When ransomware hit the Buffalo Public Schools in March, the district told students and families that investigators had not determined that any personal information had been exposed.
Two months later, investigators have found that such information was exposed.
Personal information about an unknown number of students, parents and employees has been exposed, along with bank account information for an unknown number of vendors, the district revealed in recent letters.
Student names, district ID numbers, birthdates, grade levels, schools, addresses, phone numbers and parent names were among the information exposed in the attack, according to a letter sent May 7 to families by Kroll, a security consulting firm, on behalf of the district.
The school district did not respond to questions Sunday regarding how many individuals’ information had been exposed and when the district became aware that personal information had been exposed.
Buffalo Public Schools is the latest victim in a growing number of cyberattacks targeting school districts across the U.S.
“The FBI is still looking into our cyberattack as part of a larger group of investigations,” district spokesperson Elena Cala said in an email. “Therefore, the district will not be commenting further on this matter at this time.”
The hackers also accessed students’ demographic information, including gender, race and ethnicity, special education status and primary language. Parent and guardian names and addresses were also exposed.
Social Security numbers, though, were not exposed, according to the letter.
Teachers also received letters last week alerting them to the breach of information.
And the Buffalo Public Schools notified vendors in a letter May 11 that bank account information for wire transfers was among the information exposed in the cyberattack, along with federal tax identification numbers, email addresses and contact information.
In March, after the district was hit by ransomware, classes were canceled for a few days until the district could restore the functionality of key systems, equipment and applications that had been targeted.
A few days later, Superintendent Kriner Cash sent a letter to district employees saying that “at this point, our lead investigative consultant and the FBI have not determined that there has been an exposure of personally identifiable information.”
In mid-March, the district hired GreyCastle, a cybersecurity firm, for $40,000 to work with law enforcement agencies to investigate the attack.
On Sunday, Cala declined to say whether the district ever received a ransom demand. She also declined to say whether the district had recovered any of the information that had been targeted.
Families have been offered free fraud consultation and identity theft restoration services from Kroll for one year. Vendors have been offered Kroll’s services to provide call center support for three months, according to the letter that was sent to vendors.
Cala declined to say when the district hired Kroll.
“The district engaged with Kroll for the purpose of notifying students, staff and vendors in the event that their information may have been compromised, as well as offering the appropriate monitoring services,” she said.
“The amount that the district will pay Kroll is dependent on the number of people who take advantage of their services.”