South Florida Sun-Sentinel Palm Beach (Sunday)

What to do now after data breach revelation

- South Florida Sun Sentinel

A ransomware attack against the Broward school district is leaving 50,000 people wondering if they could be the next victim of cybercriminals.

The hackers, part of the international criminal group Conti, hijacked Broward’s servers, including purchasing, accounts payable and employee benefit systems, demanding $40 million in ransom in March to prevent personal information from being revealed. The district agreed to pay $500,000, but the hackers refused the offer and released 26,000 district files on a public website April 19.

The school district sent out notices this past week to students, employees and former employees saying an investigation from June revealed that criminals posted their personal information, in many cases Social Security numbers, on a publicly available website.

Such attacks can make people more vulnerable to thieves trying to take out loans or credit cards in the victim’s name, experts say, and also more prone to phishing attacks, with criminals trying to lure victims onto unsafe websites or into sharing their passwords.

So far, district officials say they have not received reports of anyone who’s been the target of identity theft as a result of the breach, which happened between November 2020 and March 2021.

But experts say people may not know their identity has been stolen until they receive a call from a financial institution or get a notice from someone claiming they are owed money. The district is offering free credit monitoring and identity theft protection service for a year to anyone affected.

Tips for victims

Experts say there are several important steps for people to take if they feel they’ve been compromised.

■ Update passwords and set unique ones for each website, preferably using multi-factor authentication where sites confirm passwords through a text or an app.

■ Monitor your financial accounts for any fraudulent activity and be aware of accounts being opened in your name.

■ Enter your email or phone number on the website haveibeenpwned.com to see if your personal information has been compromised.

■ If you suspect fraud, check your credit report with the three consumer credit reporting agencies (Equifax, Experian and TransUnion) to identify suspicious behavior and potentially issue a credit freeze. The free site annualcreditreport.com is letting users check their reports weekly through April 20.

Many organizations attacked

Since the start of 2020, ransomware gangs have stolen data from more than 3,500 organizations and posted it online, said Brett Callow, a threat analyst for the technology group Emsisoft.

There are consumer laws that protect people from these types of scammers, “but it is quite stressful and sometimes quite time-consuming to take care of everything,” said Doug Levin, who runs the K-12 Cybersecurity Resource Center to help school districts combat cyberattacks. “If you are trying to purchase a home, you might lose the opportunity because it could take weeks or months to address the identity theft.”

District response

The district turned the case over to the FBI and has been contracting with an outside cybersecurity company, an Atlanta law firm, a public relations firm and a credit monitoring service to help it deal with the attack and the fallout. The district said these costs have been handled by its insurance company after a $250,000 deductible.

Experts criticized the school district for its slow response in informing those affected. The school district learned that at least some employee and student data was compromised in June but only informed those affected this past week.

“In my personal opinion, within 72 hours, you’re obligated to them, ethically speaking,” said Chester Wisniewski, principal research scientist for Sophos, a global cybersecurity company that monitors ransomware threats. “It’s not a law or a rule,” he said, “[but] waiting months is very bad. It’s just more time you’re not being able to fight against your data being abused.”

The district said it was a time-consuming process to identify everyone affected, and “ultimately, the investigation could not identify all of the individuals affected,” according to a statement from the office of Chief Communications Officer Kathy Koch.

Anna Fusco, president of the Broward Teachers Union, said the ransomware attack alarmed teachers when they first learned of it in March. At that time, the district said it was unaware that any personal data had been breached.

“No one wants their personality stuff hacked. Everyone was concerned,” she said. “The district made it sound like it was not a big deal.”

Julia Skelton retired as a Broward schools teacher in 2019 but is still on the district’s insurance plan. She received a note at her home in South Carolina this week saying her data was exposed. She said it was disappointing that the district waited so long to inform her.

“I was very shocked to receive this letter, since I no longer live in Florida and I was not aware of the situation,” Skelton said.

Credit monitoring

Skelton said she doesn’t believe her Social Security number has been compromised — she refinanced her home in August and nothing suspicious came up. She is, however, taking advantage of the district’s offer for a one-year membership with Kroll Identity Monitoring.

David White, Kroll’s global head of breach notification, declined to comment specifically about its agreement with Broward. But he said in a statement that in general, the company monitors a customer’s credit, notifies them of potential problems and helps them resolve the problem.

“This full suite of services ensure that when an incident occurs, our experienced and knowledgeable experts can guide clients through the best and most proportionate response to minimize the impact to victims’ identities and their reputational damage,” White said.

Types of files

Most of the data released by the hackers did not appear to contain employees’ or students’ personal information, a review by the South Florida Sun Sentinel found. Much of it was public record, such as purchase orders for supplies and employee mileage reimbursements.

But there were files that contained sensitive information, including the names and Social Security numbers of employees receiving criminal background checks and the names, dates of birth and Social Security numbers of employees on the district’s health insurance plans.

While the Sun Sentinel didn’t identify any student databases breached, it did find some student names and personal information included in purchase orders, such as when the district paid vendors for services for students with disabilities.

It’s also not clear if all the personal data the hackers collected is available on its public website.

The hackers added to the confusion by writing on their website, “If you are a client who declined the deal and did not find your data on cartel’s website or did not find valuable files, this does not mean that we forgot about you, it only means that data was sold and only therefore it did not publish in free access!”

The documents that are online have been viewed 121,607 times as of Friday, the hackers say on the website.

“Whether it has 100,000 views or 100 views, the damage is done,” Levin said. “A good chunk of those visiting the Conti site are doing so with malicious intent.”

Factors reducing risk

The situation may not be as dire as some fear, said Wisniewski, noting that Conti, which is believed to operate overseas, hasn’t been known to sell personal data to criminals.

“They use the data as a bargaining chip” for ransom, Wisniewski said. “They talk big, but it’s not really clear there’s any bite behind their bark.”

Although the hacked personal information is online and freely available, it’s not cataloged in a way that’s easy to find, he noted.

“When it’s scattered in small amounts, it’s not worth the time of most criminals,” Wisniewski said, saying they’d rather buy easy-to-read lists.

However, Levin said criminals can run computer scripts that can extract Social Security numbers, dates of birth and other valuable information from documents.

Avoiding future attacks

Broward school officials say they are also taking steps to try to prevent future cyberattacks.

“To help mitigate additional security breaches, the District has enhanced security staff training, is engaging in the recruiting and hiring of additional cybersecurity staff, and has worked with vendors to harden the District’s technology infrastructure,” Koch’s office said in a statement.

This year, the School Board approved an additional $2.5 million for firewall upgrades to increase security.
