The University of Rochester has been hit with a lawsuit claiming that its response to a ransomware attack it suffered in May is inadequate.
The court action was filed Aug. 17 in the federal Western District of New York’s Rochester Division. A Highland Hospital worker is lead plaintiff in the action, which seeks class-action status.
UR publicly acknowledged the attack in June, stating that the breach compromised personal information of 88,050 individuals. On July 28, UR sent a letter to affected individuals laying out steps it is taking to protect them.
According to the letter, the school was notified of the May 27 data breach on May 31 by Progress Software, a third-party vendor to UR. The invader “exploited a vulnerability in their MOVEit File Transfer software to gain access to University of Rochester data,” the July 28 letter states.
MOVEit file transfers are used by organizations to transfer large data files between servers.
The university has taken “immediate actions to mitigate and assess the scope of information potentially compromised, including engaging outside professionals to assist in investigating and remediating the vulnerability,” the July 28 letter states.
Upon learning of Progress Software’s MOVEit product vulnerability, UR launched a prompt and thorough response, says Sara Miller, spokesperson.
“This incident was part of a sophisticated attack by foreign cybercriminals against one of our third-party software providers,” she says. “The University is committed to safeguarding the privacy of personal information in our possession and takes many precautions to protect all of our data. We are continually evaluating and modifying cybersecurity practices and enhancing internal controls and reviews to adapt to the evolving cybersecurity landscape.”
Despite having no evidence that anyone’s data has been compromised, “out of an abundance of caution, we want to make you aware of the scope of the incident and offer a complimentary 24-month membership of Experian IdentityWorksSM,” the July 28 letter states. “IdentityWorks is completely free to you and enrolling in this program will not hurt your credit score,” it adds.
Despite those assurances, affected individuals will remain vulnerable to identity theft years down the road, exposing them to dangers after the two years of free protection offered by UR has expired, the lawsuit claims.
“The complimentary fraud and identity monitoring service offered by (UR) is wholly inadequate as the services are only offered for 24 months and it places the burden squarely on plaintiff and class Members by requiring them to expend time signing up for that service, as opposed to automatically enrolling all victims of this cybercrime,” the court brief maintains.
According to the court complaint, a cybercrime gang known as TA505 or the CLOP Ransomware Gang used ransomware known as CLOP to breach UR’s computer networks, obtaining data including Social Security numbers of UR students, faculty and employees.
“Class members’ identities are now at an imminent and ongoing substantial risk because of (UR’s) negligent conduct, since the private information that (UR) collected and maintained is now in the hands of data thieves. This present risk will continue for their respective lifetimes,” the class action complaint claims.
In a June 7 alert, the federal Cybersecurity & Infrastructure Security Agency stated that TA505, which has been staging cyberattacks for several years, started using a previously unknown method to tease data out of computer networks on the day of the UR data breach.
Other organizations besides UR including Zellis and Extreme Networks as well as government computer networks—the province of Nova Scotia, the state of Illinois and the Minnesota Department of Education among them—were also hit by the CLOP Gang, Bleeping Computer reported in June.
The May 27 cyberattack came some three years after the UR Medical Center paid a $3 million fine for failing to adequately protect patients’ health information. The fine was imposed after URMC reported that patient data had been compromised by an unencrypted flash drive and in the theft of a laptop.
The Aug. 17 court action asks that UR be ordered to tighten its security measures and release more specific information on data compromised in the May 27 breach. It also seeks unspecified restitution for affected individuals and for UR to pay for at least three years of data monitoring.
Will Astor is Rochester Beacon senior writer. The Beacon welcomes comments and letters from readers who adhere to our comment policy including use of their full, real name. Submissions to the Letters page should be sent to [email protected].