According to the Maryland Office of the Inspector General, Baltimore County Public Schools (BCPS) failed to act on several state recommendations to help mitigate cyber-attacks before a breach disrupted school operations and cost the school system millions of dollars in damages and repairs.
After a November 2020 cyberattack caused by a phishing email, operations at BCPS were impaired for several days, affecting the school system's website and remote learning programs.
The IG's report found that the initial network compromise occurred 15 days before the network disruption and came in as an e-mail. A teacher flagged the e-mail as suspicious, sending it to in-house tech support, who then forwarded the e-mail to a contracted tech support supervisor, according to the report. Unfortunately, the contractor mistakenly opened the suspicious email with the attachment using their unsecured BCPS email domain account rather than in a secured email domain. Consequently, opening the attachment in the unsecured environment delivered the undetected malware into the BCPS IT network.
Moreover, the OIGE report says BCPS did not fully implement several network recommendations from the Maryland Office of Legislative Audits in recent audit reports, including the relocation of publicly accessible database servers and the adequate maintenance of internal network servers. BCPS has implemented an array of new network security measures since the cyber-attack, the report says.
The report says the network upgrades and damages from the cyber-attack cost BCPS nearly $10 million. An investigation by the FBI and Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is ongoing, the report says. Luke Barr "Baltimore schools cyber attack cost nearly $10M: State IG" abcnews.go.com (Jan. 25, 2023)
Two lessons to take away from this incident merit examination.
First, the use of a malicious payload attached to an email remains the single most common way malware is introduced into a network system. Not selecting links, opening attachments, or downloading files from unknown or unexpected sources are some of the easiest ways of preventing a system infection.
In this matter, the employee who received the email did the right thing. Ironically, it was a contractor, an expert on the matter, who committed the error.
The second lesson is that recommendations were ignored to relocate publicly-accessible database servers to a more protected network segment and to better maintain internal network servers, presumably to keep them updated and patched. These oversights created risk.
When budgeting for educational institutions, monies spent on prevention, training, and upgrading equipment, software, and defenses will be far less of an expense than remediating, repairing, and replacing a compromised network or servers.