BUFFALO, N.Y. — Buffalo Public Schools (BPS) is the latest victim in an increasing number of cyberattacks against school districts across the country.
The district announced late Friday that it had canceled all remote classes earlier in the day due to a ransomware attack that caused “unanticipated interruption to BPS District network systems,” reports Buffalo News. BPS serves approximately 34,000 students and operates nearly 70 facilities.
In a memo, BPS Chief Technology Officer Myra Burden said “at this time, no demands have been made; however, the FBI has found out that ransom may be between $100-300K and could be negotiable.”
Superintendent Kriner Cash approved an emergency contract with GreyCastle Security, a cybersecurity company, to support the FBI in its investigation. A press release from Cash’s office said investigators do not believe any Personally Identifiable Information (PII) was exposed.
Classes were also canceled Monday so the district can “pressure test system restoration and access as well as communicate any new or required information for students to access virtual learning tools once instruction resumes,” according to the release.
The press release also said IT will “continue to provide staff with training and information to safeguard against cybersecurity threats to personally identifiable information” and that “the district will implement a longer term comprehensive initiative to enhance IT security and infrastructure going forward.”
In December, federal agencies warned K-12 schools that ransomware attacks have been on the rise since districts have continued to rely on technology and online learning during the pandemic.
According to an advisory issued by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, 28% of all reported ransomware cases between Jan. 2020 and July 2020 involved K-12 schools. That statistic increased to 57% for August and September.
For instance, the day before Thanksgiving, Baltimore County Public Schools was hit by a ransomware attack that shut down schools for several days. Also in November, personal data was stolen from Toledo (Ohio) Public Schools, including Social Security numbers, employee evaluations, exam grades and dates of birth for students and employees.
Last March, Houston’s Sheldon Independent School District paid a ransom of over $200,000. However, the FBI and Cybersecurity and Infrastructure Security Agency do not recommend schools pay ransoms.
“Payment does not guarantee files will be recovered,” the agencies said. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”