'Lost A Lifetime Of Work': Some CPCC Systems Still Not Recovered After February Cyberattack
Central Piedmont Community College is still reeling after a ransomware attack more than a month ago that shut down email, phones and computer networks. Some key systems have been restored, but others weren't backed up or backups were compromised. And that has led to lost course plans, grades and assignments.
This week was supposed to be spring break at CPCC, but it was canceled after the college shut down last month in the wake of the cyberattack. CPCC officials still aren't saying how the cyberattack happened, or how much money hackers demanded after breaking into college servers the night of Feb. 10.
For days, students and professors couldn't communicate. Information about the attack was limited to campus-wide messages on the college website or social media.
"Really frustrating, kind of like a roller coaster," said Evie O'Keefe, who is in her final semester of an associate's degree program. "I'm a nontraditional student. So this isn't my first time in college. But this is definitely my first time experiencing anything like this."
But it's not the first time an attack like this has happened at a North Carolina community college, said Lt. Col. Seth Barun, who oversees cyberoperations for the North Carolina National Guard. Barun helps governments and educational institutions prepare for and respond to cyberattacks. He wouldn't say how many community colleges have been targeted or if he's helping CPCC.
"We've responded to multiple school systems and colleges in North Carolina. And they're all fairly similar in that they're ransomware attacks," Barun said.
In these kinds of attacks, intruders typically gain access to a network through what's called a "phishing" email. It's a message that appears to come from a trusted source and tricks a user into clicking on a link or attachment that triggers a program that infects the network. The program locks up data on the servers and hackers demand a payment to unlock it.
That's what happened to Mecklenburg County in 2017 — but the county refused to pay and was able to restore its systems from backups.
A CPCC spokesman wouldn't say if the college plans to pay the ransom, but said the FBI recommends against it. The FBI and other agencies are still investigating.
A new study from cybersecurity consultant BlueVoyant found ransomware attacks against colleges and universities doubled last year. And the average cost of an attack is now about $450,000.
Barun said colleges and school systems are among the most vulnerable, because they have large, complicated networks and lots of users.
"So they're sometimes a little bit tougher to lock down in the way they want to," he said. "You know, students bring their own computers, in most cases, and so there's just some defenses that we need to see implemented, that would help prevent that."
Most CPCC classes resumed by March 1, and some systems are back online this week, said CPCC spokesman Jeff Lowrance.
"Things like email are back up, and folks can communicate with instructors and register for classes, all those sorts of things," Lowrance said. The college employees are getting paid on time, so great progress is being made."
But systems still aren't back 100%, he said.
"No, no, not yet," Lowrance said. "You know, it's gonna take some time. Our ITS folks are bringing things back up at a very deliberate pace, making sure that they are safe. And so it's gonna be a process — but making good progress."
Lowrance also repeated the college's statement that investigators so far have not found evidence that any student or faculty data was stolen. But that's no comfort to Gary Walker. Walker retired last June as an English professor and still gets paychecks and insurance through CPCC, so he hopes his personal data is safe.
"Personally, I'd like more reassurances in some way to know that that's the case," he said. "A statement from a college spokesman doesn't instill the confidence that maybe someone with a little more technical ability to offer assurances might give."
On the academic side, one of the major casualties of the attack was the online class system Blackboard, which instructors use to plan and manage online classes. O'Keefe said she knew the situation was bad when she couldn't get into the system.
"I had just submitted a paper that I was really proud of, and I wanted to see my grades," she said. "And then I started getting phone calls and emails saying that the school had been attacked, and we weren't sure what was going to happen."
Now, the paper — and a lot more — are gone. And it appears CPCC has no backup, or the backup was compromised.
"Anything that we had submitted directly to Blackboard that hadn't been saved on our computers was lost," O'Keefe said. "One of my professors said he's been speaking to colleagues who have lost a lifetime of work, they say, because they trusted the system."
Lowrance says some standardized classes could be rebuilt from state templates. But he said for others, there may not be backups, unless professors had their own.
"(In) other cases ... faculty had to kind of rebuild things from scratch," he said. "So, it will depend on the course and how long the faculty member had been using Blackboard, all those sorts of things."
Not only did professors have to rebuild, but they had to do it in a new system. After the attack, CPCC abruptly decided to abandon Blackboard. The school gave faculty only a couple of weeks to shift to a new system called Brightspace — and they had to do it without access to their old data. A few classes were already using Brightspace, but some students and faculty had to learn the new system mid-semester.
As fallout from the cyberattack drags on, Walker said he worries about students and his former colleagues.
"I cannot imagine, from either as a faculty or from a student's perspective, how you can just lose everything and then start over," Walker said.
And O'Keefe said she wonders if CPCC will compensate students for what they lost.
"I have weeks and weeks of work that was lost," she said. "I have grades that I earned that went back to zero. So essentially, yeah, I paid for a product I didn't get."
Lowrance said CPCC will work with students on a case-by-case basis on those concerns.