South Florida Sun-Sentinel Palm Beach (Sunday)

District hid massive data breach

Experts alarmed that Broward schools took extraordinary steps to conceal ransomware attacks

By Scott Travis

When the Broward School District learned that hackers may have accessed the personal data of thousands of people from district servers, its response was to hide and delay.

The district took extraordinary steps to keep the public, including 50,000 potential victims, from learning about ransomware attacks that took place from November 2020 to March 2021, a South Florida Sun Sentinel investigation has found.

Among these efforts, the district:

Waited five months to report key information to affected individuals as well as to the U.S. Department of Health and Human Services, three months longer than a federal rule allows. The department is investigating the district’s response.

Alerted the public in November it had conducted its own investigation into the data breach but later said the findings of the investigation were never put in writing.

Used a public relations firm to help dodge questions from the news media and persuade the public that personal data wasn’t at risk.

Rejected a public records request for emails related to the ransomware, with a district lawyer saying “it is not worth any of our time” to review the emails to see if they were exempt under state law.

Lobbied the state Legislature for a law that would keep any cybersecurity investigations hidden from the public.

The ransomware attack and the issues it posed spanned two schools superintendents. Robert Runcie was in charge when the breach happened and hackers posted 26,000 district files online after failed ransom negotiations. Vickie Cartwright, who started with the district in August, was in charge when the deadline to notify the federal government passed, the district’s investigation was completed and when affected employees were finally notified.

Cartwright, who recently was chosen as the permanent superintendent, said there is a reason for the district’s efforts: to avoid exposing the district’s vulnerabilities to those who want to cause more harm.

“That is best practice when it comes to security, because you do not want to expose what and how it occurred because then you’re exposing the potential for someone to repeat that,” Cartwright said. “We’re not going to show the public our security protocols because it only dramatically increases the likelihood of it being done again.”

The school district wouldn’t specifically address why it wouldn’t put the findings of its ransomware investigation in writing.

The district “undertook a time-consuming review of the data that might have been accessed by the unauthorized party” to determine who was impacted, the office of Chief Communications Officer Kathy Koch said in late November.

“Ultimately, the investigation could not identify all of the individuals affected,” Koch’s office said.

The district’s actions raise alarm from some security experts and advocates of open government who say the secrecy appears to be more about protecting the district’s image than its network servers. Their efforts have deprived employees, other agencies and the public of knowing what went wrong and what lessons were learned to prevent a future attack, these experts say.

“Knowing is half the battle,” said Brett Callow, a threat analyst for Emsisoft, a software company that specializes in cybersecurity. “If the security community understands why attacks succeed, steps can be taken to prevent other attacks from succeeding for the same reasons. Information sharing is, therefore, a very good thing. It helps keep everybody safer.”

The delays in releasing details didn’t go over well with many of the 50,000 employees, former employees, students and others who received letters in late November or early December about the breach.

“As someone who’s been a victim of identity theft three times in the past, it pissed me off that the district waited months to say a word about who may have been compromised,” said Jeffrey West, a teacher of the deaf and hard of hearing at South Plantation High.

West said so far he’s not aware of his personal information being misused from this incident.

A ransomware attack

The school district first discovered the data breach on March 7, 2021. After the district learned of the incident, it “secured the systems involved and commenced an investigation,” the school district has said.

On March 9, employees received a notice saying certain programs had been shut down temporarily due to “recently identified cybersecurity risks.” On March 11, the hackers told the district they had personal data of students and employees.

The district had begun receiving media inquiries the morning of Monday, March 8. But the district wouldn’t respond to questions until 7:20 p.m. Friday, March 12, when it would only acknowledge a “service disruption” in a statement issued to reporters.

The district only acknowledged the ransomware attack weeks later, on March 31, after hackers posted a transcript of failed ransom negotiations online, and the district received more media inquiries. On that day, in a message to employees, it encouraged them to stay vigilant by reviewing their account statements and credit reports for any unauthorized activity, while saying there was no evidence at the time that anyone’s personal information had been accessed.

