[BreachExchange] Investigation Finds Broward Schools Delayed, Hid Key Details of Cyber Attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Feb 22 11:18:20 EST 2022


https://www.govtech.com/education/k-12/investigation-finds-broward-schools-delayed-hid-key-details-of-cyber-attack

(TNS) — When the Broward School District learned that hackers may have
accessed the personal data of thousands of people from district servers,
its response was to hide and delay.

The district took extraordinary steps to keep the public, including 50,000
potential victims, from learning about ransomware attacks that took place
from November 2020 to March 2021, a South Florida Sun Sentinel
investigation has found.

Among these efforts, the district:

- Waited five months to report key information to affected individuals as
  well as to the U.S. Department of Health and Human Services, three months
  longer than a federal rule allows. The department is investigating the
  district’s response.
- Alerted the public in November it had conducted its own investigation into
  the data breach but later said the findings of the investigation were never
  put in writing.
- Used a public relations firm to help dodge questions from the news media
  and persuade the public that personal data wasn’t at risk.
- Rejected a public records request for emails related to the ransomware,
  with a district lawyer saying “it is not worth any of our time” to review
  the emails to see if they were exempt under state law.
- Lobbied the state Legislature for a law that would keep any cybersecurity
  investigations hidden from the public.

The ransomware attack and the issues it posed spanned two school
superintendents. Robert Runcie was in charge when the breach happened and
hackers posted 26,000 district files online after failed ransom
negotiations. Vickie Cartwright, who started with the district in August,
was in charge when the deadline to notify the federal government passed,
the district’s investigation was completed and when affected employees were
finally notified.

Cartwright, who recently was chosen as the permanent superintendent, said
there is a reason for the district’s efforts: to avoid exposing the
district’s vulnerabilities to those who want to cause more harm.

“That is best practice when it comes to security, because you do not want
to expose what and how it occurred because then you’re exposing the
potential for someone to repeat that,” Cartwright said. “We’re not going to
show the public our security protocols because it only dramatically
increases the likelihood of it being done again.”

The school district wouldn’t specifically address why it wouldn’t put the
findings of its ransomware investigation in writing.

The district “undertook a time-consuming review of the data that might have
been accessed by the unauthorized party” to determine who was impacted, the
office of Chief Communications Officer Kathy Koch said in late November.

“Ultimately, the investigation could not identify all of the individuals
affected,” Koch’s office said.

The district’s actions raise alarm from some security experts and advocates
of open government who say the secrecy appears to be more about protecting
the district’s image than its network servers. Their efforts have deprived
employees, other agencies and the public of knowing what went wrong and
what lessons were learned to prevent a future attack, these experts say.

“Knowing is half the battle,” said Brett Callow, a threat analyst for
Emsisoft, a software company that specializes in cybersecurity. “If the
security community understands why attacks succeed, steps can be taken to
prevent other attacks from succeeding for the same reasons. Information
sharing is, therefore, a very good thing. It helps keep everybody safer.”

The delays in releasing details didn’t go over well with many of the 50,000
employees, former employees, students and others who received letters in
late November or early December about the breach.

“As someone who’s been a victim of identity theft three times in the past,
it pissed me off that the district waited months to say a word about who
may have been compromised,” said Jeffrey West, a teacher of the deaf and
hard of hearing at South Plantation High.

West said so far he’s not aware of his personal information being misused
from this incident.

A RANSOMWARE ATTACK

The school district first discovered the data breach on March 7, 2021.
After the district learned of the incident, it “secured the systems
involved and commenced an investigation,” the school district has said.

On March 9, employees received a notice saying certain programs had been
shut down temporarily due to “recently identified cybersecurity risks.” On
March 11, the hackers told the district they had personal data of students
and employees.

The district had begun receiving media inquiries the morning of Monday,
March 8. But the district wouldn’t respond to questions until 7:20 p.m.
Friday, March 12, when it would only acknowledge a “service disruption” in
a statement issued to reporters.

