Cyberattack strikes a school system told for years it was vulnerable
With data presumed unrecoverable, Baltimore County Schools scramble to recover from cyber attack
With student transcripts, ID numbers, state test scores and more apparently destroyed, the hackers’ stranglehold on student data is far worse that school officials have acknowledged
Above: Baltimore County Public Schools headquarters on North Charles Street. (Ann Costantino)
Baltimore County Schools won praise for restarting student learning after last month’s cyber attack. But behind the scenes, the system is still reeling from the assault, including its devastating impact on students’ educational records.
Some student records are “presumed completely unrecoverable,” a Baltimore County Public Schools (BCPS) employee with information about the attack’s impact told The Brew.
“SIS [the Student Information System] is toast,” said the employee, who spoke under the condition of anonymity.
The system’s backup may have been saved on the same infected server, so that both were compromised by the malware attackers, the source said. The catastrophic loss of SIS is what is slowing the school district’s recovery, multiple sources said.
SIS is the official record-keeping system for students within BCPS One, the public-facing platform used to house students’ educational tools and data. It includes grades, state test scores, high school transcripts, school schedules, student identification numbers and directory data.
The hackers’ apparent stranglehold on these records is, sources say, far worse than the school system has acknowledged.
Employees are told not to discuss publicly what little they know about the cyber attack’s real impact.
Information technology staff are making piecemeal fixes, tracking down student data which is being collected from vendors that do nightly snapshots, also known as “dip-ins.”
“SIS is the brain of the whole operation,” the employee said. “That brain is damaged and BCPS is trying to replace the brain with things not designed to do that.”
Another source familiar with the ransomware fallout described the recovery process underway as tedious and iffy.
“BCPS is coming up with new tools and workarounds because we don’t have access to old programs,” said the source, who also asked not to be identified for fear of job reprisal. “They are using third-party programs or they are rebuilding.”
Employees are being told not to discuss publicly what little they know about the cyber attack’s real impact.
“We do not know what the access is to the data that was previously available,” one said. “Whether that data is available via backups is not being disclosed.”
Lack of Transparency
The recovery effort comes amid complaints about lack of transparency from parents and County Council members, and a harshly worded letter last week from County Executive Johnny Olszewski to Superintendent Darryl L. Williams.
“Federal, state and local partners are not getting timely and accurate information about the attack from BCPS,” Olszewski wrote, declaring that County government would “scale back its efforts” to assist.
Olszewski expressed concern about the legal, financial and reputational consequences if BCPS were to make an independent decision to pay the hackers, whose identity he does not know. Such a decision, he warned, would produce “wide-ranging and long-lasting” consequences.
Williams responded with his own letter, saying BCPS “in no way attempted to exclude anyone from or impede the criminal investigation.” The school system has “answered questions when we are able to do so and have referred questions to investigators and legal representatives when we cannot,” he said.
Williams offered no new information on the status of its negotiations with the hackers, while noting that BCPS does have ransomware insurance.
Asked by The Brew about the severity of its data losses, officials declined to discuss them.
“Due to the ongoing investigation and in consultation with both law enforcement and third-party partners, BCPS is unable to discuss details of the extent of the ransomware attack at this time,” spokesman Charles Herndon said.
Test Scores Lost?
While much remains unknown about the extent of the attack and the prospects for data recovery, discussions with persons knowledgeable about the matter make clear that huge challenges remain.
A key question is whether the school system archived any of its data – on tape – which would make it recoverable in the future. BCPS has for the time being led employees to believe that all has been lost.
Among the possible losses are transcripts for most – if not all – students, except for seniors. (The only reason senior transcripts were spared is because staff happened to have manually input those records into BCPS’ third-party college platform, Naviance, days before the attack.)
Some staff are operating under the assumption that student identification numbers have been permanently lost, which creates major complications since these identifiers tie student data in the system together much like a social security number.
State test scores may also be gone. (The Maryland State Department of Education has not responded to The Brew’s query as to whether the agency stores students’ past and present testing data.)
Employees whose flash drives were plugged into affected laptops had everything on those flash drives also destroyed and encrypted. “It wiped out everything,” said an employee. “In some cases, teachers lost up to 20 years’ worth of lesson plans and curriculum.”
“All Hands on Deck”
BCPS is in the process of building its SIS system, officially naming it “Interim SIS,” employees have told The Brew.
During a virtual meeting on Tuesday that drew hundreds of BCPS employees, participants were essentially told to listen and not ask questions.
Kim Ferguson, director of Student Services, said that meeting organizers had received over 400 inquiries from principals, counselors and other employees, but could not answer them at that time.
School administrators were led through a tutorial on how to use the Interim SIS system to allow students to enroll, withdraw and transfer, as well as how to restore the ability for schools to track attendance.
During the same meeting, Jim Corns, executive director of Information Technology, inadvertently interrupted in a “hot mike” moment, unaware his conversation was being overheard by hundreds of participants.
To a caller, he asked for any and all IT professionals to be sent over to fix BCPS’ network issues.
“All hands on deck would be greatly appreciated,” Corns was heard saying, according to an employee participating in the meeting. “I’ll take whoever you can get!”
Myriad of Complications
Days after the November 24 attack, BCPS found a workaround where meetings can take place on Google Meet for instruction.
Families were told they could exchange their BCPS-issued HP Revolve or Chromebook laptops for ones that were re-imaged. (BCPS has not explained why, this past week, families were told they must trade them in.)
It was a fast comeback for the district, but numerous practical problems remained, among them a complication for school staff who are required by law to report suspected child abuse to authorities.
With student directory information missing – coupled with staff working from home – employees have found themselves scrambling to obtain phone numbers and addresses for the children they are required to help.
“Calling home was a challenge,” a BCPS employee said. “Not having access to basic information is frustrating and does not allow staff to do their jobs effectively.”
• To reach this reporter @firstname.lastname@example.org. By phone at 410-419-9620 or through the Signal App