It was almost one year ago that the Baltimore County Public Schools was hit by a devastating ransomware attack. Classes were canceled. Records were lost. Its computer network had to be rebuilt and fortified.
Questions remain about what happened, and whether the school system is still vulnerable.
It was supposed to be the last day of school before the 2020 Thanksgiving break. School Superintendent Darryl Williams said he was on the phone with staff at 5 a.m.
“I said I don’t know all the details but I know we have to get our students and staff reconnected,” he recalled.
The ransomware attack shut down classes for three days and crippled the school system.
Billy Burke at the time was the school system’s chief of organizational effectiveness. He said it was the lost data that threw people for a loop.
“It just seemed surreal that stuff could be there one day and the next day there was no access to it,” Burke said. “So, I think it took a few days, even a few weeks for people to come to the realization that some things were permanently gone.”
Things like grade books and lesson plans years in the making. Anything stored on a school’s shared drive or on a laptop connected to the school system’s email system was lost.
Burke now heads the union that represents principals and administrators. He said there are new processes and platforms in place that make the system more secure and everyone is grateful for that. But they come with learning curves.
“The fact that the ransomware happened during a pandemic just adds to its impact,” Burke said. “People are already overworked. And working on new ways and new systems. This just now added to that.”
Payroll also took a major hit.
Cindy Sexton, the president of the Teachers Association of Baltimore County, said that still has not fully recovered. Some union members were overpaid. Others are still owed money. She said statements also can be confusing, missing details of what’s included in the paycheck.
Sexton said, “We had hoped that all of those concerns would have been addressed and those problems taken care of, certainly almost a year later.”
Sexton said a recent survey found that more than 460 members of the union are owed money. Superintendent Williams said they are working with the union to straighten that out.
One year later, authorities still are not talking about what happened. The FBI declines to comment saying the investigation continues. The Baltimore County Police Department isn’t talking either.
When Superintendent Williams is asked whether a ransom was paid, he said the school system’s money is being used to rebuild and restore the system. When told that sounds like a “no” to paying ransom, he responded, “That sounds like a no? You’re a smart man.”
Mychael Dickerson was Superintendent Williams’ chief of staff at the time of the attack. He said the school system turned that issue over to experts who deal with ransomware demands.
“I’m not aware that any ransom was paid,” Dickerson said.
Following the attack, Dickerson credits Jim Corns, the executive director of information technology for the county schools, for quickly backing up what they could and getting instruction up and running.
“I think his quick action, quick thinking is really what saved the school system from even more of a catastrophe than it was,” Dickerson said.
The school system denied WYPR’s request to interview Corns.
The most recent cost of the ransomware attack the school system provided WYPR is $8.1 million. That was as of May 14. The school system would not provide updated figures of the cost.
In the days and weeks that followed the attack, county officials lambasted the school system for not saying more about what had happened. Efforts by both County Executive Johnny Olszewski and the County Council to gain more oversight of the school system failed. One of its harshest critics has been Democratic Councilman Tom Quirk.
“The transparency of the school system has been lacking and it’s disappointing and quite frankly I don’t think the leadership has been doing much in that effort at all,” Quirk said.
Two weeks after the attack, Olszewski sent Superintendent Williams a letter that was sharply critical of the lack of information coming out of BCPS. Today, Olszewski is more conciliatory.
“I know that a lot of the systems that have been affected have been repaired largely, and anything that is outstanding we continue to stand ready to work with the school system and those impacted to try to find a solution for anything that’s remaining,” Olszewski said.
In that same letter, Olszewski claimed that the attackers had been contacted by either BCPS or a third party. He went on to criticize the school system for not letting law enforcement know about the contact.
When asked about that now Olszewski said, “In the moment I think I was seeking clarity on the circumstances surrounding the attack in its entirety. I’ve since been shared that information. But to the extent the details are there, I would encourage the school system to work with you to provide that.”
When asked about that, Superintendent Williams said whether to contact the attackers was left to those investigating the crime.
“And if it meant they reached out to certain people and they collaborated, we allowed them to do that part,” Williams said.
School board member Moalie Jose said she’s asked Williams to update the board later this month on the ransomware attack.
“In terms of mitigation efforts, what we’re doing to prevent future cyberattacks,” she said.
A consultant’s report released in September raised a red flag about that, saying BCPS is still vulnerable because it is not adequately staffed to deal with the threat. Williams takes issue with that.
“I think we have much better coverage based on what we’ve learned through this experience and then what we want to do moving forward.”
Williams said he is open to the consultant’s recommendations on how to improve security, which include paying for an outside cyber security service provider and working more closely with the county.
Councilman Quirk remains skeptical.
“I’m not convinced that enough has been done, unfortunately.”
According to the K-12 Cybersecurity Resource Center, which tracks cyberattacks across the country, Baltimore County was one of 50 ransomware attacks on public schools in 2020. If you include other incidents, like phishing, data breaches and meeting invasions, there were more than 400 cases.
This is a cautionary tale according to Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute. He said attacks against computers from personal laptops, to schools, to businesses are at a crisis level.
Dahbura said, “We all need to learn from the county school system experience because it’s happening every day, all over the place.”
He said be sure to take some basic steps to protect yourself, like strong passwords and off-site backups.