The district only acknowledged the ransomware attack weeks later, on March
31, after hackers posted a transcript of failed ransom negotiations online,
and the district received more media inquiries. On that day, in a message
to employees, it encouraged them to stay vigilant by reviewing their
account statements and credit reports for any unauthorized activity, while
saying there was no evidence at the time that anyone’s personal information
had been accessed.

The hackers demanded as much as $40 million, and the district offered
$500,000, but no ransom was paid.

On April 19, the hackers posted 26,000 files online, which the district
acknowledged in response to reporters’ questions. The Sun Sentinel, after a
quick review of some documents, reported that same day that some files
contained confidential employee and student information.

But at the time, the district wouldn’t answer questions from the Sun
Sentinel about anything related to personal data being breached.

REPORTING THE CYBER ATTACK

The district’s response to the data breach is now being reviewed by federal
officials. The U.S. Department of Health and Human Services’ breach
notification portal lists the school district among cases currently under
investigation by its Office of Civil Rights.

Broward school district officials say they learned June 29 that the hackers
had access to employee health plan information.

Because the breach involved health data, there are federal reporting
requirements as part of HIPAA, the Health Insurance Portability and
Accountability Act, which was created to protect patient privacy.

If an agency or business believes personal health data of 500 or more
people has been illegally accessed, they are required to report this to the
Department of Health and Human Services within 60 days, according to the
department’s breach notification rule.

But the school district didn’t share the information it had learned in June
with the state or federal government, those affected or the public for 154
days: It finally disclosed the full extent of the attack on Nov. 29 through
a notice on its website, and reports to the Department of Health and Human
Services and state Attorney General’s Office.

That day, the district sent an email about the breach to the Sun Sentinel
and started sending out letters to 50,000 employees, former employees,
family members of employees and students saying their data may have been
compromised.

The district was aware of the federal government’s reporting rules but
doesn’t believe it violated federal law, according to a statement from
Koch’s office.

“The notification to individuals and to [ Health and Human Services]
required the gathering and sorting of significant amounts of data in order
to determine the individuals to be notified,” the statement said. “That
process was complex and took substantial hours. Under the circumstances,
notification was made in an expeditious manner.”

A spokeswoman for the federal department said it doesn’t comment on “open
or potential investigations.”

A school district shouldn’t hold off on reporting the breach to the federal
government just because it hasn’t identified every victim, said Steve
Alder, editor-in-chief of the trade magazine HIPAA Journal, who wrote an
article this month about health-related data breaches.

“Notifications to the HHS should not be delayed unnecessarily and must be
issued within 60 days of the discovery of a data breach, even if the total
number of individuals affected is not known at the time,” Alder told the
Sun Sentinel.

There are sometimes valid reasons to delay notifications, such as a request
from law enforcement, but few agencies have cited this as a reason for the
delay when they finally alert the public, Alder said.

The Broward school district reported the incident to the FBI and U.S.
Department of Secret Service, school district emails show. The district’s
public statements about the breach don’t say whether law enforcement
agencies asked the district to delay telling victims.

The potential penalty is fines, but enforcement for late reporting is rare,
experts say.

A slow response plan also can lead to investigations by state attorneys
general, said Michael Hamilton, chief information security officer for
Critical Insight, a Seattle-based cybersecurity company that works with
health care organizations and governments.

Hamilton said the Rhode Island attorney general, for example, is
investigating a data breach involving a large insurance company and public
transit authority.

The transit authority notified the FBI on Aug. 11, but didn’t send notices
to the 22,000 people affected or the attorney general until late December,
according to the Boston Globe. Rhode Island law requires notification
within 45 days.

Florida law is not clear on whether school districts must report data
breaches to the state. A spokeswoman for Attorney General Ashley Moody said
her office “is aware of this security incident and cannot provide further
comment at this time.”

AN INVESTIGATION — BUT NO WRITTEN REPORT

When the Broward school district finally did issue the required public
notice on Nov. 29, it said multiple times the district learned that
personal data was breached through an investigation.

But when the Sun Sentinel requested a copy of the investigation report, a
school district lawyer said the investigation wasn’t placed in writing.

