The hackers who broke into the computer system at Broward County Public Schools last month made good on their threat this week to release thousands of files they stole from the district.
The group, known as Conti, has posted nearly 26,000 files on its website, threatening the companies and other organizations it targets that unless they pay a ransom, their files, which may contain personal information, will be released, too.
The files, dating from 2012 to March of this year, do not contain Social Security numbers, but they do include some instances of confidential data about students, faculty or staff, according to the Sun Sentinel.
“If you are a customer who declined the transaction on the Cartel website or you did not find valuable files, it does not mean that we have forgotten you, it just means that the data was sold and therefore not published for free,” states the group on its website.
The school district posted a statement on its website saying that so far, the outside investigators it hired have found no indication that students' or employees' personal data has been compromised.
The statement reads: “If an investigation uncovers any personal data that has been compromised, the county will provide appropriate notice to those affected.”
The district contacted law enforcement and said in a statement to the media on Tuesday that it, with the help of its designated cybersecurity experts, had “implemented a plan of content analysis to determine the necessary further action.”
The statement added that the breach is still under investigation.
When hackers breached the school district’s system in early March, they initially asked for $40 million, but then said they would accept $10 million, according to a transcript of text messages between Conti and an anonymous employee. The Miami Herald has seen screenshots of the transcript.
The district told the Herald last month that it had no plans to pay the ransom. It hired a cybersecurity company to investigate the hack and try to recover its files.
Brett Callow, a threat analyst at New Zealand-based cybersecurity firm Emsisoft, said Conti are “experienced extortionists” who have released data they stole from nearly 300 other organizations.
“The information being released in these cases can be very sensitive. For example, in one recent case involving a school district, hackers published details of alleged sexual assaults by/against specific individuals,” Callow said in an email. “Things like this are really bad. If your financial information leaks, you can fix your credit; when things like this leak, there is no way to fix it. Once it is there, it will be there.”
Callow said hackers get into organizations’ computer systems either by tricking an employee into opening a link in an email message, or because the organization has a server facing the Internet that is improperly secured.
“It’s about 50/50. In these cases, the hackers try to delete or encrypt the target’s backups,” Callow said. “If they fail, the organization can use the backups to restore their systems. If they are successful, the organization’s only option is to lose its data or pay the ransom.”
“But, of course, either way, they still have the problem of stolen data.”
This story was originally published April 20, 2021 2:03 p.m.