Updated: February 1, 2022

Pellissippi State Community College (PSCC) recognizes that many people have questions about this cyberattack. Due to the nature of the situation, many factors must be considered before information is released publicly. This includes protecting the processes used to investigate and recover from the attack, the sensitive nature of the investigation and the steps being taken to prevent future attacks. PSCC is working closely with the Tennessee Board of Regents, the State of Tennessee Attorney General’s Office, the State of Tennessee Treasury Department and the State of Tennessee Strategic Technology Solutions division to ensure our systems are securely restored.

While PSCC was also a victim, we apologize for any stress and concern this has caused. We thank everyone for their patience as we continue to progress through the investigation, restoration, and after-action review, which will help us become more resilient to future cyberattacks.

PSCC sent a notification on February 1, 2022, to all personal email addresses and active PSCC email addresses our enterprise database about the potential of personal information being compromised as a result of the cyberattack. That notification is on PSCC’s website at https://www.pstcc.edu/cyberattack. More information about the incident and actions concerned individuals can take to protect themselves against identify theft can be found below.

 

What happened?

PSCC was the victim of a ransomware cyberattack overnight on December 5 – 6, 2021. The attacker encrypted all connected PC workstations and most of our servers including both the operating system and files.  As part of the attack, the attacker also changed the password of every user to make restoration of services more difficult.

The incident was discovered early in the morning of December 6, 2021, and our network staff swiftly responded by shutting down our network and internet access to prevent any additional access.  Our IT staff also worked closely with independent security experts and appropriate law enforcement to conduct an exhaustive investigation to determine what information, if any, may have been accessed.

The investigation revealed that the ransomware attack was focused mostly on encrypting the PSCC’s data to force a ransom payment, rather than an attack to steal data. However, we were able to confirm unauthorized access to one system.

When was the attack first discovered?

First signs of a potential attack were identified in the early morning hours on December 6, 2021 by our Campus Police and security staff, who then notified the CIO and director of network and technical services (NTS). NTS staff immediately started investigating to identify and isolate any affected systems, applications and accounts to contain the threat. The decision was made to take the entire campus offline to prevent further disruption and harm to servers, systems and data. The public was then notified of the disruption of services via social media and a message through the College’s alert system on December 6. The incident was also immediately reported to law enforcement. Subsequent updates were provided in social media announcements and on a temporary website hosted by the Tennessee Board of Regents (TBR). PSCC then retained Mandiant, a leading cybersecurity firm that provides incident response consulting services, to help conduct an in-depth investigation of the incident.

 

Who or what attacked Pellissippi State?

The cybersecurity consultant and the FBI provided some information about the malware and other cyberattack tools used but did not identify the attacker. PSCC is focused on responding to and recovering from the attack and will not comment on the identity of the group.

 

Are they still attacking Pellissippi State?

Currently there is no evidence of continued attacks against PSCC. One of the cybersecurity consultant’s goals was to identify any hidden means to launch an attack in the future, and we continue to work through the recovery process. Cyberattacks occur across the world every day, and we know that attackers could attack again. In collaboration with our partners, the PSCC Cyber Incident Response Team is taking a systemic approach to strengthen our people, processes, and technology, and we are developing more robust incident response capabilities to respond more swiftly to cyberattacks in the future.

 

What was attacked inside PSCC?

At this time, due to law enforcement recommendations, details on the nature and scope of this attack will not be released. Providing any further specific details could give our attackers information that would help them, and other threat actors.

 

Was personal information compromised?

Our cybersecurity consultant thoroughly examined PSCC’s technology infrastructure and found evidence that personally identifiable information could have been accessed in one system. Knowing this, we cannot be assured that they did not have access to other systems.  Therefore, out of an abundance of caution, we have notified those who have shared information with Pellissippi State that their personal information may have been compromised.

 

What type of data was compromised?

Mandiant confirmed that the attacker had access to our Active Directory database, which includes:

  • First and last name
  • PSCC username
  • PSCC email address
  • P number (this is a unique number for students and employees at Pellissippi and is not used to sign documents)
  • General User ID number (a long random string of numbers used only by PSCC in our Banner system)
  • Department and title (if employee)
  • Office location and phone number (if employee)
  • PSCC password as set on December 5, 2021 (hashed)

The passwords were “hashed” in this database. Hashed passwords mean they were not in their original form and that the hashed information itself is useless, unless there is a key to decipher it. This provides some protection. However, it is possible, given enough time, for a cyber criminal to break the hash and access the passwords. Even if you no longer attend or work at Pellissippi State and your PSCC account was not active, your PSCC account with its expired password, as it was set on December 5, 2021, was in this database.

This was the only database to which access was confirmed.  It is possible, however, that other personal data in our system could have been accessed, including.

PSCC does not have knowledge about exactly what information could have been compromised or who specifically might be impacted which is why all individuals in our enterprise database are being notified.

 

What do I do if think my private information is at risk?