The hackers demanded as much as $40 million, and the district offered $500,000, but no ransom was paid.

On April 19, the hackers posted 26,000 files online, which the district acknowledged in response to reporters’ questions. The Sun Sentinel, after a quick review of some documents, reported that same day that some files contained confidential employee and student information.

But at the time, the district wouldn’t answer questions from the Sun Sentinel about anything related to personal data being breached.

Reporting the cyberattack

The district’s response to the data breach is now being reviewed by federal officials. The U.S. Department of Health and Human Services’ breach notification portal lists the school district among cases currently under investigation by its Office of Civil Rights.

Broward school district officials say they learned June 29 that the hackers had access to employee health plan informatio­n.

Because the breach involved health data, there are federal reporting requirements as part of HIPAA, the Health Insurance Portability and Accountability Act, which was created to protect patient privacy.

If an agency or business believes personal health data of 500 or more people has been illegally accessed, they are required to report this to the Department of Health and Human Services within 60 days, according to the department’s breach notification rule.

But the school district didn’t share the information it had learned in June with the state or federal government, those affected or the public for 154 days: It finally disclosed the full extent of the attack on Nov. 29 through a notice on its website, and reports to the Department of Health and Human Services and state Attorney General’s Office.

That day, the district sent an email about the breach to the Sun Sentinel and started sending out letters to 50,000 employees, former employees, family members of employees and students saying their data may have been compromised.

The district was aware of the federal government’s reporting rules but doesn’t believe it violated federal law, according to a statement from Koch’s office.

“The notification to individuals and to [Health and Human Services] required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified,” the statement said. “That process was complex and took substantial hours. Under the circumstances, notification was made in an expeditious manner.”

A spokeswoman for the federal department said it doesn’t comment on “open or potential investigations.”

A school district shouldn’t hold off on reporting the breach to the federal government just because it hasn’t identified every victim, said Steve Alder, editor-in-chief of the trade magazine HIPAA Journal, who wrote an article this month about health-related data breaches.

“Notifications to the HHS should not be delayed unnecessarily and must be issued within 60 days of the discovery of a data breach, even if the total number of individuals affected is not known at the time,” Alder told the Sun Sentinel.

There are sometimes valid reasons to delay notifications, such as a request from law enforcement, but few agencies have cited this as a reason for the delay when they finally alert the public, Alder said.

The Broward school district reported the incident to the FBI and U.S. Department of Secret Service, school district emails show. The district’s public statements about the breach don’t say whether law enforcement agencies asked the district to delay telling victims.

The potential penalty is fines, but enforcement for late reporting is rare, experts say.

A slow response plan also can lead to investigations by state attorneys general, said Michael Hamilton, chief information security officer for Critical Insight, a Seattle-based cybersecurity company that works with health care organizations and governments.

Hamilton said the Rhode Island attorney general, for example, is investigating a data breach involving a large insurance company and public transit authority.

The transit authority notified the FBI on Aug. 11, but didn’t send notices to the 22,000 people affected or the attorney general until late December, according to the Boston Globe. Rhode Island law requires notification within 45 days.

Florida law is not clear on whether school districts must report data breaches to the state. A spokeswoman for Attorney General Ashley Moody said her office “is aware of this security incident and cannot provide further comment at this time.”

An investigation — but no written report

When the Broward school district finally did issue the required public notice on Nov. 29, it said multiple times the district learned that personal data was breached through an investigation.

But when the Sun Sentinel requested a copy of the investigation report, a school district lawyer said the investigation wasn’t placed in writing.

“Our Office has been advised that while an ‘on-the-ground’ investigation was conducted, no written investigation report was produced by either the district or any outside persons acting on the district’s behalf,” district lawyer Bob Vignola wrote to a Sun Sentinel lawyer on Jan. 12.

