
Baltimore County schools partially at fault for 2020 cyberattack, Maryland inspector general for education finds

Maryland’s inspector general for education says the Baltimore County school system failed to provide adequate security for its computer network servers, despite several warnings from the state in the years preceding a devastating ransomware attack in 2020.

The investigative report published Monday partially faults the school system for the hack that disrupted school operations days before the Thanksgiving holiday in 2020, when all instruction and school board meetings were taking place online due to the coronavirus pandemic. The report offers new details about the cause of the attack, the total cost of recovery and actions taken by the Baltimore County school system prior to the incident.


In a Tuesday evening statement, county schools spokesperson Charles Herndon said the report illustrated how the recovery efforts positioned the system as “years ahead” of other school systems in terms of cyber defense.

“Superintendent Darryl Williams made notable efforts to address the technology infrastructure needs of the system prior to the cyberattack in his first proposed operating budget for the school system; however, those requests were not funded,” Herndon wrote in an email.


“The school system was a victim — just as scores of other school systems and governmental and health care institutions across the nation that have been the target of sophisticated cyberattacks on critical technical infrastructures — and the blame solely rests with the perpetrators who facilitated the attack,” he said.

Williams announced Monday he would not seek another four-year contract with the school system.

The state’s Inspector General for Education Richard Henry opened the investigation into the ransomware attack after receiving a complaint alleging the state’s third-largest school system had disregarded cybersecurity recommendations made by the Maryland Office of Legislative Audits. The complaint also alleged the system was not prepared for the cyberattack and failed to protect the personally identifiable information of students, staff and system retirees.

Darryl L. Williams, Baltimore County schools superintendent, speaks at a news conference Nov. 25, 2020, to update the public on the ransomware attack that targeted the school system.

The school system’s networks experienced catastrophic disruptions Nov. 24, 2020, about 15 days after a phony college official sent an email containing a bogus invoice attachment to a Baltimore County education professional, according to investigators.

When the staff member was unable to open the email, which was formatted with a recognized email address and extension, they contacted a tech liaison, who deemed the message suspicious and forwarded it to a security contractor for the school system’s department of information technology.

The unnamed contractor mistakenly opened the attachment using an unsecured Baltimore County schools email domain instead of a secured one. Opening the attachment allowed the malware to penetrate the school system’s IT network. Investigators found the antivirus software being used at the time was unable to detect the malware program used in the cyberattack and that the file was not configured in a known identifiable format.

The malware also was designed to delay its damage to avoid immediate detection, allowing it to systematically disable critical functions within the school system network that could have prevented the attack.

Investigators acknowledged that Baltimore County schools’ IT employees took immediate action once they determined the network was compromised. However, investigators found that prior to the attack, the school system had not relocated its publicly accessible database servers — despite Maryland Office of Legislative Audits recommendations to do so in 2015 and in 2020.


The latter audit’s findings were delivered to the school system Nov. 19, 2020, just days before the cyberattack. Investigators say the malware already was in the school system’s computers and servers by the time the report was made public.

In the days and months following the crisis, Baltimore County school administrators took heat from the public, employees and county government officials for a perceived lack of transparency and communication about the incident. Investigators found that federal law enforcement had asked school system IT staff not to discuss the cyberattack with any other entity, including local officials. And school staff were told the FBI would coordinate with local law enforcement due to the seriousness of the cyberattack, according to the inspector general’s report.

Herndon also reiterated that the agency had directed system leaders to refrain from sharing information about the attack during and after the investigation.

Meanwhile, the school system was working to recover crucial information using backup files, which were not corrupted in the attack. Still, some of the files related to human resources and payroll were found to be unreadable or damaged. School system leaders instead turned to a backup file that was about a year old and did not include personnel, payroll or benefit changes made before the cyberattack.

While officials worked to recover the files, the system relied on outdated information regarding deduction rates, statuses and income levels for payroll, tax deductions, benefits and other details affecting employees and retirees.

More than two years after the cyberattack, the school system has deployed an array of new security measures, including multi-factor authentication standards for all staff, improved firewall technology and enhanced device protections to detect and prevent malware. The school system also has migrated “essential” network functions to an encrypted, cloud-based service and carried out security updates to ensure devices receive real-time security patches.


The total cost of the school system’s emergency recovery efforts, system upgrades and new security measures has topped $9.682 million, the report states. The inspector general’s report noted that the Baltimore County school system has since trimmed about $1 million from IT operating expenses because of the upgrades.

The report also includes seven recommendations related to data protection, cyberattack prevention and recovery plans. It calls on school system executives to develop a process to immediately resolve benefits and payroll irregularities for staff and retirees resulting from the outdated backups.

Copies of the report are being delivered to the governor, General Assembly, State Board of Education and State Superintendent of Schools. The Baltimore County school system has until Feb. 23 to submit a formal response to the investigators’ findings.

Cyberattacks have plagued a number of local governments, state agencies and school systems in Maryland in recent years. A ransomware attack on Baltimore City government in May 2019 cost the city millions in recovery expenses and lost revenue. A cyberattack downed the Maryland health department’s COVID-19 data dashboard in December 2021 during a dangerous surge of the virus’ omicron variant. Prior to the attack on Baltimore County schools, state audits routinely found cybersecurity problems in other school systems around the state.

The Maryland General Assembly passed legislation during its 2022 session aimed at helping state and local governments better prepare and protect themselves from cyberattacks. The law created a centralized Maryland network and provided funding for local governments to afford cyberattack preparedness.