“Our Office has been advised that while an ‘on-the-ground’ investigation
was conducted, no written investigation report was produced by either the
district or any outside persons acting on the district’s behalf,” district
lawyer Bob Vignola wrote to a Sun Sentinel lawyer on Jan. 12.

The Sun Sentinel later reviewed minutes of a Jan. 10 Technology Advisory
Committee, which said a “final report” about the data breach “was received
in September 2021.” Vignola then said he reached out to three district
employees listed as speakers at the meeting.

“Each has informed me that they have not received a written report
regarding the matter ... and that they did not indicate at that meeting
that any such written report existed,” Vignola told a Sun Sentinel lawyer
on Jan. 31.

This alarmed School Board member Sarah Leonardi, a former teacher who
received one of the letters saying her data may have been compromised.

“The fact there is no written investigation report is concerning in the
context of how poorly communicated this whole situation has been to both
myself as a School Board member and impacted employees and families,”
Leonardi said.

Before November, she said she only knew that people’s data was breached,
because the Sun Sentinel reported finding confidential information online
April 19.

“I would like us to learn from this situation. And the fact that there’s
not a written investigative report, it makes me wonder what’s going to
happen in the future,” she said.

‘IT JUST LEAVES THE PUBLIC IN THE DARK’

Doug Levin, a school cybersecurity expert, said school districts “will
often share as little as possible” about breaches, “largely out of fear of
looking poorly to their community.”

But Broward’s actions are particularly unusual, said Levin, who runs the
K-12 Cybersecurity Resource Center to help school districts combat
cyberattacks. He said he’s never heard of a school district saying it
doesn’t have any kind of written investigative report, regardless of
whether it’s made public.

“It’s sort of implying, ‘We don’t need one,’” he said.

Virginia Hamrick, a lawyer with the First Amendment Foundation, which
advocates for open government in Florida, also questioned the district’s
decision to conduct a non-written investigation.

“It just leaves the public in the dark about what was done for the
investigation,” Hamrick said. “Was anything done? Who did the investigation
and what did they do?”

The Sun Sentinel asked Koch’s office a series of questions on Jan. 18 about
the investigation, including what caused the attack, what an “on-the-ground
investigation” means, why the investigation wasn’t put in writing and if
that could hurt efforts in the future to prevent another attack.

“You have received all the information that is available pertaining to this
investigation,” the office responded.

District officials would like the state’s help in concealing information in
the future.

They drafted a proposed law, which they shared with the state Legislature,
to exempt school districts from having to release cybersecurity
investigations to the public. Some state agencies, as well as colleges and
universities, already have this exemption.

The district wants to get “those benefits other government entities have
and not have to release information that is confidential,” Interim General
Counsel Marylin Batista told the Broward School Board in August.

No such bill has been filed in the Legislature, said John Sullivan, the
district’s director of legislative affairs.

DOWNPLAYING THE BREACH

Without state protection, the school district has taken numerous steps to
withhold information about the breach. The district’s decisions to shield
information were at least partly guided by the public relations firm,
Edelman. The contract was signed by Aston Henry, the district’s director of
risk management, with Koch listed as the billing contact.

According to its contract, Edelman’s role was to assist the district with
such issues as “crisis communications and reputation risk services related
to cybersecurity issues.” London-based Brit-Lloyd’s Syndicate provided
public-relations and legal services as part of the district’s cybersecurity
insurance.

These services, as well as ones to negotiate with the hackers, recover
data, make fixes and provide a year of credit monitoring to potential
victims were free to the district after a $250,000 deductible, Koch’s
office said.

The breach happened about the same time the district was facing another
crisis — a grand jury investigation that had scrutinized the district’s
purchase of classroom technology. On April 21, two days after hackers
posted 26,000 district files online, Runcie was indicted by the grand jury
on a perjury charge, and Barbara Myrick, then general counsel, was charged
with illegally sharing confidential information from the grand jury. Myrick
resigned in late June, Runcie in early August.

On multiple occasions in April, the district’s communications office shared
little except that it didn’t plan to pay a ransom and that there was no
evidence that any personal data was breached. Edelman officials provided a
daily review of news coverage and advice on how to handle media questions.

