Baltimore County’s school system did not follow state recommendations to relocate its servers to a more secure data cloud prior to a 2020 cyberattack that wiped crucial data and affected thousands of students, employees, and retirees, state officials have found.
The Maryland Office of the Inspector General of Education this week released a report based on its review of a complaint the office had received. While the inspector general did not substantiate numerous claims, it did find that Baltimore County Public Schools failed to follow recommendations by the Maryland Office of Legislative Audits the year of the attack, as well as similar suggestions made five years prior.
The school system defended its response, and noted it has spent millions since the incident to upgrade its cyberdefense.
“BCPS was a victim — just as scores of other school systems and governmental and health care institutions across the nation that have been the target of sophisticated cyberattacks on critical technical infrastructures — and the blame solely rests with the perpetrators who facilitated the attack,” the school system said in a statement.
The inspector general’s office, which is headed by Richard Henry, details not only each accusation in the complaint but how the attack happened and the cost to the county of the recovery — nearly $10 million.
The complaint also alleged that BCPS was targeted because the state audit office had published a report stating that the county schools were unprepared for an attack; that its information technology department didn’t adequately protect the personal data of students, staff and retirees; and that it failed to share the cost of the cyberattack and how its IT networks were subsequently improved.
The district was hit by the ransomware attack on Nov. 24, 2020 — several months into the pandemic and as the school system had turned to virtual learning. The attack led to classes being canceled, the FBI being brought in to investigate, and data being lost because the system did not pay the hackers.
Defenders of Superintendent Darryl Williams have pointed to the cyberattack as an incident that kneecapped him in his second year of office. Williams announced this week that he was not seeking a second term.
Fallout from the attack still affects people, including the district’s 9,700 retirees. The school system’s human resources staff told school board members in September that retirees were both overcharged and undercharged for health benefits.
The cyberattack stemmed from a phishing attack, the report said. The hacker impersonated a college official in an email sent to a school staffer with a fake invoice attached. The recipient clicked on the attachment, but it didn’t open. The school’s IT department was called in, and the tech liaison forwarded the suspicious email to the department’s security contractor.
“The contractor mistakenly opened the email with the attachment using their unsecured BCPS email domain account and not in their secured email domain,” the report states. “Consequently, opening the attachment in the unsecured environment served as the catalyst, which delivered the undetected malware into the BCPS IT network.”
BCPS has implemented several of the state audit office’s recommendations over the past dozen years. In 2020, the office suggested the school system relocate its publicly accessible database servers, but the system did not do it. The audit office gave similar recommendations five years prior, making them partly responsible for the attack, the report found. The audit office said the county schools’ internal network servers did not provide adequate security.
Since the cyberattack, however, the school system has “implemented an array of new security measures to ensure network integrity,” the report said. Recovering from the attack, implementing the upgrades and migrating to a new platform cost nearly $9.68 million.
The state IG’s office “also determined that BCPS has reduced prior IT operating expenses by approximately $1 million because of system upgrades,” the report stated.
The inspector general couldn’t substantiate the claim that the school system didn’t disclose the ransomware demands because the FBI had restricted certain information from being shared. And the report confirmed that the malware from the attack was delivered to the school system prior to the release of the audit office’s report stating that the system was not fully prepared. Therefore, no evidence was found to back the accusation that the audit report made the school system a target.
The county school system stated that it is “years ahead” of other school districts nationwide because of its recently implemented cyberdefense.
“Superintendent Darryl Williams made notable efforts to address the technology infrastructure needs of the system prior to the cyberattack in his first proposed operating budget for the school system, however, those requests were not funded,” the school system said in a statement.
Other defenses put in place include multifactor identification standards for all staff, improved firewall technology, and enhanced device protections to detect and prevent malware.
Ed Kitlowski, a member of the retirees chapter of the Teachers Association of Baltimore County, said the system’s response “puts a positive light” on the issue by highlighting its mitigation efforts, but “doesn’t really take responsibility for the mess that was created.”
While leaders such as Deputy Superintendent Myriam Yarbrough have been supportive in working through the retiree benefit issues, problems still remain, Kitlowski said.
He said he thought the IG’s report missed the mark.
It’s like the inspector general “looked at a red light and said, ‘Hey, the light’s red.’ No kidding,” the union leader said. While Baltimore County isn’t the only school that’s been hacked, he said “that doesn’t justify some of the inaction” by Baltimore County schools administrators.
He said one retiree, prior to the attack, was paying the county for her health care benefits while also having it deducted from her pension.
The IG office recommended that the district keep backups of data, use cloud storage, perform periodic tests, plan for recovery times, train staff, and develop procedures to report and respond to threats. The report also recommended that district leaders develop and implement a process to immediately resolve benefit and payroll irregularities “resulting from using outdated backups to restore its human resources data affecting staff and retirees.”
The school system said it has already implemented many of those recommendations and that its recovery efforts have been called “the gold standard of prevention and defense.”