Medical centers and educational institutions continue to be primary targets for cybercriminals. This time, Dordt University in Sioux Center, Iowa, a private evangelical Christian university, has fallen victim.
The BianLian Ransomware Group Claims to Have 3TB of Documents Exfiltrated from Dordt University Servers
The ransomware group BianLian has declared that it possesses 3TB of documents exfiltrated from the servers of Dordt University. The group has threatened to publish the documents in the coming days if the university does not pay the ransom. Recently, the ransomware group posted a series of ten documents containing Protected Health Information (PHI) and Personally Identifiable Information (PII) on their .onion site within the Tor network as proof of the data in their possession.
Among the published documents are the passport of the Vice President for University Operations and the Form I-9, Employment Eligibility Verification, of an administrative office employee. The Form I-9 is a document required by the United States government that all employers must complete for every new employee hired after November 6, 1986. The form serves to verify the identity and employment eligibility of employees in the United States.
In addition to the employee’s personal details and signature, the document also contains sensitive information about the employer representative who verified the accuracy of the information provided:
- Name and Surname
- Date of Birth
- Social Security Number (SSN)
- Driver’s License
- Signature
In this specific case, the sensitive information pertains to the current President of Dordt University, Erik Hoekstra.
Screenshot and redaction by SuspectFile.com
Although the driver’s license shown in the document expired in 2011, the form still contains sensitive information, such as personal details, an SSN, and signatures, that cybercriminals could exploit.
However, this is not the only document that could be used for criminal purposes. Among the documents we analyzed, there are others containing data on university employees and students, including:
- Employee Names and Surnames
- Student Names and Surnames
- Dates of Birth
- Gender
- Student ID Numbers
- Email Accounts
- Driver’s Licenses
- Passports
- Birth Certificates
- COVID-19 Vaccination Record Cards (students)
- Social Security Numbers (SSNs)
- Employee Certification Numbers
- Employee Phone Numbers
Employee driver’s license – Screenshot and redaction by SuspectFile.com
Student passport – Screenshot and redaction by SuspectFile.com
Employee SSN – Screenshot and redaction by SuspectFile.com
Certificate of vital record – Screenshot and redaction by SuspectFile.com
Student COVID-19 Vaccination Record Card – Screenshot and redaction by SuspectFile.com
Student COVID-19 Vaccination Record Card (b) – Screenshot and redaction by SuspectFile.com
In the first Excel file we analyzed, dated 04/20/23 and titled ‘Fall 2023 CORE-100 Academic Profile of Students in a Class 04.20.23.xlsx’, we found a list of 420 Dordt University students. In addition to student IDs, full names, dates of birth, gender, email accounts, and current major, the file lists the name of each student’s high school of origin.
Academic Profile of Students – Screenshot and redaction by SuspectFile.com
Academic Profile of Students – Screenshot and redaction by SuspectFile.com
In a second Excel file that we were able to analyze, we discovered sensitive data belonging to 587 employees and their family members. The file, titled ‘Membership Census with SSN.xlsx’, is presumed to be related to health insurance plans. Towards the end of the file, we found the statement ‘Proprietary and Confidential – Wellmark Blue Cross and Blue Shield.’
The data fields included:
- Member First Name
- Member Middle Name
- Member Last Name
- Birth Date
- Gender
- Relationship to Plan Member Code
- Social Security Number
- Plan Member Address Line 1
- Plan Member City
- Plan Member State Code
- Plan Member Phone Number
- Coverage Type of Contract Code
- Membership Month
Membership Census with SSN – Screenshot and redaction by SuspectFile.com
Membership Census with SSN (b) – Screenshot and redaction by SuspectFile.com
We had the opportunity to analyze a third file containing information on a total of 312 students. The file, named ‘Student list, first registrations 2019.xlsx’, includes the following data:
- Full names
- Home address 1
- Private email accounts
- Home city
- Home state/province
- Grade level just completed
Student list, first registrations 2019 – Screenshot and redaction by SuspectFile.com
As stated at the beginning of the article, BianLian has exfiltrated approximately 3TB of data from Dordt University’s servers in Sioux Center, a significant amount that the ransomware group will likely make public in the coming days. In their blog post claiming responsibility, BianLian asserts possession of data including:
- Finance data
- HR data
- Databases
- Mailboxes and internal & external email correspondence
- Incident records
- Data of local and international students
- Students’ grades
- Personally Identifiable Information (PII) and Protected Health Information (PHI) records
- Data of minors
We have reiterated ad nauseam that one of the primary duties of any public or private entity handling vast amounts of sensitive data belonging to its employees and to private citizens is to diligently protect it. Too often, we have seen statements addressing the aftermath of cybercriminal actions with no acknowledgment of serious errors in network management or admission of insufficient investment in cybersecurity.
At the time of writing, the university’s website carries no statement regarding the data breach.
SuspectFile.com sent an email to the Vice President for University Operations and several administrative employees of Dordt University. We know that at least two recipients have read our email, but we have received no response.
SuspectFile.com will update the article with any new developments.