Skip to content
Campus Alert Archive
Truman State

Campus alert, April 21, 2023

AI-generated · every claim is source-linked
MOotheradvisoryhigh confidence
Confirmed Threat

On April 21, 2023, Truman State ITS discovered a ransomware attack on the university network. All Truman-issued Windows devices and services were powered down. FBI field offices in Kirksville, Kansas City, and St. Louis, plus DHS, were called in. Online classes were cancelled Monday. Network services were restored over the week, with email returning on April 28. The university did not pay a ransom.

Alerts
2
Response
Killed
Injured
Institution
Truman State University
Public Bachelors · MO
All Truman State cases →
~4,600 students
Documented Timeline

Alert Sequence

2 messages in sequence · 1 verified verbatim

Some messages in this sequence are documented (their existence, timing, and channel are sourced) but their exact wording is not preserved in the public record. Those entries appear as placeholders; only confirmed text is displayed.

INITIAL ALERTMulti-channel
Security Incident – Cyber Security Virus Attack Information regarding the security incident On the morning of Friday, April 21, Truman Information Technology Services (ITS) found evidence of what appeared to be virus on the University network. In an effort to mitigate potential spread, all Truman-issued Windows-based devices and services were powered down and remained inactive, along with the campus network, while ITS responded to the incident. During this time, the University also engaged a firm of outside experts, resulting in a cybersecurity resource dispatched to be onsite throughout the week to help resolve the issue. ITS promptly alerted law enforcement at the time of the incident and it was verified as a form of malware. ITS worked with agents from FBI field offices in Kirksville, Kansas City and St. Louis, as well as the Department of Homeland Security, on solutions. On Monday, April 24, ITS conducted preliminary assessments of most primary campus workstations at risk for this particular form of malware and began installing a security patch. By Tuesday, April 25, some network services were brought back online. Additional services were restored throughout the week, culminating with the resumption of email service, Friday, April 28. What happened? A cyber security virus attack on the campus network. What information was involved? It is not believed any of Truman's enterprise systems with personally identifiable information were accessed. The University is continuing to monitor and assess what personally identifiable information, if any, may have been accessible in other parts of the network. What is being done now? A new security tool was implemented to halt the spread of the virus, and servers/systems were remediated and in some cases rebuilt. The University will continue to monitor the campus network. While there is currently no evidence personally identifiable information was taken, out of an abundance of caution, Truman is providing the opportunity to enroll in identity theft protection free of charge. Please be assured we remain committed to protecting personal information. We are working hard to limit the impact of this incident on our Truman community. Additional information will be released at https://idinfo.truman.edu What can you do? You can enroll in identity theft protection free of charge. If you choose not to enroll in this coverage, the Federal Trade Commission (FTC) recommends that you at least place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or changes your existing accounts. You can find out how to do this, as well as other helpful information, by reading through the Frequently Asked Questions on this website. For additional information about identity theft, visit http://www.consumer.gov/idtheft or call toll free 877-ID-THEFT (877 438 4338); TTY: 866 653 4261.
Full official Truman ITS community security-incident notice recovered from idinfo.truman.edu.
All Windows-based devices and services were powered down to prevent spread; email restored April 28.
FBI field offices in Kirksville, Kansas City and St. Louis plus DHS assisted.
Supervisor rule-0 audit (2026-07-18): demoted from isVerbatimConfirmed:true -- text is structured as a webpage-style breach-disclosure notice (headline/sub-headline, third-person retrospective narrative, an FAQ block, and generic FTC identity-theft boilerplate) hosted on a compliance 'substitute notice' page, with no evidence it was actually transmitted to the community as an alert rather than simply published there.
UPDATEEmail
Wording not preserved
A update message is documented at this point in the sequence, but its exact wording is not preserved in the public record. The public edition displays only confirmed alert text.
Message elements

How the first alert is built

To check this alert, Claude (an AI) read it in full 25 separate times, independently. Each read decided whether the message answers each of the six questions and gave a short reason. A final reviewer then weighed all 25 and wrote the plain-English verdict you see when you open a row. The score (for example 22/25) is how many reads agreed; the 25 individual reads are tucked underneath if you want to check them.

