BALTIMORE, Md. — Thousands of employees and about 1,000 students in Baltimore City Public Schools (BCPS) had their personal data compromised in a cyberattack. That announcement came from the school system yesterday, after a security breach back in February.
Cybercriminals are increasingly targeting institutions like schools and government agencies. The Baltimore City State's Attorney's Office is also investigating a cybersecurity incident that happened last month.
BCPS Chief of Staff Alison Perkins-Cohen says these hackers are relentless.
"We get many, many, many attacks a day that we're thankfully fending the vast, vast, vast majority of them off and then some, you know, this one got through, but, you know, we're not alone in that," she told WMAR-2 News in an interview Wednesday.
BCPS couldn't tell us how the hackers got into the system, as that's part of the ongoing law enforcement investigation. But the criminal group demanded BCPS pay a ransom to get its data back, which the district did not do. Morey Haber, chief security advisor for cybersecurity firm BeyondTrust, says that was the right move.
"Even if you pay the money, which is not recommended at all, there's nothing from stopping them from releasing it or having a persistent presence somewhere in the future from contacting you again and say, you know what, we're still in your systems. So in terms of the school district's behavior in contacting law enforcement and doing the process that they did, they followed the best practice recommendations today, absolutely," Haber told WMAR-2 News.
BCPS immediately notified police, restored the damaged systems, and then underwent an official investigation with law enforcement and external cybersecurity experts.
"Through the longer term investigation we identified that there was some personally identifiable information that was compromised," Perkins-Cohen said.
That applied to about 7,000 current employees, about 1,000 current students, as well as some volunteers, contractors, and former staff. The compromised employee records date all the way back to 2010. Starting yesterday, BCPS notified everyone impacted and set up a call center; it is also offering free credit monitoring to victims and tightening up its security systems.
"You can never rest on this," Perkins-Cohen said. "This is an area where you just need constant vigilance because the situation keeps changing and you have to keep adapting."
Haber says these types of cybercriminals usually leak the personal information they obtain onto the dark web.
"These are websites that are out there that you can find if you know how, that they will sell you: 'I have a list from the Baltimore School, from Harvard, from anywhere company, and it contains this information,' and for a price, normally in crypto, you can then buy that list. Now, many times that list is not complete, but it gives you enough information to start phishing campaigns."
Haber says schools are ripe for these types of attacks, as data isn't usually erased year after year, and new students keep getting added to the system: "Education just has a unique business model where the population just tends to generally increase and has no upper limit."
K-12 school settings are particularly vulnerable, as hackers look to exploit young students who might not know any better.
"You have students that may not be fully versed in cybersecurity, have accounts, not necessarily understand best practices, using school machines or machines at home, but interacting with school-based systems that could be leveraged in some form of lateral movement to compromise an environment," Haber told WMAR-2 News. "Especially if there's not any two factor [authentication], which is quite prevalent in younger education - the kids don't have phones, they have no way of doing multi-factor, so they become more ripe for targeted and social engineering attacks just because of their own immaturity."
The Baltimore County Public School System also fell victim to a cyberattack back in 2020. According to a 2023 Maryland Inspector General report, the recovery efforts cost nearly 10 million dollars. City Schools is not anticipating that kind of cost.
"We've had cyber insurance, so we've been fortunate to have that. It's not cheap, but we have been able to utilize that to, to deal with a lot of the response and so I feel grateful that we've been able to do that," Perkins-Cohen said.
At Tuesday night's board meeting, it was announced that the CEO, Dr. Sonja Santelises, approved an emergency procurement of a contract with CrowdStrike to "provide cybersecurity forensic analysis and assessment" for about $160,000. The contract lasts through June 30.
"It's like any business and unfortunately, school systems are getting squeezed in every way possible," Haber said. "The technology has got to stay up to date and modern security practices applied."