IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Buffalo School District to Spend $10M on Ransomware Response

Following a ransomware attack March 12 that shut down systems and forced the cancellation of classes, Buffalo Public Schools is spending nearly $10 million on network security, fraud monitoring and other services.

Hacker with laptop and dangling IDs
Shutterstock
(TNS) — The Buffalo school district is spending nearly $10 million to respond to a March ransomware attack, including the ongoing cost to bolster the security of its computer network, but it never paid a ransom to the attackers.

In fact, a top district official said, no ransom ever was demanded from the district.

Those are among the key revelations from Nathaniel Kuzma, the district's general counsel, who updated The Buffalo News last week on the ransomware attack, which severely disrupted district operations.

In all, Kuzma said, the district alerted about 110,000 current and former teachers, other school employees, current and former students and vendors that their information on file with the district may have been compromised in the attack.

About 1,500 people took advantage of 12 months of free fraud monitoring services offered by a district cybersecurity consultant, Kuzma said.

But Kuzma said it's still not clear how much information was exposed nor what data, if any, was lost and not recovered.

And he declined to say how, precisely, the attacker was able to breach the district's network nor whether investigators have determined who was behind the attack. That's partly because district information technology staff and outside consultants continue to update and improve the system's security.

"Our system, as we speak, is being worked on, rebooted, redesigned and there still is vulnerability," Kuzma said. "So I wouldn't want to speak about what our weakness would be, necessarily."

This leaves Buffalo Public Schools teachers and parents seeking more details about the attack and its long-term impact.

Those stakeholders say it appears the district lost a substantial amount of information stored on its computer network, such as teacher lesson plans and digitized versions of student transcripts.

They say they don't blame the district for its vulnerability to the growing threat of ransomware. But they hope the district learns its lesson from this event and they seek more transparency from officials about what occurred.

"We've never heard anything from the district, except it happened," said Wendy Mistretta, president of Buffalo's District Parent Coordinating Council.

The March 12 ransomware attack forced the district to cancel classes for a few days until employees could restore key systems, equipment and applications targeted in the electronic intrusion.

The district quickly hired a cybersecurity consultant, GreyCastle Security, at an initial cost of $40,000 to help it investigate and respond to the attack. It also requested the assistance of the FBI.

A few days after the attack was discovered, Superintendent Kriner Cash sent a letter to district employees saying that "at this point, our lead investigative consultant and the FBI have not determined that there has been an exposure of personally identifiable information."

However, by May, the district informed the families of 82,000 current and former students, about 14,000 current and former teachers and other district staff and about 14,000 businesses that have worked with the district that their information was exposed, Kuzma said.

This doesn't mean all of those people lost personally identifiable information to the attackers, Kuzma cautioned. It means their information was exposed, but the district has no knowledge any of the data was misused, he said.

The students' potentially exposed data includes demographic information, such as gender, race and ethnicity, special education status and primary language, the district said in a May letter. Parent and guardian names and addresses were also exposed.

No student Social Security numbers were compromised, Kuzma emphasized, because the district doesn't store this information for its students.

It's hard for the district to know exactly what information was lost to the attackers because as soon as it was alerted to the attack, Kuzma said, it shut down its computer systems as a precaution.

"The district is presently in the process of rebuilding and redesigning its instructional technology infrastructure and security with leading industry experts," Kuzma said. "Though progress has been made since the time of the cyberattack, the extent of the information lost/recovered remains undetermined until that project is complete."

Kuzma also said he was reluctant to discuss what the district has learned from its consultants about how the attack succeeded for the same reason.

The Buffalo School Board has approved spending nearly $9.4 million on IT consultants to respond to the ransomware attack, including $597,000 to GreyCastle. It is set to approve another $400,000 at this week's board meeting, including $190,000 to Kroll, the consultant providing free fraud monitoring services.

The biggest payment, nearly $3.8 million for the first 12 months and $4 million total for the next two years, is going to a Nashville-based technology consulting firm called ENA.

"We believe once this work is completed, we will have a best-in-class IT security and infrastructure system in this district," Kuzma said. "We are taking the necessary steps to ensure that we are as protected, based on industry standards, as we can be from this happening again."

Ransomware is a malicious software, or malware, that typically blocks access to the user's computer system until a ransom is paid. This malware often gets into the network when an employee unwittingly clicks on a link, or opens an attachment, carrying the software's payload.

School districts, hospital systems, government agencies and companies large and small are targeted in ransomware attacks.

"Believe me when I tell you they are after every business sector, no matter what it is," said Holly Hubert, a former FBI agent and founder of Amherst-based GlobalSecurityIQ.

School districts have become particularly attractive targets, experts say, because they often don't invest in the highest-level cybersecurity measures, they store extensive data on students and employees and they have had to ramp up extensive remote-learning procedures since the start of the pandemic.

The K-12 Cybersecurity Resource Center collected 408 publicly disclosed school incidents in 2020, including ransomware attacks, data breaches and denial-of-service attacks, an 18-percent increase from the year before.

A ransomware attack without a ransom demand is "uncommon," said Hubert.

But there could be any of a number of reasons for this, said Hubert, whose firm didn't work on this incident. For example, if the district regularly backed up the data it stored and the attack occurred moments after one of those frequent backups, the hackers behind the attack could come away empty handed, she said.

The public isn't likely to learn the specifics of what happened, and who was behind it, unless the Justice Department brings charges against the attackers.

"You're not going to see attribution until there's a prosecution," Hubert said.

This isn't always possible, she said, noting sophisticated ransomware attacks increasingly are launched from overseas by international criminal gangs or state actors.

The Buffalo FBI office declined to comment on its investigation.

District stakeholders say they understand the district isn't alone in confronting cybersecurity threats and officials can't disclose anything that would compromise a criminal investigation.

But they say they're not completely satisfied with the level of detail officials have shared about the extent of the attack.

Mistretta said it's clear the district lost instructional material and other data that was stored on its network. She said she's aware of teachers who had to rebuild their lesson plans and schools that had to reconstruct the templates they followed for their annual graduation ceremonies.

"It's very extensive, the data that was lost," Mistretta said.

Buffalo Teachers Federation President Phil Rumore said the union has requested more information from the district on how its members were affected. He also said teachers want more training into best cybersecurity practices and more time to be able to sign up for IT consulting and monitoring services.

The BTF plans to meet with district officials on the issue in December.

"The bottom line is the transparency," Rumore said. "We want to have more access and quicker access to what exactly is going on, what has been compromised, et cetera, within the guidelines that are required by the federal government."

©2021 The Buffalo News (Buffalo, N.Y.). Distributed by Tribune Content Agency, LLC.