No personal information stolen in Baltimore County schools ransomware attack, officials say

Baltimore County officials do not believe that the personal data of students or employees was stolen in the November ransomware attack that crippled the school system, they announced Monday.

“At this point — we must stress, at this point — we have no evidence that shows that there has been any data exfiltration or data theft,” said Jim Corns, the county schools’ executive director of information technology.


Still, “out of an abundance of caution,” the county will cover the cost of credit monitoring for all county schools students and staff, County Executive Johnny Olszewski Jr. announced.

They made the comments at a news conference in front of county government offices in Towson with schools Superintendent Darryl Williams and others.


Officials did not provide specifics of the credit monitoring coverage but said they would release details in the coming days.

In a ransomware attack, hackers encrypt the victim’s files and demand payment to unlock them. In some incidents, hackers steal sensitive personal data maintained by the targeted organization. They have posted the information on the dark web in other cases.

Since the attack hit two weeks ago, many parents and employees have worried about the security of the vast personal data stored by the school system.

“It will be very reassuring for members to know that the Baltimore County government is providing credit” monitoring, said Cindy Sexton, president of the Teachers Association of Baltimore County.

However, Brett Callow, a threat analyst with the cybersecurity company Emsisoft, said there have been many incidents where officials publicly say they have no evidence of data theft, only to be proven wrong later.

The Morning Sun


Get your morning news in your e-mail inbox. Get all the top news and sports from the

It’s “not always possible to tell what did happen because the attackers try to scramble systems and log files as much as they can,” Callow said.

A forensic analysis to determine if data was stolen can take up to a month, he said.

Employee groups have been pressing school officials for information on the security of personal data, said Tom DeHart, executive director of the Council of Administrative and Supervisory Employees, the bargaining unit representing school principals and other administrators.


DeHart said the group understands “that there are limits as to what the system can share,” but providing information to staff and the public when it becomes available “goes a long way” in an uncertain situation.

Also at the news conference, school board Chairwoman Kathleen Causey and Vice Chairwoman Julie Henn confirmed that county schools have cyber insurance.

Officials have not said previously whether the school system carried such insurance, which typically covers costs associated with cyber attacks, data breaches and other incidents. The school board members would not say if the insurance company was in contact with the hackers.

Later Monday, school system officials declined to provide any details on the insurance coverage, including the name of the carrier or when they purchased the insurance.