Brendan W. Clark ’21
President of the College Joanne Berger-Sweeney reported Tuesday afternoon via email that the cyber-attack which devastated Trinity’s information technology systems in September was largely related to records of financial contributions to the College and admissions data for the past admissions cycle.
Berger-Sweeney stressed that “no social security or driver’s license numbers were access, nor was any personal financial, banking, or health information.” Two databases were accessed, one “contained historical data (from 2013 and earlier) on donations by individuals and institutions” and a second contained “admissions data and a limited amount of biographical and demographic information, including full name and date of birth.” The donor information “was largely what Trinity and many other schools typically have reported publicly in annual donor rolls,” Berger-Sweeney added.
The other database contained admissions data, and students admitted in 2019-2020 had some of their “application file data, including admissions data” accessed and those students will be contacted directly. According to Berger-Sweeney, disclosing this is not “legally required” in most states. However, in Washington and North Dakota, Berger-Sweeney added, that “combination of full name and date of birth is considered Personally Identifiable Information (PII) and the College is communicating with those students as required by law. Outside counsel was engaged in the process of determining which notifications were required, Chief of Staff to the President Jason Rojas told the Tripod.
While this information was accessed, Berger-Sweeney noted that “fast action on the part of the Trinity team meant the attackers had limited access to and time on our servers and therefore did not succeed in their objective of encrypting the environment.” It was not clear if any data was in fact taken or recorded in a different manner, though Berger-Sweeney noted that the intent of “demanding ransom” for the data did not occur and the College’s “rapid response” limited the severity of the attack.
In September, the administration refused to answer any Tripod questions related to the attack, with Rojas adding that the College would “provide an update when we have additional information to share.”
The investigation of the attack was conducted by CrowdStrike, “one of the world’s top cybersecurity firms,” according to Berger-Sweeney’s email. CrowdStrike handles cybersecurity for some firms including Goldman Sachs, Amazon Web Services, and MIT, and also conducts some cybersecurity investigations for the federal government, according to a 2019 report from CNN.
CrowdStrike was secured with the assistance of “Matthew Prince ’96, CEO and co-founder of Cloudflare,” a website security company. Berger-Sweeney previously met with Price to discuss cyber security issues in late May before the September cyber-attack. The Board of Trustee’s Audit and Risk Committee was also consulted in the response process.
Berger-Sweeney added that it is “an unfortunate reality that Trinity is among thousands of institutions that have been hit by cyberattacks.” A cyber alert brief obtained by the Tripod in September indicated that as many as eight Connecticut institutions may have been subjected to cyber-attacks.
Trinity’s September attack caused wireless issues on campus for weeks and left Trinity systems and accounts inaccessible amidst the pandemic, which has forced learning to increasingly rely on information technology.
Trinity, Berger-Sweeney added, had made improvements following the attack to “enhance security and help prevent future attacks.” Changes included installing “on all of servers and critical workstations advanced anomaly detecting software, which is monitored 24 hours a day by cybersecurity professionals” and “increased the blocking and sensitivity of our firewall detections.” Additional changes were made to authentication systems and password changes, as well as “accelerating the implementation of multifactor authentication.” It was not immediately clear what security measures were in place before the cyber-attack.
Rojas noted that the “work to implement multifactor authentication is ongoing; the majority of staff and those who deal with sensitive information are already using it. We are working to complete the roll-out to staff as quickly as possible, as well as how best to implement it among faculty and students.”
Berger-Sweeney offered her “sincere apologies on behalf of the institution” and stressed that “Trinity is committed to maintaining the privacy of personal information with which we have been entrusted.”
Trinity’s Information Technology division has been led by an interim official, Fred Kass, since the retirement of former Vice President for Information Services and Chief Information Office Suzanne Aber in October following the cyber-attack. Aber had been slated to retire earlier this year before the pandemic began. While a committee to replace Aber was formed in late October, it was not immediately clear what the status of the search process was.
Rojas later told the Tripod that the search process is in “the early stages” and that the “search committee has started working with Isaacson Miller, who is collecting input from constituent groups and preparing the position description.”
Students were subsequently notified on Dec. 11, pursuant to the Family Educational Rights and Privacy Act of 1974 (FERPA), that a “recordation of this incident,” specifically the data breach, had been placed “in your electronic educational records at Trinity.” It was not immediately clear why the FERPA notification had been delayed by several weeks.