The recent cyber attack on the Riverhead Central School District is believed to have been “specifically targeted” at the district, according to Superintendent Augustine Tornatore.
The attack occurred on the morning of Friday, Dec. 3, when district staff reported an outage in the school district’s emails and internet connections. The district worked the following weekend to restore the district’s technology, but their Microsoft computer system, including Outlook email, remained unavailable. The district said in robocalls it wasn’t aware of any student data breaches and that its Google services were safe and available.
Tornatore said in an interview yesterday afternoon the group that executed the attack is currently believed to be foreign, but the people who paid for the attack are believed to be domestic and “knew Riverhead.”
“It was a very different entry point into our system than other districts may have experienced. So this means that somebody paid this group…to specifically do this to Riverhead,” Tornatore said, adding that the current belief is that the attack compromised the district through an email. He declined to specify further because of the ongoing investigation into the incident.
The attack compromised the school district’s Microsoft-based system, Tornatore said. This includes documents made by faculty and staff that were saved within the district, like interoffice documents, district-generated forms and teaching materials.
The documents compromised in the attack are separate from the district’s cloud-based student management system or staff payroll system, which are outsourced to vendors like Google, and which contain sensitive data like social security numbers. The district believes those services were not compromised, Tornatore said.
Tornatore said the district can’t be sure that any personal information wasn’t stored in those compromised documents. He said the district is trying to figure out whether the information compromised in the attack can be accessed by the group that attacked the district, or if the group just disabled the district’s access. They are also attempting to recover whatever they can from the attack.
Tornatore said the attack was likely executed to hold information hostage in exchange for ransom, a cyber attack referred to as ransomware. People can unknowingly download ransomware onto a computer by opening email attachments, according to the FBI. School districts have become “targets of opportunity” in recent years, according to an FBI memo.
Tornatore said the district is working with national law enforcement agencies like the U.S. Department of Homeland Security and the FBI in investigating the attack. The board of education will also approve the Dec. 6 hiring of PNG Cyber, Inc. and Wilson Elser Moskowitz Edelman & Dicker LLP for services related to the incident at tonight’s meeting.
The district was in the process of enhancing its cyber security when the attack happened. The school board approved a cyber incident response plan to address cyber attacks at its meeting the Tuesday before the attack.
“I would say some things [from the plan] we were starting to put into place. But we were not at the point of putting everything into place, which would have thwarted this from even happening,” Tornatore said.
Separate from the plan was to have the district transition away from using Microsoft and move all of their services to Google’s cloud-based service at the start of the school year because of security concerns, Tornatore said. That full transition never happened, and only just started after the cyber attack, he said.
Tornatore said the attack could have possibly been avoided if the district had paid more attention and budgeted more resources for the district’s technology department in previous years. “To me, this could have been avoided had the technology director and the technology department been given more support,” Tornatore said.
The incident is also leading the district into new conversations around its reliance on technology, Tornatore said.
“How much technology do we want to have and have our students exposed to? And how much time do we want them to enjoy the fresh air outside and to build relationships with each other at recess, or in the cafeteria, or even in the classroom where they’re looking at one another instead of looking at a device?” Tornatore said.
Gregory Wallace, president of the Riverhead Central Faculty Association, said teachers have their various learning resources, like lesson plans, worksheets and other important files, on a number of platforms, including Microsoft. Some teachers have transferred those files to Google, he said, while others are currently teaching without those resources.
“There’s a significant amount of work product that is just no longer accessible, which is frustrating, time consuming and labor intensive to try to recreate at a moment’s notice as we’re going through this cyber incident,” Wallace said.
“We’ve been on the Microsoft platform since the inception of the PC. So some people cannot access 25 years of files at this point,” he added.
Wallace said faculty is concerned about possible personal data leaks resulting from the attack. “The district has told us they don’t believe it has been, but that’s still a concern whenever you’re dealing with an attack of this magnitude,” he said.
“Although it’s very difficult and challenging and frustrating, the teachers of Riverhead are doing what the teachers at Riverhead always do. They’re cutting through the adversity and doing the best they can for the children of this community, and they do it time and time again, through crisis after crisis,” Wallace said.
Support local journalism.
Now more than ever, the survival of quality local journalism depends on your support. Our community faces unprecedented economic disruption, and the future of many small businesses are under threat, including our own. It takes time and resources to provide this service. We are a small family-owned operation, and we will do everything in our power to keep it going. But today more than ever before, we will depend on your support to continue. Support RiverheadLOCAL today. You rely on us to stay informed and we depend on you to make our work possible.