Capital and U New Mexico hit by cyberattacks prior to fall classes

Just weeks before the fall semester started, both University of New Mexico School of Law in Albuquerque and Capital University Law School in Columbus, Ohio, were hit with cyberattacks that shut down the school websites and email. 

The University of New Mexico was hit about one week before classes started on Aug. 17.

“We are working closely with UNM IT support to restore information that has been encrypted, and will provide additional detailed information and resources on the School of Law web page to help faculty, staff and students prepare for the fall 2020 semester,” Dean Sergio Pareja said in a letter to students.

Adding to the strain on the law school, a group of tenure-track law professors cited the attack, along with the pandemic, in a letter asking the law school to push back the first day of class.

“The hack resulted in the deletion of information and data preventing faculty from preparing for the semester,” the letter read. “We believe it is our duty, as tenured faculty members entrusted with shared-governance responsibilities, to ask that the administration acknowledge the overload and additional stress caused by the cyber-attack and neither ignore, nor deny its impact on teaching preparation and related work.”

Additionally, the letter referenced that the law school had reported two positive cases of COVID-19 during the summer.

“According to the employee, policies were not in place prior to the first positive case, and multiple employees have expressed concern over the lack of COVID-19 protections for faculty, staff and students with the pending school year.”

The server outage and loss of access to files and email affected only the law school at the University of New Mexico. Students, faculty and staff were unable to access their email or shared server.

Classes began Aug. 17, but Dean Pareja said the cyberattack was still affecting some professors and making it hard for them to get prepared for the start of the semester.

“Some professors are fine, because their important documents were cached in their computer or saved elsewhere,” Pareja said. “But others can’t see their course notes, prior tests, articles or drafts of research papers.”

Meanwhile, Capital University also suffered a system outage. An email from Capital University Law School notified recipients that the email server suffered a “major incident” from July 31 to August 18.

“On Friday, July 31, 2020, Capital University suffered a major incident in which Law School website all went down. Only today, August 18, are we fully operational again.”

During the outage, the law school’s website was down; faculty, administrators and staff were unable to send or receive e-mails; and voicemail was also inoperable.

“As a result of the service outages, the Law School confronted significant communications challenges at a time when it would normally have been using the web page and e-mail to provide scheduling and orientation information, first assignments, and other information, to incoming and returning students,” Prof. Chuck Cohen, chair of the law school’s communications committee, wrote in an email. “In addition, new students were unable to make tuition deposits through the website. Our faculty, staff and administrators could not be reached by e-mail.”

In the face of these challenges, the law school’s administrators and staff worked together to find alternative ways to connect with students.

“Despite a pandemic and an outage of email and our website, we were still able to bring in the largest class in a decade,” said Jason Owen, assistant dean of admissions.

Law school officials said they were hit by a zero-day virus, which caused service disruptions and outages in the critical areas of email communications, voicemail services, the law school website, an internal online blackboard system, and the parking permit website.

“We do not know the exact details as to how the virus compromised and infected our servers,” Cohen wrote. “At the time of the attack, the majority of campus was working remotely which increased potential virus entry points significantly. An employee who was using their own personal home computer connected to our VPN could have inadvertently allowed a virus to enter into our infrastructure.”

Capital University has two anti-virus providers, Symantec and Malwarebytes, but the virus went undetected by both.

“However, this particular zero-day virus was apparently unknown to our anti-virus service providers, and therefore our anti-virus software did not detect it,” Cohen wrote.

The university’s IT department was alerted to the problem on Aug. 1 when faculty members sent text messages reporting they were unable to access their email accounts. 

The law school’s website will now be hosted on a new, more robust hosting site, and the law school will remain vigilant against malware, viruses and hackers.

“However, there are always risks,” Cohen wrote. “A zero-day vulnerability by its nature is very difficult to prevent. There is no network security product on the market today that can guarantee it will prevent such an attack.  Therefore, we cannot promise that we will never encounter a similar attack again.”