While we do not know if your data was viewed, we generally recommend you remain vigilant, monitor and review your financial and account statements, and report any unusual activity.  More specifically, we recommend you:

  • Reset passwords for any accounts that used the same password as was in our system;
  • Notify your financial institution if you detect suspicious activity on your accounts;
  • Report incidents of fraudulent activity or suspected identity theft to proper law enforcement authorities, the Federal Trade Commission, and/or your state attorney general;
  • Monitor your free credit reports;
  • Consider placing a freeze on your credit files and/or a fraud alert on your credit report;
  • Obtain a police report if you experience identity fraud; and
  • Take advantage of the Federal Trade Commission’s information at: IdentityTheft.gov and Identity Theft | FTC Consumer Information.

Free credit monitoring is being made available to those affected by this incident and details were sent via email to all email addresses in our enterprise database. More information about the actions you can take to protect your personal information was also included in the notification and is here at the bottom of this FAQ page.

 

Was the cyberattack a ransomware attack?

Yes, this ultimately was a ransomware attack. PSCC did not pay a ransom.

 

How did the attacker gain access to the system?

The attacker exploited a compromised user account to deploy malicious software to gain access the the school’s network. Providing any further specific details could give our attacker information that would help them, and others, be more successful in future cyber attacks

 

Has PSCC removed the attacker from the department’s systems?

We have no evidence of the attackers being active in our environment at this time, however we continue to address potential risks as part of a thorough response conducted in partnership with our cybersecurity vendor, TBR and other security partners.

 

How is PSCC responding to this attack?

PSCC is using its cyber incident response plan which includes these main steps:

  • Incident Discovery/Detection: Identifying that an attack is occurring or has occurred. This phase was completed on December 6, 2021.
  • Incident analysis: Determining what was attacked and how. This phase has been completed.
  • Eradication and recovery: We have no evidence of the attacker being active in our environment at this time. Recovery work continues to build back resilient systems and restore services. Core services have been restored and the College started classes for the Spring 2022 semester on time. A firm timeline on full restoration of all services is not yet known as Information Services continues to develop and implement new processes and technologies to provide more secure and resilient services.
  • Notifications: Notification has been provided to Tennessee Board of Regents (TBR), the State of Tennessee Comptroller’s Office, FBI, TBI, the US Department of Education, and the major credit reporting agencies as well as to all individuals in the PSCC enterprise database.
  • Post-Incident Review Strengthening people, processes, and tools so that all information technology services are more resilient to cyber attack. Recommendations for future security enhancements and any additional funding needs will be provided to College leadership and TBR.

 

What actions has Pellissippi State taken since the attack?

Since the incident, we have notified local law enforcement, including the Tennessee Bureau of Investigation and appropriate state and federal authorities, scanned every computer, and enhanced security measures.

 

What is the PSCC IT department doing to prevent any further attacks?

As systems are being brought back online, steps are being taken to build them back to be as resilient as possible to be protected from future cyberattacks. Additional steps are being planned for post-incident hardening of our IT infrastructure. Also, as part of the overall response to the attack, an after-action review will be conducted. Recommendations for future security enhancements and any additional funding needs will be provided.

 

Has PSCC contracted with any cybersecurity companies because of this cyberattack?

Yes, PSCC retained a leading cybersecurity firm that provides consulting services, to help conduct an in-depth investigation of the incident.

 

What work did they provide to PSCC?

The cybersecurity consultant provided incident response services to assist us with detection and analysis, as well as eradication and improving our resilience to cyberattack.

 

How much have you spent on the cyberattack?

The consultant has identified charges of approximately $160,000 to date. We will not know the total cost of credit monitoring for quite some time because it will depend on how many people utilize the service. It is not known at this time how many total Pellissippi State staff hours have been spent working on this cyberattack.

 

What actions do I need to take?

Based on the type of information we can confirm was accessed, if you use passwords on other accounts that are the same or similar to your Pellissippi State account password, especially accounts linked to your personal financial information, we encourage you to follow recommended cybersecurity practices and create unique and strong passwords for each account.

 

What other steps can I take to protect my personal information?

PSCC is providing the following information to help those who want to know more about how they can protect themselves and their personal information:

  • You should always remain vigilant for incidents of fraud and identity theft by reviewing credit card account statements and by monitoring your credit report for suspicious or unusual activity.
  • Please notify your financial institution immediately if you detect any suspicious activity on any of your accounts, including unauthorized transactions or new accounts opened in your name that you do not recognize. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.
  • You can request a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To do so, free of charge once every 12 months, please visit annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting agencies is listed below.
  • You have the right to file or obtain a police report if you experience identity fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide proof that you have been a victim. A police report is often required to dispute fraudulent items. You can generally report suspected incidents of identity theft to local law enforcement or to the Attorney General.
  • You can take steps recommended by the Federal Trade Commission to protect yourself from identity theft. The FTC’s website offers helpful information at ftc.gov/idtheft.

