IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Prosecutors Reviewing Broward Administrator Actions Over Data Breach

Broward prosecutors are probing whether three school district administrators acted improperly when they shared details about a ransomware attack with a private company after withholding it from the public.

A lock formed from lines of red code on top of a silver file folder icon. The background is lines of black code against a white backdrop.
Shutterstock
(TNS) — Broward prosecutors are reviewing whether former Schools Superintendent Robert Runcie and two other former administrators did anything wrong when they used closely guarded details about a district ransomware attack in a private business pitch.

“Prosecutors have received some material from the school district and will review it and decide how to proceed,” said Paula McMahon, a spokeswoman for the State Attorney’s Office.

She said no formal investigation has been launched at this stage.

The district shared little with the public about a massive ransomware attack in March 2021, using an outside public relations firm to help dodge questions and refusing to put their internal investigation in writing.

But Runcie and former administrators Brian Katz and Philip Dunn included many previously secret details in a September 2021 “case study” for Safer School Solutions, a Fort Lauderdale company owned by Katz and Dunn. The report also covered the district’s response to the Parkland shooting and the pandemic.

A few months later, the company secured a $1 million contract from an education groupheaded by Runcie to provide security services at six school districts, none in Florida.

The report detailed how the ransomware attack left 2,000 servers inoperable; how the district put a greater priority on keeping schools open than containing the breach; and how law enforcement encouraged the district to offer, but not pay, ransom to the hackers.

Runcie, who resigned as superintendent in August 2021, is under indictment on perjury charges in a separate case. The Attorney General’s Office of Statewide Prosecution has accused him of lying to a statewide grand jury that investigated school district purchases.

He could not be reached for comment, despite attempts by phone, email and through his lawyer.

Katz was the chief safety and security officer at the time of the ransomware attack while Dunn was the chief information officer. The district refused to acknowledge for three weeks that the attack had happened, confirming it only after hackers posted a transcript of negotiations. On March 31, 2021, the district sent a message to employees encouraging them to stay vigilant by reviewing their account statements and credit reports for any unauthorized activity, while saying there was no evidence anyone’s personal information had been accessed.

The district determined in June 2021 that personal data was accessed but waited until November 2021 to alert 50,000 potential victims that their personal data may have been breached, three months longer than the 60 days allowed by federal law for such notifications.

Several School Board members said the actions of the administrators should be investigated.

“They were not forthcoming with our employees and the media, citing security,” Board member Sarah Leonardi said. “But then to go and use the information for profit doesn’t make sense to me.”

In a recent statement to the Sun Sentinel on behalf of Katz and Dunn, Safer School Solutions denied using any district information improperly.

“The referenced case study document was created for and shared with school district leaders to help them develop strategies to hopefully avoid, but if not, better respond to such incidents and tragedies in the future,” the statement said. “The document was not published or shared with the general public until the Sun Sentinel did so.”

The company report contains no “material information” that had not already been released, the statement said, adding that the authors waited six months after the attack to write about it.

“Information that could not be shared while the District was actively working with law enforcement in an open investigation may be able to be shared once those investigations are no longer active,” the statement said.

The report, which was on Safer School Solutions letterhead, lists Katz, Dunn and Runcie as the co-authors.

Runcie was not paid, according to officials from the company and Chiefs for Change, the education nonprofit that Runcie is overseeing on an interim basis.

Katz and Runcie had already left the district when the report was completed in September 2021, although Dunn was still employed. He left in November 2021.

The report was sent to members of Chiefs for Change ahead of an October 2021 meeting, leading to the $1 million contract with school districts that belong to the organization.

The move irked Nora Rupert, a longtime School Board member who has been a vocal critic of Runcie.

“I would hope that we would keep our information to ourselves,” Rupert said at a Dec. 3 School Board meeting. “When another person that used to work here decides to write about something and that becomes a monetary issue, I have to say, not cool. It does not look good or pass the smell test.”

The Sun Sentinel obtained the report through public records requests to several school districts and published an investigation in June 2022. School district spokesman John Sullivan said at the time that current Superintendent Vickie Cartwright was unaware of the report, and the district would review it.

Asked multiple times over the next few months whether the review of the 12-page report had been completed, Sullivan responded Dec. 2, “The District continues to review the report and related information. After the review, the District will take all necessary actions, which may include referral(s) to other state agencies.”

Interim General Counsel Marylin Batista told the School Board on Dec. 6 that she’d been asked the previous week to take action on the report, and that she and Chief Auditor Joris Jabouin contacted “outside agencies” that she wouldn’t name.

Rupert questioned why it took the district so long to respond, since the Sun Sentinel had alerted the district in June.

“The fact you just found out about it blows my mind because it’s going on for such a long time,” Rupert told Batista at the meeting.

“Clearly we saw it when it came out in the news,” Batista responded. “As far as being asked to take action, I don’t want to share too much information as to what has been done, but it is being looked at by outside agencies.”

©2023 South Florida Sun-Sentinel. Distributed by Tribune Content Agency, LLC.