“Most concerning, unsurprisingly, is the [Sun Sentinel’s] piece, which
casts doubt on the district’s position that no personal data was at risk,
and notes there has been no communication with parents,” Aidan Ryan, a
crisis and risk administrator with Edelman, wrote to communications manager
Keyla Concepcion on April 1.

The Sun Sentinel asked the school district why there hadn’t been widespread
public notice similar to when such companies as Amazon and Target faced
data breaches.

Atlanta lawyer John Hutchins, of BakerHostetler, a national law firm the
district received assistance from, offered advice to Concepcion on how to
respond to the reporter.

“On background, maybe someone can explain to him ... that the primary
purpose of paying a ransom in an incident like this is to get decryption
tools from the threat actor, not to prevent publication of exfiltrated
data,” Hutchins wrote April 1. “Also, he doesn’t distinguish between a
consumer data breach, like Target, and a ransomware event. The latter is
primarily about encrypting data to make it unusable, not about stealing
personal information.”

Callow, the Emsisoft threat analyst, disagrees.

“The fact is that when personal information is accessed, it may be used
either by the hackers or by other actors who obtain access to it,” Callow
said. “There is no way to know whether or when that may happen.”

Hutchins did not respond to requests from the Sun Sentinel for comment,
despite multiple attempts by phone and email.

Concepcion never shared Hutchins’ information with the Sun Sentinel. “Less
is more with this particular outlet,” Concepcion responded to Hutchins in
the April 1 email exchange. “I do believe it would be a slippery slope.”

After a Sun Sentinel reporter kept asking questions that went unanswered
for two weeks, Concepcion received advice on April 14 from Ryan. “My
initial thought is it would be in the district’s interests to provide a
short response here, aiming to put a cap on local coverage by indicating
the ‘story’ is effectively over,” Ryan wrote.

“Thank you for your response, Aidan. I completely agree,” said Concepcion,
who sent the reporter a response that repeated information already shared
and said the district would provide nothing else “in the interest of
protecting the integrity of our data security.”

‘IT’S NOT WORTH ANY OF OUR TIME’

During April, the school district refused to fulfill a Sun Sentinel public
records request pertaining to emails about the cybersecurity attack.

Myrick, the then general counsel, told the school district to deny all
emails without reviewing them to see if they were exempt.

“I simply think we should say that any of the emails during this period are
exempt from public records under the security exemption,” Myrick wrote to
district administrators April 1. “It is not worth any of our time to … pull
the emails and for each of us to go through them for the few emails that
would not be exempt.”

However, there isn’t actually a specific exemption in the statute related
to IT security for school districts.

On April 20, the district denied the request for emails, saying files
maintained by a school district’s risk management program — the department
that tries to protect the district’s assets and reduce liabilities — are
exempt “until termination of all litigation and settlement of all claims
arising out of the same incident.”

It’s unclear what litigation the district was referring to. The district
did comply in June with a Sun Sentinel request for emails about how the
public records and communications offices responded in April to questions
from the newspaper.

A SEARCH FOR ANSWERS

The school district discussed the breach at length on Jan. 10 during a
meeting of its Technology Advisory Committee, which makes recommendations
to district administrators and the School Board on how technology is used
in the district.

Although these public meetings are normally recorded, the school district
chose not to record for this meeting, “due to the sensitive nature being
presented,” the minutes said.

The school district’s information technology staff had a good grasp on the
data breach and were making fixes required by its insurance company to
maintain its coverage, said Beth Anne Carr, chairwoman of the committee.
But she said committee members were frustrated with how poorly the school
district communicated information with those directly impacted and the
public.

District staff informed the committee that many decisions related to
disclosure were made by companies hired by the district’s insurance
company, Carr said.

Carr told the Sun Sentinel she felt that created competing interests: The
insurance company was trying to protect its private interests and reduce
liability while the school district’s interest should be protecting
employees, students and the public, she said.

“When you’re perceived as someone who is trying to obscure facts, it’s
going to make people want to look further,” Carr said. “It draws more
attention than if you just say, ‘Here is what happened and who is affected
and here is what we’re doing to deal with it.’”