Contractor error led to Baltimore schools ransomware attack
A security contractor for Baltimore County Public Schools mistakenly opened a suspicious phishing email attachment in an unsecure environment, leading to the ransomware attack.
A 2020 ransomware attack against Baltimore County Public Schools began with a contractor error, according to a report released Monday by Maryland's Office of the Inspector General for Education.
Baltimore County Public Schools, a district representing 115,000 students, disclosed a major ransomware attack in November 2020. Few details were provided about the attack's specifics at the time, but the school system referred to it as a "catastrophic attack on our technology system." The school was closed to students on Monday, Nov. 30 and Tuesday, Dec. 1.
More details were provided in the Monday report, published by Maryland's Office of the Inspector General for Education (OIGE). The role of the inspector general for education, currently Richard P. Henry for the state, is to detect and prevent fraud as well as assure that state funds are allocated appropriately.
According to the report, the OIGE began their investigation "after receiving a complaint alleging that the Baltimore County Public Schools (BCPS) system disregarded the recommendations made by the Maryland Office of Legislative Audits (OLA) during their 2008, 2015, and 2020 audit reports."
"It was further alleged that the repeated OLA findings indicated that the BCPS IT division was not prepared for the cyberattack and failed to protect the personally identifiable information (PII) of students, staff, and BCPS retirees," the report read. "Lastly, it was alleged that the BCPS failed to disclose the cost associated with ransomware demands, the recovery of information, and improving the IT network following the cyberattack."
The OIGE report found that the cyberattack occurred 15 days prior to when the BCPS network was disrupted on Nov. 24, when an educator received a phishing email with an attachment that they attempted to open but could not. The staffer then contacted a "BCPS tech liaison," which is a member of BCPS staff dedicated to handling basic IT inquiries, who then concluded the email was suspicious.
The tech liaison then forwarded the email to the BCPS district IT security contractor. The investigation found the contractor then "mistakenly opened the email with the attachment using their unsecured BCPS email domain account and not in their secured email domain." It was this mistake that delivered the malware into BCPS' network.
The OIGE investigation found more problems that contributed to the devastating ransomware attack.
"An analysis of the antivirus software used at the time of this incident determined that it was unable to detect the malware program used during this cyberattack," the report read. "Additionally, the malware used by the threat actor(s) had been programmed to delay its initial execution to avoid immediate detection. This delay allowed the malware to disable systematically critical functions within the BCPS network that could have prevented the malware from facilitating its attack."
The OIGE determined that contrary to the complaint, the school district had implemented several of OLA's recommendations, though it had not followed the recommendation to relocate on-premises database servers. Following the attack, the district switched to an encrypted cloud environment.
The OIGE report determined that the ransomware attack has to date cost the school district over $9.6 million between recovery costs, system upgrades and migration to the new platform.
A spokesperson with Baltimore County Public Schools shared a statement with TechTarget Editorial in response to the OIGE report.
"The OIGE report highlights BCPS' extensive and immediate recovery efforts that have now positioned the system years ahead of other school systems across the state and nation in cyber defense," the statement read. "Superintendent Darryl Williams made notable efforts to address the technology infrastructure needs of the system prior to the cyberattack in his first proposed operating budget for the school system, however, those requests were not funded."
It continued, "Additionally, it is important to note the Federal Bureau of Investigations (FBI) directed BCPS to refrain from sharing information regarding the attack during and after the investigation. BCPS already has implemented many of the recommendations of the OIGE report, and its recovery efforts have been cited nationally as the gold standard of prevention and defense. BCPS was a victim -- just as scores of other school systems and governmental and health care institutions across the nation that have been the target of sophisticated cyberattacks on critical technical infrastructures -- and the blame solely rests with the perpetrators who facilitated the attack."
Alexander Culafi is a writer, journalist and podcaster based in Boston.