Sun Sentinel Palm Beach Edition

Broward schools hit by hackers

International malware group demanded up to $40 million

By Scott Travis

Computer hackers attacked the Broward County schools this month, demanding as much as $40 million in ransom to prevent personal information about students and teachers from being published, according to a transcript the hackers released online.

Hackers with the international malware group Conti posted a transcript March 26 of what they say is a two-week negotiation with a representative from Broward schools. The hackers started with an offer of $40 million and later reduced the demand to $15 million and then $10 million.

The unidentified district representative counter-offered with $500,000, which appeared to end negotiations, the transcript shows.

“We have no intention of paying a ransom,” the school district said Wednesday in a statement from the office of Chief Communications Officer Kathy Koch. The district did not confirm or deny the authenticity of the transcript.

The statement said the district is working with cyber-security experts to investigate what happened and restore systems, and that effort is going well.

“At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident,” the statement from Koch’s office said. “If the investigation uncovers any compromised personal data, the district will provide appropriate notification to those affected.”

Although any postings from criminals should be viewed with skepticism, school cyber-security expert Doug Levin and others say there’s a good chance the chat is authentic.

“It doesn’t paint the Conti group in a great light, demanding money from a school district,” Levin said. “There’s certainly no honor among a thief targeting a school district.”

Levin said that when a breach like this happens, people should assume that personal data is at risk.

“If I were a parent, student or employee in the district and I’d been assured there’s nothing for me to worry about, there’s evidence to suggest the contrary,” said Levin, national director of K12 Security Information Exchange, a nonprofit group based in Virginia that assists school districts facing cybersecurity threats.

He said children’s data is often valuable to thieves because they can establish credit using their names without anyone noticing.

The hackers told the district they do have personal data, according to a transcript that began March 12, five days after hackers attacked the district’s computers and caused a temporary shutdown of most systems. The hacker responded after a representative from the district asked how to retrieve the data.

“The bad news is that we hacked your network and encrypted your servers, as well as downloaded more than 1 terabyte of your personal data, including financial, contracts, databases and other documents containing [social security numbers], addresses, [date of birth] and other information about students and teachers,” the hacker wrote.

The hacker then said the information could be retrieved for $40 million, a price that flabbergasted the district representative.

“I am ... speechless. Surely this is a mistake? Are there extra zero’s in that number by mistake?” the person asked.

The hacker responded that a review of school records showed revenues of more than $4 billion “so it is a possible amount for you.”

“I am so confused. This is a PUBLIC school district. public, meaning it is free for students to attend,” the district representative wrote. “You cannot possibly think we have anything close to this!”

“What is your position?” the hacker asked.

“My position is shock and horror that anyone thinks a taxpayer-funded school district could afford this kind of money!”

The price would be dropped to $15 million if the district agreed to pay within 24 hours in bitcoin, the hacker said. The district representative argued that it was the weekend and banks were closed.

“We don’t have bitcoins! This is a school district. No one here uses a cryptocurrency,” the representative said. “This is a weekend and we could not even pay you $10 today let alone millions when our bank is closed.”

The conversation continued for two weeks, with the district representative pleading to lower the price. On March 26, the hackers lowered their price to $10 million, which the district official said was still unreasonable.

“You attacked a school district that only has money sent to us by the government. We make no profits or anything like that. We have approval to offer $500,000, but the price ranges you started with are too far off for a taxpayer funded school,” the representative said.

The conversation ended at that point.

Koch’s office did not respond to questions about why the $500,000 figure was chosen. Under district policy, $500,000 is the maximum the district can pay without School Board approval in a public meeting.

“I’m sure that figure was chosen intentionally,” said Levin, the security consultant. “If the chat log is accurate, they made the calculation they were willing to pay that money to have it go away.”

The district made no public comments about the ransomware incident until Wednesday, after the South Florida Sun Sentinel asked questions about the transcript. Ashton Henry, director of risk management, sent a note to employees Wednesday afternoon saying a March 7 disruption “was caused by unauthorized activity on our computer network. Our security team enacted our incident response plan and promptly took steps to contain this incident and secure the network. We contacted law enforcement and immediately began an investigation.”

“Your confidence and trust are important to us and we regret any inconvenience or concern this incident may cause,” Henry wrote. “We have already implemented additional security measures to enhance the security of our network, including deploying endpoint threat detection and response tools.”

As of Wednesday evening, no notice had gone out to parents about the threat.
