[BreachExchange] Buffalo Public Schools didn't pay ransom in cyberattack, but response cost nearly $10M

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Oct 18 11:50:01 EDT 2021


https://buffalonews.com/news/local/education/buffalo-public-schools-didnt-pay-ransom-in-cyberattack-but-response-cost-nearly-10m/article_f0265112-2de2-11ec-bfa9-cf4404e9f9b5.html


The Buffalo school district is spending nearly $10 million to respond to a
March ransomware attack, including the ongoing cost to bolster the security
of its computer network, but it never paid a ransom to the attackers.

In fact, a top district official said, no ransom ever was demanded from the
district.

Those are among the key revelations from Nathaniel Kuzma, the district's
general counsel, who updated The Buffalo News last week on the ransomware
attack, which severely disrupted district operations.

In all, Kuzma said, the district alerted about 110,000 current and former
teachers, other school employees, current and former students and vendors
that their information on file with the district may have been compromised
in the attack.

About 1,500 people took advantage of 12 months of free fraud monitoring
services offered by a district cybersecurity consultant, Kuzma said.

But Kuzma said it's still not clear how much information was exposed or
what data, if any, was lost and not recovered.

And he declined to say how, precisely, the attacker was able to breach the
district's network or whether investigators have determined who was behind
the attack. That's partly because district information technology staff and
outside consultants continue to update and improve the system's security.

"Our system, as we speak, is being worked on, rebooted, redesigned and
there still is vulnerability," Kuzma said. "So I wouldn’t want to speak
about what our weakness would be, necessarily."

This leaves Buffalo Public Schools teachers and parents seeking more
details about the attack and its long-term impact.

Those stakeholders say it appears the district lost a substantial amount of
information stored on its computer network, such as teacher lesson plans
and digitized versions of student transcripts.

They say they don't blame the district for its vulnerability to the growing
threat of ransomware. But they hope the district learns its lesson from
this event and they seek more transparency from officials about what
occurred.

"We've never heard anything from the district, except it happened," said
Wendy Mistretta, president of Buffalo's District Parent Coordinating
Council.

The March 12 ransomware attack forced the district to cancel classes for a
few days until employees could restore key systems, equipment and
applications targeted in the electronic intrusion.

The district quickly hired a cybersecurity consultant, GreyCastle Security,
at an initial cost of $40,000 to help it investigate and respond to the
attack. It also requested the assistance of the FBI.

A few days after the attack was discovered, Superintendent Kriner Cash sent
a letter to district employees saying that “at this point, our lead
investigative consultant and the FBI have not determined that there has
been an exposure of personally identifiable information.”

However, by May, the district informed the families of 82,000 current and
former students, about 14,000 current and former teachers and other
district staff and about 14,000 businesses that have worked with the
district that their information was exposed, Kuzma said.

This doesn't mean all of those people lost personally identifiable
information to the attackers, Kuzma cautioned. It means their information
was exposed, but the district has no knowledge any of the data was misused,
he said.

The students' potentially exposed data includes demographic information,
such as gender, race and ethnicity, special education status and primary
language, the district said in a May letter. Parent and guardian names and
addresses were also exposed.

No student Social Security numbers were compromised, Kuzma emphasized,
because the district doesn't store this information for its students.

It's hard for the district to know exactly what information was lost to the
attackers because as soon as it was alerted to the attack, Kuzma said, it
shut down its computer systems as a precaution.

"The district is presently in the process of rebuilding and redesigning its
instructional technology infrastructure and security with leading industry
experts," Kuzma said. "Though progress has been made since the time of the
cyberattack, the extent of the information lost/recovered remains
undetermined until that project is complete."

Kuzma also said he was reluctant to discuss what the district has learned
from its consultants about how the attack succeeded for the same reason.

The Buffalo School Board has approved spending nearly $9.4 million on IT
consultants to respond to the ransomware attack, including $597,000 to
GreyCastle. It is set to approve another $400,000 at this week's board
meeting, including $190,000 to Kroll, the consultant providing free fraud
monitoring services.

The biggest payment, nearly $3.8 million for the first 12 months and $4
million total for the next two years, is going to a Nashville-based
technology consulting firm called ENA.

"We believe once this work is completed, we will have a best-in-class IT
security and infrastructure system in this district," Kuzma said. "We are
taking the necessary steps to ensure that we are as protected, based on
industry standards, as we can be from this happening again."

Ransomware is malicious software, or malware, that typically blocks
access to the user's computer system until a ransom is paid. This malware
often gets into the network when an employee unwittingly clicks on a link,
or opens an attachment, carrying the software's payload.

School districts, hospital systems, government agencies and companies large
and small are targeted in ransomware attacks.

"Believe me when I tell you they are after every business sector, no matter
what it is," said Holly Hubert, a former FBI agent and founder of
Amherst-based GlobalSecurityIQ.

School districts have become particularly attractive targets, experts say,
because they often don't invest in the highest-level cybersecurity
measures, they store extensive data on students and employees and they have
had to ramp up extensive remote-learning procedures since the start of the
pandemic.

The K-12 Cybersecurity Resource Center collected 408 publicly disclosed
school incidents in 2020, including ransomware attacks, data breaches and
denial-of-service attacks, an 18% increase from the year before.

A ransomware attack without a ransom demand is "uncommon," said Hubert.

But there could be any of a number of reasons for this, said Hubert, whose
firm didn't work on this incident. For example, if the district regularly
backed up the data it stored and the attack occurred moments after one of
those frequent backups, the hackers behind the attack could come away empty
handed, she said.

The public isn't likely to learn the specifics of what happened, and who
was behind it, unless the Justice Department brings charges against the
attackers.

"You're not going to see attribution until there's a prosecution," Hubert
said.

This isn't always possible, she said, noting sophisticated ransomware
attacks increasingly are launched from overseas by international criminal
gangs or state actors.

The Buffalo FBI office declined to comment on its investigation.

District stakeholders say they understand the district isn't alone in
confronting cybersecurity threats and officials can't disclose anything
that would compromise a criminal investigation.

But they say they're not completely satisfied with the level of detail
officials have shared about the extent of the attack.

Mistretta said it's clear the district lost instructional material and
other data that was stored on its network. She said she's aware of teachers
who had to rebuild their lesson plans and schools that had to reconstruct
the templates they followed for their annual graduation ceremonies.

"It's very extensive, the data that was lost," Mistretta said.

Buffalo Teachers Federation President Phil Rumore said the union has
requested more information from the district on how its members were
affected. He also said teachers want more training in best cybersecurity
practices and more time to be able to sign up for IT consulting and
monitoring services.

The BTF plans to meet with district officials on the issue in December.

"The bottom line is the transparency," Rumore said. "We want to have more
access and quicker access to what exactly is going on, what has been
compromised, et cetera, within the guidelines that are required by the
federal government."