A South Florida school district that suffered a ransomware attack earlier this year acknowledged Monday that it’s sending breach notification alerts to students and staff whose personal information may have been stolen in the incident.
Broward County Public Schools is in the process of sending notices to about 50,000 people that their data may have been exposed in the March 7 attack. At the time, district leaders were mum when asked if the ransomware attack had resulted in the theft of any sensitive data.
With about 270,000 K-12 students and 15,000 teachers, Broward is the second-largest public-school system in Florida and the sixth-largest in the United States.
The cyberattack was acknowledged in early March, when affiliates of the Conti ransomware outfit — which has also targeted health providers in the United States and around the world — seized up the district’s computer systems and demanded a $40 million payoff, a figure far greater than other ransom demands thrown at public-sector victims.
While school officials said they would not pay, they remained quiet for months about other details of the incident, including whether it became a “double extortion” event, in which hackers steal data and threatened to publish it on a leak site if their demands were not paid. According to the South Florida Sun-Sentinel, the district hired advisers who counseled against publicizing the costs of recovering from the attack, particularly after Baltimore County Public Schools in Maryland spent upward of $8 million after a ransomware incident last year.
But the notification being sent out by Broward County Public Schools confirms data was published.
“On April 19, 2021, the investigation revealed certain records stored on the District’s systems had been acquired and publicly released,” the notice reads. It also states that it became clear in June the stolen records included individuals’ names, Social Security numbers, dates of birth, health-insurance information and employee benefits information.
The notice also reveals that the actors behind the attack infiltrated district systems as early as November 2020.
In addition to sending the notice to some people directly, Broward officials wrote they were making the notice public to all and offering free credit-monitoring services to anyone whose data was affected.
The education sector remains a frequent target for ransomware actors, with nearly 80 U.S. school organizations hit this year, according to the antivirus company Emsisoft. In October, President Joe Biden signed legislation ordering the Department of Homeland Security to review the cybersecurity risks faced by school districts and develop guidelines for how those organizations can combat ransomware threats.