The Maryland School Inspector General said the Baltimore County school system did not have adequate security for its computer network servers, despite several warnings from the state in the years preceding the 2020 devastating ransomware attack. said it was unable to provide
An investigative report released Monday disrupted school operations ahead of the 2020 Thanksgiving holiday, when all school board and school board meetings were held online due to the coronavirus pandemic. The report provides new details about the causes of the attack, the total cost of the restoration, and the steps taken by the Baltimore County school system prior to the incident. Offers.
In a statement Tuesday night, county school spokesperson Charles Herndon said the report found the system was “years ahead” of other school systems in terms of cyber defenses. Said it shows restoration work.
“Superintendent Darryl Williams, in the school system’s first operating budget proposal, made a notable effort to address the system’s technical infrastructure needs in advance of a cyberattack. No funding was provided,” Herndon wrote in an email.
“School systems are victims and, like many other school systems, governments and healthcare organizations across the country targeted in sophisticated cyberattacks against critical technological infrastructure, the perpetrators who facilitated the attacks are to blame. . ” He said.
Williams announced Monday that it will not seek another four-year deal with the school system.
State Education Inspector General Richard Henry has launched an investigation into a ransomware attack after allegations that the state’s third-largest school system ignored cybersecurity recommendations from the Maryland Office of Legal Comptroller. The complaint also alleges that the system was unprepared for cyberattacks and failed to protect the personally identifiable information of students, staff and system retirees.
Investigators said on November 24, 2020, about 15 days after fake university officials sent emails with fake invoices to education experts in Baltimore County, the school system’s network was in catastrophic chaos. experienced.
When personnel were unable to open an email formatted with a recognized email address and extension, they contacted technical personnel. Technical personnel deemed the message suspicious and forwarded it to a security contractor in the school system’s information technology department.
An unnamed contractor accidentally opened the attachment using the unsecured Baltimore County school email domain instead of the secured domain. Upon opening the attachment, the malware was able to penetrate her IT network of the school system. Investigators found that antivirus software in use at the time failed to detect the malware program used in the cyberattack, and that the files were not organized in a known, identifiable format.
The malware was also designed to delay damage, allowing it to systematically disable critical functions within the school system network that could have prevented the attack.
Investigators acknowledged that IT personnel at a Baltimore County school acted as soon as they determined their network had been compromised. However, investigators believe the school system relocated publicly accessible database servers before the attacks in 2015 and she said in 2020, despite recommendations to do so by the Maryland State Office of Legal Comptrollment. I discovered that I didn’t.
The latter audit was delivered to school systems on November 19, 2020, days before the cyberattack. Investigators said the malware had already been distributed by the time the report was published.
In the days and months following the crisis, Baltimore County school administrators were met with enthusiasm by the public, employees, and county government officials for their perceived lack of transparency and communication regarding the incident. Investigators found that federal law enforcement asked her IT staff at the school system not to discuss the cyberattack with other organizations, including local governments. School officials were also told that the FBI would work with local law enforcement because of the severity of the cyberattack, according to the inspector general’s report.
Herndon also reiterated that authorities have instructed system leaders to refrain from sharing information about attacks during and after investigations.
Meanwhile, the school’s systems were working to restore critical information using backup files, which were not corrupted in the attack. Still, some of the files related to personnel and payroll turned out to be unreadable or corrupted. Instead, school system leaders turned to nearly a year-old backup files that didn’t contain personnel, salary, and benefits changes made prior to the cyberattack.
While authorities worked to restore files, the system relied on outdated information about deduction rates, salary status and income levels, tax deductions, benefits, and other details affecting employees and retirees. rice field.
More than two years after the cyberattack, school systems are rolling out a series of new security measures. This includes multi-factor authentication standards for all faculty and staff, improved firewall technology, and enhanced device protection to detect and prevent malware. School systems have also moved “critical” network functions to encrypted cloud-based services and run security updates to ensure devices receive real-time security patches.
The total cost of emergency restoration work, system upgrades and new security measures for school systems soared to $9.682 million, the report said. OIGE noted that the upgrade saved Baltimore County’s school system about $1 million in IT operating expenses.
The report also includes seven recommendations related to data protection, cyberattack prevention, and recovery planning. It calls on school system executives to develop processes to immediately address irregularities in staff and retiree benefits and salaries caused by outdated backups.
Copies of the report have been sent to the Governor, General Assembly, State Board of Education, and State Superintendent.Baltimore County school system ends February 23 Submit a formal response to the investigator’s findings.
In recent years, cyberattacks have plagued many of Maryland’s local governments, state agencies, and school systems. A ransomware attack on the City of Baltimore government in May 2019 cost the city millions of dollars in recovery costs and lost revenue. In December 2021, a cyberattack brought down his COVID-19 data dashboard for the Maryland Department of Health during a dangerous spike in the Omicron variant of the virus. Prior to the attacks on Baltimore County schools, state audits regularly found cybersecurity issues in other school systems in the state.
The Maryland legislature passed legislation during its 2022 session aimed at helping state and local governments protect themselves against cyberattacks. The law created a centralized network in Maryland and provided funding for local governments to prepare for cyberattacks.