[BreachExchange] Hackers post 26,000 files online after Florida school district doesn’t pay $40 million ransom

Destry Winant destry at riskbasedsecurity.com
Wed Apr 21 10:25:23 EDT 2021


https://www.orlandosentinel.com/news/florida/fl-ne-broward-schools-hackers-post-files-20210420-mypt2qtlc5a7xela4x6bcg5hdy-story.html

Hackers who demanded up to $40 million from the Broward School
District have now published nearly 26,000 files stolen from district
servers.

An initial review by the South Florida Sun Sentinel found a few
isolated incidents where confidential student or employee information
was released, but none that contained Social Security numbers.

The 25,971 files, which are dated from 2012 to March 2021, contain
mostly district accounting and other financial records, including
invoices, purchase orders, travel and mileage reimbursement forms and
forms used to dispose of surplus inventory at schools.

The international malware group Conti posted the files Monday after
the district refused to pay millions in ransom. Last month, the
hackers posted a transcript of a conversation with an unidentified
representative of Broward schools, which offered to pay the hackers
$500,000 on March 26 to retrieve data. The hackers initially demanded
$40 million but dropped the price to $10 million.

The district, which announced March 31 it had no intention of paying a
ransom, “is aware of the recent actions taken by the criminals who
breached our system,” according to a statement Monday from the office
of Chief Communications Officer Kathy Koch.

“With the assistance of outside experts, the district has implemented
a plan to analyze the content to determine what further action is
necessary,” the statement said, adding that the district will notify
any individuals whose personal information was shared.

“Cybersecurity experts are continuing to investigate the incident and
enhance measures system-wide,” the statement said.

The district has published questions and answers about the breach on
its website at browardschools.com.

The data published includes more than 750 employee mileage reports, 36
employee travel reimbursement forms, more than 700 invoices for spring
water, more than 1,000 invoices for school construction work, about
400 payments to Broward Sheriff’s Office or local police departments
for security, dozens of utility bills and several employee phone
lists.

The vast majority of the information released appears to be public
records. But there were some instances of confidential information
being shared:

- A March 2020 invoice for $14 from the state Health Department
includes the name and date of birth of a 9-year-old student who was
being examined for a disability.
- A report about missing equipment includes a December 2018 letter
from a mother whose son took a laptop from his class and switched the
inventory tag from his computer after he broke his device. The names
of the mother and student are included.
- Several invoices name bus drivers who visited urgent care centers,
both for state-required physicals and other matters.
- Several documents list employee benefits, including a policy summary
of an employee’s life insurance coverage and a listing of another
employee’s health insurance coverage.

“It doesn’t sound like it was that big,” said Jorge Orchilles of
Weston, chief technology officer for the cybersecurity company Scythe.
“It looks like they made the right decision not to pay ransom. At this
point, there’s no point in paying it because all the information is
already out there.”

However, the hackers say on their website they may have more information.

“If you are a client who declined the deal and did not find your data
on cartel’s website or did not find valuable files, this does not mean
that we forgot about you,” the website says. “It only means that data
was sold and only therefore it did not publish in free access!”

The district’s Chief Information Officer Phil Dunn warned the School
Board last week that a new cyber-attack could be devastating,
affecting the district’s ability to pay employees or even keep schools
open. He requested $20 million to enhance the district’s
cyber-security efforts. The School Board plans to make a final
decision in the coming weeks.

There have been at least 21 successful ransomware attacks in the U.S.
education sector so far in 2021, disrupting 550 schools, said Brett
Callow, a threat analyst for the anti-malware company Emsisoft. He
said data was stolen from at least seven of those school districts.

