The investigative report published Monday places the school system partially at fault for the hack that disrupted school operations days before the Thanksgiving holiday in 2020, when all instruction and school board meetings were taking place online due to the coronavirus pandemic. The report offers new details about the cause of the attack, the total cost of recovery and actions taken by the Baltimore County school system prior to the incident.
Baltimore County spokesperson Charles Herndon declined to comment on the report Monday. Superintendent Darryl L. Williams announced Monday he would not seek another four-year contract with the school system.
Inspector General for Education Richard Henry opened the investigation into the ransomware attack after receiving a complaint alleging the state’s third-largest school system had disregarded cybersecurity recommendations made by the Maryland Office of Legislative Audits. The complaint also alleged the system was not prepared for the cyber attack and failed to protect the personally identifiable information of students, staff and system retirees.
The school system’s networks experienced catastrophic disruptions Nov. 24, 2020, about 15 days after a phony college official sent an email containing a bogus invoice attachment to a Baltimore County education professional, according to investigators.
When the staff member was unable to open the email, which was formatted with a recognized email address and extension, they contacted a tech liaison, who deemed the message suspicious and forwarded it to a security contractor for the school system’s department of information technology.
The unnamed contractor mistakenly opened the attachment using an unsecured Baltimore County schools email domain instead of a secured email. Opening the attachment allowed the malware to penetrate the school system’s IT network. Investigators found the antivirus software being used at the time was unable to detect the malware program used in the cyber attack and that the file was not configured in a known identifiable format.
The malware was also designed to delay its damage to avoid immediate detection, allowing it to systematically disable critical functions within the school system network that could have prevented the attack.
Investigators acknowledged that Baltimore County schools’ IT employees took immediate action once they determined the network was compromised. However, investigators found that prior to the attack, the school system had not relocated its publicly accessible database servers — despite Maryland Office of Legislative Audits recommendations to do so in 2015 and in 2020.
The latter audit’s findings were delivered to the school system Nov. 19, 2020, just days before the cyber attack. Investigators say the malware had already been delivered by the time the report was made public.
In the days and months following the crisis, Baltimore County school administrators took heat from the public, employees and county government officials for a perceived lack of transparency and communication about the incident. Investigators found that federal law enforcement had asked school system IT staff not to discuss the cyber attack with any other entity, including local officials. And school staff were told the FBI would coordinate with local law enforcement due to the seriousness of the cyber attack, according to the inspector general’s report.
Meanwhile, the school system was working to recover crucial information using backup files, which were not corrupted in the attack. Still, some of the files related to human resources and payroll were found to be unreadable or damaged. School system leaders instead turned to a backup file that was about a year old and did not include personnel, payroll or benefit changes made before the cyber attack.
While officials worked to recover the files, the system relied on outdated information regarding deduction rates, statuses and income levels for payroll, tax deductions, benefits and other details affecting employees and retirees.
More than two years after the cyber attack, the school system has deployed an array of new security measures, including multi-factor authentication standards for all staff, improved firewall technology and enhanced device protections to detect and prevent malware. The school system has also migrated “essential” network functions to an encrypted, cloud-based service and carried out security updates to ensure devices receive real-time security patches.
The total cost of the school system’s emergency recovery efforts, system upgrades and new security measures has topped $9.682 million, the report states. The OIGE noted that the Baltimore County school system has since trimmed about $1 million from IT operating expenses because of the upgrades.
The report also includes seven recommendations related to data protection, cyber attack prevention and recovery plans. It calls on school system executives to develop a process to immediately resolve benefits and payroll irregularities for staff and retirees resulting from the outdated backups.
Copies of the report are being delivered to the governor, General Assembly, State Board of Education and State Superintendent of Schools. The Baltimore County school system is expected to submit a formal response to the investigators’ findings in the coming months.
Cyber attacks have plagued a number of local governments, state agencies and school systems in Maryland in recent years. A ransomware attack on Baltimore City government in May 2019 cost the city millions in recovery expenses and lost revenue. A cyber attack downed the Maryland health department’s COVID-19 data dashboard in Dec. 2021 during a dangerous surge of the virus’ omicron variant. Prior to the attack on Baltimore County schools, state audits routinely found cybersecurity problems in other school systems around the state.
The Maryland General Assembly passed legislation during its 2022 session aimed at helping state and local governments better prepare for and protect themselves from cyber attacks. The law created a centralized Maryland network and provided funding for local governments to afford cyber attack preparedness.
©2023 Baltimore Sun. Distributed by Tribune Content Agency, LLC.