In May 2020, the Baltimore County Public School system suffered a cyber attack that caused the district to shut down its computer systems, including email and internet access. The attack was later identified as a ransomware attack, resulting in the district losing access to critical data, including student records and staff information.
The attackers demanded a ransom payment of $75,000 in bitcoin to restore access to the locked data. The district refused to pay the ransom based on advice from law enforcement authorities, and instead decided to restore its systems from backups. The recovery process took several weeks and resulted in a significant amount of data loss due to backups containing unreadable and damaged files.
On January 23rd, 2023, an Investigative Report was released detailing its findings on the attack.
The breach was identified as a phishing attack via email, which was addressed to an official member of the school’s faculty.
The email impersonated a college official and contained an attached file appearing to be an invoice. The email format “seemed legitimate” as it used a recognized email address and extension. After the recipient was unable to open the attachment, the email was sent to a security contractor, who mistakenly opened the email with the attachment using their unsecured Baltimore County Public School email domain account, not their secured email domain. Opening the attachment in the unsecured environment delivered the undetected malware into the school system’s IT network.
According to the report, the Baltimore County Public School allegedly ignored several recommendations made by the Maryland Office of Legislative Audits (OLA): “The OIGE did substantiate that at the time of the cyberattack, the BCPS had not relocated their publicly accessible database servers as recommended by the OLA. Following the attack, BCPS migrated its database servers into a cloud-based (encrypted) environment.”
According to the report, the cost to recover from the attack, implement system upgrades, and migrate to a new platform has exceeded $9,682,437 million.
The incident highlights the importance of having robust cybersecurity measures in place—including regular backups—and the ability to quickly detect and respond to cyber threats. BCPS had not fully migrated to the cloud, despite recommendations from the Maryland Office of Legislative Audits.
Using the cloud can be more secure than on-premises solutions for several reasons:
School systems are often the victims of cyber-attacks for several reasons: lack of resources, limited budgets, remote access, outdated systems, and insufficient security awareness, to name a few. They also hold large amounts of sensitive data which can be easily monetized by cybercriminals. We go into detail on cyber risk in the education sector, here.
ContraForce provides free security monitoring for anyone in the education space, including public and private K12 institutions, higher-ed, EdTech, or anything in between. Reach out to us to get started at email@example.com