Date: 2021-03-18
The ransomware attack on the Buffalo Public Schools could have happened to any number of organizations or individuals. The lesson to be learned – that should have been learned long ago – is to be prepared for such intrusions. The task can seem overwhelming, but it’s urgent as entities from hospitals to schools have learned the hard way.
The attack on the city school system left it floundering. For days, it didn’t know when students would be able to return to class, in person or remotely. The district was supposed to have started the second phase of reopening Monday, when another 5,000 students were scheduled to return to the classroom. The attack meant that 30,000 students sat at home, not learning.
School district officials disclosed last Friday afternoon that the district was a victim of a ransomware attack. They had already canceled all remote classes earlier in the day, announcing “an unanticipated interruption to BPS District network systems.”
Ransomware is malicious software that blocks access to the user’s computer system until a ransom is paid. Cyber experts do not recommend paying any ransom. At last report, the district’s chief technology officer wrote in a memo that “ … no demands have been made,” but that the “FBI has found out that ransom may be between $100K-$300K and could be negotiable.”
Superintendent Kriner Cash approved an emergency contract with GreyCastle Security, a cybersecurity service that is helping in the investigation. The FBI is trying to determine how the ransomware infiltrated the school district’s computer system, as well as who is responsible for the cyberattack.
Right now, there are many unknowns, not the least of which is exactly what personal information was stolen from the district's networks, and how this would affect remote and in-person learning.
It shouldn’t be needed, but this incident is another warning to every school district, governmental agency or private business to guard against electronic breaches. Erie County Medical Center was hacked by cyber extortionists who took down 6,000 computers in April 2017. School districts from Toledo, Ohio, to Houston, Texas, to Victor, N.Y., have been targeted.
It is difficult to know what happened to the Buffalo Public Schools. How did the perpetrator break in, what systems were compromised, what information is being held and will it be held, forever, or will some be released?
Moreover, does the school district have a backup, or if that was also infiltrated, does it have a backup to the backup? School leaders across the region are likely asking the same of their own tech experts.
If they aren’t, they should.
In general, districts have enormous liability tied up in preventing the unauthorized release of student information.
The incident is a reminder that this could happen anywhere, anytime. The federal Family Educational Rights and Privacy Act, along with state education law, requires districts to protect student and staff data. Implicit in these requirements is the need to have a plan in place to hold off these attacks. Let’s hope safeguards held strong.
