The system was down for weeks.
Paychecks had to be written by hand.
In some cases, employees were overpaid — which meant districts had to warn workers that they would be required to repay any overages.
Other employees were underpaid.
Mileage and other reimbursements could not be processed.
There were concerns that employee data may have been breached, which prompted County Schools to offer free credit monitoring to employees.
"I did it out of an abundance of caution," County Schools Superintendent Jim Brescia told the Board of Education.
Law enforcement — including the FBI — was notified, along with employees.
But the general public was largely oblivious to the extent of the breach.
SAN LUIS COASTAL HIT BY SEPARATE CYBER ATTACK
Cyber attacks on schools are common, and districts often downplay them — if they release any information at all.
SLO County's Office of Education did not issue a public statement, though officials did provide some information to a Tribune reporter who was acting on a tip.
The San Luis Coastal Unified School District was hacked in May 2022, but it wasn't reported by the media until October, when EdSource — a statewide, online publication — picked up on it.
Local media were never notified of the attack, though Ryan Pinkerton, assistant superintendent of business services, said he would have responded to questions had he been asked — as he did with EdSource.
The attack, he said, was resolved so quickly that many in the district weren't even aware of it, though employees were later informed of the breach and offered a year of free credit monitoring.
"The situation happened. They hit us. We dealt with it. We were able to get right back up," Pinkerton said.
EdSource identified the hacker as Vice Society, a crime syndicate based in Russia. A ransom was demanded, though Pinkerton said he didn't know the amount. In any event, he never would have paid it, he said, even if it was just $10.
Months after the attack, some data stolen from the district — including some employees' Social Security numbers — was posted on the dark web but was taken down by a cybersecurity service, Pinkerton said.
He wasn't aware of any identity theft issues resulting from the breach.
"We were super fortunate. That's why it really didn't get out," he said. "Within an hour we had our system running."
COUNTY SCHOOLS SYSTEM WAS DOWN FOR WEEKS
It took much longer for the County Office of Education to bring its system back online.
On July 12 — a month after the breach was discovered — Brescia emailed educators to let them know the computer system had been successfully restored.
"The team is completing full data backups and finalizing additional security protocols," he wrote.
Still, from the start there have been suspicions that the public isn't getting the whole story.
The County Office of Education has said as little as possible about the breach; it's been treating it as a "move-on-there's-nothing-to-see-here" situation.
Even though it's been resolved, questions remain:
- Who was responsible?
- What upgrades have been made to prevent a repeat?
- Was a ransom demanded and, if so, was it paid?
Brescia has not commented on a ransom, nor would he say how much this breach would wind up costing the district in overtime and other expenses.
"It's going to be expensive," he said in a telephone interview.
"It's all going to have to come out of our reserves," he added.
NEED-TO-KNOW BASIS
A bill signed by the governor last year — AB 2355 — requires schools to report cyber attacks to the state's cybersecurity team, but it only applies if more than 500 students or staff are affected.
Other than that, there are no reporting requirements — even though the public has a stake in what happens at our schools.
So why the silent treatment?
It's understandable that public agencies would not want to appear vulnerable to security breaches, but when officials seem to be hiding something, that undermines public trust.
It also leads to speculation.
For instance, following the cyber attack on County Schools, there was a rumor floating around that student data had been breached.
It wasn't, but that's not as far-fetched as it might seem.
A 2022 ransomware attack on the Los Angeles Unified School District — also attributed to Vice Society — exposed approximately 2,000 student assessment records, according to the Los Angeles Times.
The 74, an education news site, had more disturbing information: The leaked information included student psychological records that were published on the dark web by the "Russian-speaking ransomware gang Vice Society."
Is it any wonder, then, that the very word "cyber attack" conjures up images of bad actors out to wreck lives?
The lack of transparency, first by San Luis Coastal and now by County Schools, is disappointing.
Reporting incidents such as these serves as a wake-up call — a reminder that no organization is safe from cyber attacks.
It can help the public understand why it makes sense for government agencies to invest in cybersecurity.
And it can dispel the notion that school districts are not being upfront with the public, triggering speculation that school districts may be trying to hide other things as well.
If they want to inspire confidence, school officials will stop trying to downplay cyber crimes and proactively alert the public to security breaches — no matter how minor they may seem.
©2023 The Tribune (San Luis Obispo, Calif.). Distributed by Tribune Content Agency, LLC.