The Sun Sentinel later reviewed minutes of a Jan. 10 Technology Advisory Committee, which said a “final report” about the data breach “was received in September 2021.” Vignola then said he reached out to three district employees listed as speakers at the meeting.

“Each has informed me that they have not received a written report regarding the matter ... and that they did not indicate at that meeting that any such written report existed,” Vignola told a Sun Sentinel lawyer on Jan. 31.

This alarmed School Board member Sarah Leonardi, a former teacher who received one of the letters saying her data may have been compromised.

“The fact there is no written investigation report is concerning in the context of how poorly communicated this whole situation has been to both myself as a School Board member and impacted employees and families,” Leonardi said.

Before November, she said she only knew that people’s data was breached, because the Sun Sentinel reported finding confidential information online April 19.

“I would like us to learn from this situation. And the fact that there’s not a written investigative report, it makes me wonder what’s going to happen in the future,” she said.

‘It just leaves the public in the dark’

Doug Levin, a school cybersecurity expert, said school districts “will often share as little as possible” about breaches, “largely out of fear of looking poorly to their community.”

But Broward’s actions are particularly unusual, said Levin, who runs the K-12 Cybersecurity Resource Center to help school districts combat cyberattacks. He said he’s never heard of a school district saying it doesn’t have any kind of written investigative report, regardless of whether it’s made public.

“It’s sort of implying, ‘We don’t need one,’ ” he said.

Virginia Hamrick, a lawyer with the First Amendment Foundation, which advocates for open government in Florida, also questioned the district’s decision to conduct a non-written investigation.

“It just leaves the public in the dark about what was done for the investigation,” Hamrick said. “Was anything done? Who did the investigation and what did they do?”

The Sun Sentinel asked Koch’s office a series of questions on Jan. 18 about the investigation, including what caused the attack, what an “on-the-ground investigation” means, why the investigation wasn’t put in writing and if that could hurt efforts in the future to prevent another attack.

“You have received all the information that is available pertaining to this investigation,” the office responded.

District officials would like the state’s help in concealing information in the future.

They drafted a proposed law, which they shared with the state Legislature, to exempt school districts from having to release cybersecurity investigations to the public. Some state agencies, as well as colleges and universities, already have this exemption.

The district wants to get “those benefits other government entities have and not have to release information that is confidential,” Interim General Counsel Marylin Batista told the Broward School Board in August.

No such bill has been filed in the Legislature, said John Sullivan, the district’s director of legislative affairs.

Downplaying the breach

Without state protection, the school district has taken numerous steps to withhold information about the breach. The district’s decisions to shield information were at least partly guided by the public relations firm, Edelman. The contract was signed by Aston Henry, the district’s director of risk management, with Koch listed as the billing contact.

According to its contract, Edelman’s role was to assist the district with such issues as “crisis communications and reputation risk services related to cybersecurity issues.” London-based Brit-Lloyd’s Syndicate provided public-relations and legal services as part of the district’s cybersecurity insurance.

These services, as well as ones to negotiate with the hackers, recover data, make fixes and provide a year of credit monitoring to potential victims were free to the district after a $250,000 deductible, Koch’s office said.

The breach happened about the same time the district was facing another crisis — a grand jury investigation that had scrutinized the district’s purchase of classroom technology. On April 21, two days after hackers posted 26,000 district files online, Runcie was indicted by the grand jury on a perjury charge, and Barbara Myrick, then general counsel, was charged with illegally sharing confidential information from the grand jury. Myrick resigned in late June, Runcie in early August.

On multiple occasions in April, the district’s communications office shared little except that it didn’t plan to pay a ransom and that there was no evidence that any personal data was breached. Edelman officials provided a daily review of news coverage and advice on how to handle media questions.