Security Incident – Cyber Security Virus Attack Information regarding the security incident On the morning of Friday, April 21, Truman Information Technology Services (ITS) found evidence of what appeared to be virus on the University network. In an effort to mitigate potential spread, all Truman-issued Windows-based devices and services were powered down and remained inactive, along with the campus network, while ITS responded to the incident. During this time, the University also engaged a firm of outside experts, resulting in a cybersecurity resource dispatched to be onsite throughout the week to help resolve the issue. ITS promptly alerted law enforcement at the time of the incident and it was verified as a form of malware. ITS worked with agents from FBI field offices in Kirksville, Kansas City and St. Louis, as well as the Department of Homeland Security, on solutions. On Monday, April 24, ITS conducted preliminary assessments of most primary campus workstations at risk for this particular form of malware and began installing a security patch. By Tuesday, April 25, some network services were brought back online. Additional services were restored throughout the week, culminating with the resumption of email service, Friday, April 28. What happened? A cyber security virus attack on the campus network. What information was involved? It is not believed any of Truman's enterprise systems with personally identifiable information were accessed. The University is continuing to monitor and assess what personally identifiable information, if any, may have been accessible in other parts of the network. What is being done now? A new security tool was implemented to halt the spread of the virus, and servers/systems were remediated and in some cases rebuilt. The University will continue to monitor the campus network. While there is currently no evidence personally identifiable information was taken, out of an abundance of caution, Truman is providing the opportunity to enroll in identity theft protection free of charge. Please be assured we remain committed to protecting personal information. We are working hard to limit the impact of this incident on our Truman community. Additional information will be released at https://idinfo.truman.edu What can you do? You can enroll in identity theft protection free of charge. If you choose not to enroll in this coverage, the Federal Trade Commission (FTC) recommends that you at least place a free fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or changes your existing accounts. You can find out how to do this, as well as other helpful information, by reading through the Frequently Asked Questions on this website. For additional information about identity theft, visit http://www.consumer.gov/idtheft or call toll free 877-ID-THEFT (877 438 4338); TTY: 866 653 4261.

  • Sourceabsent0/0

    Who is sending the alert and who is responding. People act faster on a message from a clearly identifiable, credible sender, such as a named department, the police, or a branded alert system, than on an anonymous notice. A branded signature counts.

    See all 25 individual reads

    Open to load the 25 reads.

  • Hazardabsent0/0

    What the threat actually is. A complete warning names the specific danger, such as a shooter, a fire, a tornado, or a gas leak, rather than a vague emergency, because people decide what to do based on what they are facing.

    See all 25 individual reads

    Open to load the 25 reads.

  • Locationabsent0/0

    Where the threat is. Saying whether danger is in a specific building, a part of campus, or area-wide lets people judge their own proximity and choose a safe direction. Without a where, a warning is hard to act on precisely.

    See all 25 individual reads

    Open to load the 25 reads.

  • Guidanceabsent0/0

    The protective action to take. A clear, specific instruction, such as shelter in place, evacuate, avoid the area, or run-hide-fight, drives faster and more correct protective behavior than describing the threat alone.

    See all 25 individual reads

    Open to load the 25 reads.

  • Timeabsent0/0

    When the message applies. A timestamp, the word now or immediately, or a phrase like until further notice tells the reader whether the danger is current and how quickly to act.

    See all 25 individual reads

    Open to load the 25 reads.

  • Impactabsent0/0

    What the hazard could do to the people in its path. Beyond naming the threat, a complete warning conveys its potential consequences or severity, such as that a tornado can level buildings or that a leak could be explosive, so recipients grasp how much danger they are in. Research on warning message content finds that a concrete impact statement helps people personalize their risk and act sooner.

    See all 25 individual reads

    Open to load the 25 reads.

Systematic AI judgments with visible reasoning, not human-validated codings.

About this analysis
Context

Background

On April 21, 2023, Truman State University ITS discovered a ransomware attack on the university network in Kirksville, Missouri. All Truman-issued Windows devices were powered down immediately to prevent spread. The Record reported that ITS worked with FBI field offices in Kirksville, Kansas City, and St. Louis, as well as the Department of Homeland Security. KBIA reported that online classes were cancelled for Monday, April 24. Network services began restoring on April 25, with email service restored on April 28. The university's official Cyber Security Virus Attack page confirmed the university did not pay a ransom, and that no personally identifiable information from enterprise systems was believed to have been accessed. The weeklong disruption illustrates how cyberattacks can paralyze campus operations even without a physical threat.
Analysis

Key Findings

The university refused to pay the ransom while still restoring services within a week, a relatively fast recovery for a ransomware attack
FBI from three field offices plus DHS were involved, reflecting the federal seriousness of university ransomware attacks
Cyberattacks represent a growing but underreported category of campus emergencies that can affect every aspect of university operations
Outcome
ITS restored services over one week. The university did not pay a ransom. FBI and DHS assisted. No personally identifiable information from enterprise systems is believed to have been accessed.
Provenance

Sources

  1. Official
  2. News
  3. national media
  4. News
  5. Official
Cite this case

Campus Alert Archive. "Truman State University: Campus alert, April 21, 2023." Incident of April 21, 2023. Added April 2026; last updated July 2026. https://campusalertarchive.com/case/truman-state-university-cyberattack-2023-04-21/

Download case JSON

Alert text quoted on this page remains the work of the issuing institution; the archive is a secondary source.

Tags
cyberattackransomwaremissourifbidhsnetwork-shutdownweek-long-disruptionno-ransom-paidpublic-liberal-arts
Added April 2026Updated July 2026Via ingestion