 

How do I obtain a copy of my credit report?

You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account. You may obtain a free copy of your credit report from each of the three nationwide credit reporting agencies. To order your free credit report, please visit www.annualcreditreport.com, or call toll-free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available at https://www.consumer.ftc.gov/articles/0155-free-credit-reports) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281.

Contact information is also provided below:

 

Experian

P.O. Box 2104

Allen, TX 75013

1-888-397-3742

www.experian.com

TransUnion

P.O. Box 2000

Chester, PA 19022

1-800-680-7289

www.transunion.com

Equifax

P.O. Box 740256

Atlanta, GA 30348

1-888-766-0008

www.equifax.com

 

 

How do I place a security freeze on my credit report?

You have the right to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans, and services from being approved in your name without your consent.  To place a security freeze on your credit report, you need to make a request to each consumer reporting agency. You may make that request by certified mail, overnight mail, regular stamped mail, or by following the instructions found at the websites listed below.

However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing, or other services.  Many states require the security freeze to be free of charge.

Experian

P.O. Box 9554

Allen, TX 75013

1-888-397-3742 www.experian.com/freeze/center.html

TransUnion

P.O. Box 1000

Chester, PA 19016

1-888-909-8872 www.transunion.com/credit-freeze

Equifax

P.O. Box 105788

Atlanta, GA 30348

1-888-298-0045

https://www.equifax.com/personal/credit-report-services/credit-freeze/

 

 

How do I place a fraud alert on my account?

You can place fraud alerts by contacting the credit reporting agencies below.  A fraud alert tells creditors to follow certain procedures, including contacting you, before they open any new accounts or change your existing accounts.  For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.

Experian

P.O. Box 9554

Allen, TX 75013

1-888-397-3742 www.experian.com/fraud/center.html

TransUnion

P.O. Box 2000, Chester, PA 19016

1-800-680-7289

www.transunion.com/fraud-alerts

Equifax

P.O. Box 105069

Atlanta, GA 30348

1-800-525-6285

https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/

 

 

What should I do if we were notified about a family member who is deceased?

We are sorry for your loss. To help protect your deceased family member, there are steps you can take to request a copy of your deceased family member’s credit report.  An executor or surviving spouse can place a request to any of the three credit reporting agencies for a copy of the deceased individual’s credit report.  An executor or surviving spouse can also request that the following two notices be placed on a deceased individual’s credit report:

  • “Deceased – Do not issue credit”
  • “If an application is made for credit, please notify the following person(s) (e.g. surviving relative, executor/trustee of the estate and/or local law enforcement agency – notifying the relationship).”

For more information regarding identity theft and the deceased, please visit Identity Theft and the Deceased: Prevention and Victim Tips | Office of Justice Programs (ojp.gov)

 

What should I do if I didn’t get an email notification and I am concerned about my personal data that I have shared with PSCC?

We sent email notification to the personal email address provided for every person in our enterprise database and to all active PSCC email addresses. If you did not get a notification and you believe you should have, please contact the Call Center established by PSCC for this incident and they can assist you with information about credit monitoring. Information on how to contact the call center is below.

 

How do I contact the FTC?

To contact the FTC, you can send a letter to the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580; go to www.IdentityTheft.gov/databreach; or call 1-877-438-4338.  Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, a database made available to law enforcement agencies.

 

What if I am not a resident of Tennessee?

Here is some state specific information.

District of Columbia Residents: You have the right to obtain a security freeze free of charge.  You may contact the D.C. Attorney General at: 400 6th Street, NW, Washington, DC 20001, 202-727-3400, or Attorney General Karl A. Racine | Attorney General Karl A. Racine (dc.gov).

Maryland Residents: You may obtain information from the M.D. Attorney General, who can be reached at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, or Maryland Attorney General – Brian E Frosh.

Massachusetts Residents: You that you have the right to obtain a police report.  You may also obtain a security freeze on your credit report free of charge.  To do so, you will need the following information: your full name, social security number, address(es), date of birth, a copy of a government issued identification card, a copy of a utility bill, bank or insurance information, or anything else the credit reporting agency needs to place the security freeze.

New Mexico Residents: You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; and you must give your consent for credit.

New York Residents: You may contact the following state agencies for information regarding security breach response and identity theft prevention and protection information.

North Carolina Residents: You may wish to review the information provided by the North Carolina Attorney General at www.ncdoj.gov, or by contacting the Attorney General by calling 877-5-NO-SCAM (Toll-free within North Carolina) or by mailing a letter to the Attorney General at North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center Raleigh, NC 27699.

Rhode Island Residents: You have the right to obtain or file a police report.  Further, you can obtain information from the Rhode Island Office of the Attorney General: 150 South Main Street, Providence, RI 02903, 401-274-4400, www.riag.ri.gov.  You have the right to place a security freeze on your credit report at no charge, but the consumer reporting agencies may charge fees for other services.