“Most concerning, unsurprisingly, is the [Sun Sentinel’s] piece, which casts doubt on the district’s position that no personal data was at risk, and notes there has been no communication with parents,” Aidan Ryan, a crisis and risk administrator with Edelman, wrote to communications manager Keyla Concepcion on April 1.

The Sun Sentinel asked the school district why there hadn’t been widespread public notice similar to when such companies as Amazon and Target faced data breaches.

Atlanta lawyer John Hutchins, of BakerHostetler, a national law firm the district received assistance from, offered advice to Concepcion on how to respond to the reporter.

“On background, maybe someone can explain to him ... that the primary purpose of paying a ransom in an incident like this is to get decryption tools from the threat actor, not to prevent publication of exfiltrated data,” Hutchins wrote April 1. “Also, he doesn’t distinguish between a consumer data breach, like Target, and a ransomware event. The latter is primarily about encrypting data to make it unusable, not about stealing personal information.”

Callow, the Emsisoft threat analyst, disagrees.

“The fact is that when personal information is accessed, it may be used either by the hackers or by other actors who obtain access to it,” Callow said. “There is no way to know whether or when that may happen.”

Hutchins did not respond to requests from the Sun Sentinel for comment, despite multiple attempts by phone and email.

Concepcion never shared Hutchins’ information with the Sun Sentinel. “Less is more with this particular outlet,” Concepcion responded to Hutchins in the April 1 email exchange. “I do believe it would be a slippery slope.”

After a Sun Sentinel reporter kept asking questions that went unanswered for two weeks, Concepcion received advice on April 14 from Ryan. “My initial thought is it would be in the district’s interests to provide a short response here, aiming to put a cap on local coverage by indicating the ‘story’ is effectively over,” Ryan wrote.

“Thank you for your response, Aidan. I completely agree,” said Concepcion, who sent the reporter a response that repeated information already shared and said the district would provide nothing else “in the interest of protecting the integrity of our data security.”

‘It is not worth any of our time’

During April, the school district refused to fulfill a Sun Sentinel public records request pertaining to emails about the cybersecurity attack.

Myrick, the then general counsel, told the school district to deny all emails without reviewing them to see if they were exempt.

“I simply think we should say that any of the emails during this period are exempt from public records under the security exemption,” Myrick wrote to district administrators April 1. “It is not worth any of our time to … pull the emails and for each of us to go through them for the few emails that would not be exempt.”

However, there isn’t actually a specific exemption in the statute related to IT security for school districts.

On April 20, the district denied the request for emails, saying files maintained by a school district’s risk management program — the department that tries to protect the district’s assets and reduce liabilities — are exempt “until termination of all litigation and settlement of all claims arising out of the same incident.”

It’s unclear what litigation the district was referring to. The district did comply in June with a Sun Sentinel request for emails about how the public records and communications offices responded in April to questions from the newspaper.

A search for answers

The school district discussed the breach at length on Jan. 10 during a meeting of its Technology Advisory Committee, which makes recommendations to district administrators and the School Board on how technology is used in the district.

Although these public meetings are normally recorded, the school district chose not to record for this meeting, “due to the sensitive nature being presented,” the minutes said.

The school district’s information technology staff had a good grasp on the data breach and were making fixes required by its insurance company to maintain its coverage, said Beth Anne Carr, chairwoman of the committee. But she said committee members were frustrated with how poorly the school district communicated information with those directly impacted and the public.

District staff informed the committee that many decisions related to disclosure were made by companies hired by the district’s insurance company, Carr said.

Carr told the Sun Sentinel she felt that created competing interests: The insurance company was trying to protect its private interests and reduce liability while the school district’s interest should be protecting employees, students and the public, she said.

“When you’re perceived as someone who is trying to obscure facts, it’s going to make people want to look further,” Carr said. “It draws more attention than if you just say, ‘Here is what happened and who is affected and here is what we’re doing to deal with it.’ ”


FILE: The Broward School District took extraordinary steps to hide key details of a massive cyberattack that affected as many as 50,000 people.
