Ds Scholarship

Broward Schools Warn 50K Employees, Students of Data Breach

(TNS) – About 50,000 students and staff are now being notified by the Broward School District that their personal data may have been compromised during a ransomware attack months ago.

The school district — which initially said it was unaware of any personal or student data that was compromised — confirmed that it likely happened during an investigation in June. The county publicly announced on its website Monday that those affected are now receiving written notifications.

The county publicly disclosed for the first time on Tuesday the broad scope of the violation. The school district has remained secretive for several months about this ransomware attack, which occurred between November 12, 2020 and March 6, 2021, often relying on the advice of a lawyer and the PR firm it employed.

The hackers demanded $40 million to gain access to the locked files, but district officials said in April that they would not pay a ransom.

“This notice is to inform you that the March 7, 2021 security incident that resulted in unauthorized access to certain Broward County Public School systems may include sensitive information for certain faculty, staff, and students,” the post said Monday.

The incident led to a few hours of disruption in education for students who were homeschooled during the pandemic in early March, until the school district was able to determine not to penetrate students’ academic programs.

The notice posted on Monday said that on June 8, the district decided that some of the information that was disclosed included individuals’ names and Social Security numbers.

Additional analysis on June 29 determined that the data “may include information related to our health insurance plan, including individuals’ names, dates of birth, Social Security numbers, and benefits selection information.”

“The county is now providing written notification to affected individuals,” the notice says. “With great caution, Baltimore County Public Schools is also posting this notice to inform the public … about the extent of this incident and to make recommendations on ways to protect personal information. The district also offers free credit monitoring, upon request, to those affected.”

The decision to release the information now instead of June has raised concerns.

“I’m not quite sure why it’s showing up now. It sounds weird,” said Debbie Hickson, a member of the Broward School Board of Directors.

In a statement issued on Tuesday, the office of Chief Communications Officer Cathy Koch said the district had “worked diligently to investigate the incident, determine how the incident occurred, and attempt to identify individuals whose data may have been compromised.”

The county first secured its systems and launched an investigation and then “conducted a time-consuming review of data that might have been accessed by the unauthorized party and engaged in further efforts to try to accurately identify the data it shared and notify these individuals. In the end, the investigation was unable to determine All affected individuals.”

Brett Kahlo, threat analyst at technology company Emsisoft, said the region should have told those affected sooner.

“When data is compromised, it puts affected individuals and businesses at risk of identity theft … fraud and other frauds,” he said. “If these individuals and companies are immediately notified of what has happened, they can take steps to protect themselves. If they are not notified, they will have no way of knowing that they may be in the crosshairs of cybercriminals.

“The bottom line: Quick notifications can prevent one crime from becoming many,” Kalou said.

The district, with the help of security advisors, remained silent about the attack, refusing to hand over the results of the investigation or answer many of the Sun Sentinel’s questions.

Prior to Monday’s publication, the school district refused to acknowledge the breach of student and employee data, even after a Sun Sentinel reporter found some examples in April of personal data shared on material that hackers had publicly posted with international malware group Conti.

“At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident,” the communications office wrote on March 31, refusing to provide updates before this week.

On July 31, Sun Sentinel submitted a request for public records of the results of any investigations into the cyber attack. “I’ve received a final response,” Records Officer Rykiel Bell replied on August 10, “The internet/ransomware incident has not been reported. “

Emails obtained through other public records requests showed that the school district was using John Hutchins, a cybersecurity attorney in Atlanta, and Edelman, a large public relations firm, for advice on ways to avoid answering questions and to control the story.

Edelman’s public relations officer, Carmina Zafiro, encouraged district officials on March 31 not to provide the media with the costs of the investigation. A similar attack in Baltimore County Public Schools cost about $8.1 million, Fox Baltimore reported.

Will the cost eventually be disclosed in any public financial statements? Sharing a number may turn out to be a story in and of itself, so I would caution against responding with a number,” Zafiro wrote to District Public Relations Director Kela Concepcion. “But if at some point this information is revealed, we have to be careful about how we refuse to mention the information.”

When a reporter asked questions that went beyond the area’s initial statement about the cyber attack, Zafiro wrote, “Our recommendation is to let these follow-up questions go. The reporter has received a response, and there is no point in expanding on the statement.”

“I agree with your comments. No contact with the reporter has taken place,” Concepcion wrote.

After the Sun Sentinel reporter kept asking unanswered questions for two weeks, Conception received advice from Edelman’s Aidan Ryan on April 14.

Ryan replied to Concepcion: “My initial idea is that it would be in the interest of the region to provide a short answer here, with the goal of putting an end to local coverage by noting that the ‘story’ is effectively over.”

Ryan encouraged district officials to repeat messages already shared and to inform Sun Sentinel that they would not share any further information “in order to protect the integrity of our data security.”

© 2021 South Florida Sun Sentinel. Distributed by Tribune Content Agency, LLC.


Please enter your comment!
Please enter your name here