On the morning of May 18, a cyberattack temporarily disabled university systems for the first time in Taylor’s history.
Chief Information Officer Chris Jones was preparing for the Board of Trustees meeting when he noticed the print server was offline.
“I just kind of had this knot in my stomach, and I called my team,” Jones said. “... we pretty quickly found that we were locked out of our systems and that they were encrypted. And my heart just sank.”
Steve Elwood, director of infrastructure & support, was at home taking time off when he received notifications that printing wasn't working.
A few hours later, Elwood’s vacation was cut short.
“Chris calls me and says, ‘Hey, you're gonna need to cancel your vacation — you need to come in, because we can't figure out what's going on,’” Elwood said.
Dave Compson, manager of infrastructure services, had come in early that morning to install networking equipment.
Together, Jones, Elwood and Compson began investigating the source of the system crash.
“There was definitely, in the initial hours, a wondering like, ‘OK what exactly is the scope of this?’” Compson said. “We knew the systems were essentially down broadly; we didn't know why or what exactly the source of that was — that was probably the most nerve-wracking.”
Once a threat was identified, the Information Technology (IT) team began implementing a recently formed incident response plan: they powered everything down and notified the FBI, cyber insurance and cyber forensics teams of the incident.
The forensics team identified the cyberattack as a ransomware event: an incident that occurs when a threat actor (or “TA”) gains access to a system, stealing data to extort payment, encrypting servers and attempting to destroy system backups.
IT team members began canceling summer plans and family gatherings to work through the weekend. A temporary war room was created in Nussbaum 022.
Jones, Elwood and Compson, along with Brent Gerig, infrastructure systems analyst; Scott Wohlfarth and Brad Whatley, database and systems admins; Dan Gerhart, manager of user services; and Mark Lora, senior director of strategic analytic insight, designed a spreadsheet to track areas of the system that had been impacted.
“We pretty much lived there,” Jones said. “We went home to sleep. We ordered food … And we just sort of brought in a whole bunch of people, and we just worked and worked and worked at this — right through that weekend, right through the next week, and we were going pretty straight for a couple of weeks.”
Thanks to the fail-safes previously established by the IT team, the university was able to recover almost 100% of the data from their backup systems. Most of the infrastructure was restored within a couple of business days; the full restoration process was completed a week or two after the attack.
During their investigation, the forensics team also found that close to 1 million unique data files were taken from the file server and university computers.
Taylor has since hired a data mining company to evaluate the missing files; though they are already weeks into this evaluation, Jones estimates that a full report on the missing data will not be ready until early October.
If the missing data contains personally identifiable information, the university will alert individuals impacted by the incident and inform them of next steps. Jones emphasizes that, up to this point, there has been no evidence that data of this nature was leaked during the cyberattack.
Forensic data has not identified the origin of the cyberattack or the specific threat actor involved. However, there is no indication that the threat came from the inside or was tailored to the university.
“There's a name of the group that they call themselves, which we're not publicly discussing at this point, but we don’t (know) beyond that,” Jones said.
Moving forward, the IT team has implemented a number of changes to strengthen the system’s defenses. These changes involve layering multiple partners and defenses on top of the systems previously in place.
Multi-factor authentication for university employees has been emphasized and a full audit of active accounts conducted. A new software defense system called SentinelOne is now deployed on all Taylor-owned devices, and the university is partnering with Arete, a global cyber risk company that will monitor Taylor’s systems around the clock.
“If anything malicious starts to happen, they actually can go in and kill a process or even quarantine a computer completely off the network — or they can call us at two in the morning,” Jones said.
Additionally, the university is working with Branch Network Consulting, a local company helping to monitor the university system logs.
As more changes are made in the coming months to better protect the community, Compson emphasizes the importance of communication — encouraging community members to practice discernment and to alert IT if anything seems suspicious.
Questions and concerns can be emailed to helpdesk@taylor.edu or taken directly to the IT Help Desk in Zondervan library.
“We're trying to make sure that people understand it's not a safe world out there,” Elwood said. “And we want to protect them as best as we possibly can. But we also need them to protect themselves.”