About 50,000 students and employees may have had their personal info stolen. They’re getting told now.
South Florida Sun Sentinel | By Scott Travis | November 30, 2021
About 50,000 students and employees are now being notified by the Broward school district that their personal data may have been breached during a ransomware attack months ago.
The school district — which initially said it was unaware of any student or personal data being compromised — confirmed during an investigation in June that it likely did happen. The district publicly announced on its website Monday that those affected were now receiving written notifications.
The district publicly disclosed for the first time Tuesday the vast extent of the breach. The school district has been secretive for months about this ransomware attack, which happened between Nov. 12, 2020, and March 6, 2021, often relying on the advice of a lawyer and public relations company it hired.
The hackers demanded $40 million to access locked files, but district officials said in April they wouldn’t be paying a ransom.
“This notice is to inform you that the March 7, 2021 security incident that resulted in unauthorized access to some Broward County Public Schools systems may have potentially included the sensitive information of some faculty, staff, and students,” the Monday posting says.
The incident led to a few hours of disruption in education for students who were learning at home during the pandemic in early March, until the district was able to determine student academic software hadn’t been breached.
The notice published Monday says that on June 8, the district determined that some information publicly released included individuals’ names and Social Security numbers.
Further analysis on June 29 determined that the data “may include information relating to our self-insured health plan, including individuals’ names, dates of birth, Social Security numbers, and benefits selection information.”
“The District is now providing written notification to the affected individuals,” the notice says. “In an abundance of caution, BCPS is also posting this notice to inform the public … about the extent of this incident and provide recommendations on ways to protect personal information. The District is also offering complimentary credit monitoring, by request, to those affected.”
The decision to release the information now instead of in June has raised concerns.
“I’m not exactly sure why it came out now. It does seem odd,” said Debbi Hixon, a Broward School Board member.
In a statement Tuesday, the office of Chief Communications Officer Kathy Koch said the district “worked diligently to investigate the incident, determine how the incident occurred, and attempt to identify individuals whose data may have been compromised.”
The district first secured its systems and started an investigation and then “undertook a time-consuming review of the data that might have been accessed by the unauthorized party and engaged in further effort to attempt to determine precisely whose data was involved and notifying those individuals. Ultimately, the investigation could not identify all of the individuals affected.”
The district should have let those affected know about this sooner, said Brett Callow, a threat analyst with the technology company Emsisoft.
“When data is compromised, it puts affected individuals and businesses at risk of identity theft … fraud and other scams,” he said. “If those individuals and businesses are promptly notified as to what’s happened, they can take steps to protect themselves. If they’re not notified, they have no way of knowing they may be in the crosshairs of cybercriminals.
“Bottom line: Speedy notifications can stop one crime from becoming many,” Callow said.
The district, with the help of security consultants, has remained tight-lipped about the attack, refusing to turn over investigation findings or answer many of the Sun Sentinel’s questions.
Prior to Monday’s post, the school district had refused to acknowledge that student and employee data was breached, even after a Sun Sentinel reporter found a few examples in April of personal data shared on materials posted publicly by hackers with the international malware group Conti.
“At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident,” the communications office wrote on March 31, declining to provide updates prior to this week.
On July 31, the Sun Sentinel submitted a public records request for the results of any investigations into the cyber attack. Records clerk Requel Bell replied on Aug. 10, “I have received a final response, ‘There have been NO Reports provided for the cyber/ransomware incident.’”
Emails obtained through other public records requests showed the school district was using John Hutchins, an Atlanta-based cyber-security lawyer, and Edelman, a large public relations company, for advice on ways to avoid answering questions and to control the story.
Karmina Zafiro, an Edelman PR official, encouraged district officials March 31 not to provide the media with the costs of the investigation. A similar attack in Baltimore County Public Schools cost about $8.1 million, Fox Baltimore reported.
“Would the cost be eventually revealed in any public financial statements? Sharing a number could turn into a story in itself, so I would caution against responding with a number,” Zafiro wrote to district public relations manager Keyla Concepcion. “But if that information will be disclosed at some point, we have to be careful about how we decline to state the information.”
When a reporter asked questions that went beyond the district’s initial statement about the cyberattack, Zafiro wrote, “Our recommendation would be to let these follow‐up questions go. The reporter has received a response, there’s no benefit to expanding on the statement.”
“Agree with your comments. No communication took place with the reporter,” Concepcion wrote.
After a Sun Sentinel reporter kept asking questions that went unanswered for two weeks, Concepcion received advice from Aidan Ryan of Edelman on April 14.
“My initial thought is it would be in the district’s interests to provide a short response here, aiming to put a cap on local coverage by indicating the ‘story’ is effectively over,” Ryan replied to Concepcion.
Ryan encouraged district officials to repeat messages already shared and to inform the Sun Sentinel it would not share any further information “in the interest of protecting the integrity of our data security.”
Correction: An earlier version of this news article incorrectly stated when a data breach in Broward schools occurred. The ransomware attack took place between Nov. 12, 2020, and March 6, 2021, and the investigation took place in June.