Stolen Providence school district data may be making its way onto the internet
Providence public school officials last Friday were about to finalize a credit monitoring agreement to provide protection for district teachers and staff after a recent ransomware attack on the district’s network.
Then over the weekend, a video preview of selected data allegedly stolen from the Providence Public School Department (PPSD) showed up on a regular website. The site is accessible via any internet browser — what’s sometimes called the “clearnet” — unlike the dark web ransom page where cybercriminal group Medusa first alleged to leak the 201 gigabytes of data on Sept. 25.
While a forensic analysis of the breach continues, the credit monitoring agreement with an unspecified vendor was finalized as of Thursday and the district was drafting a letter to go out to the staff “very soon” with information on how to access those services, spokesperson Jay G. Wégimont said in an email.
“First and foremost, the safety and security of our staff members is of utmost importance, and the District continues to make decisions with that in mind,” Wégimont said.
“We will also continue to explore any additional services we can offer to protect the security of our staff members and students.”
Meanwhile, the data breach has yet to be formally reported to the Rhode Island Attorney General’s office, said spokesperson Brian Hodge. State law requires any municipal or government agency to inform the AG’s office, credit reporting agencies, and people affected by a breach within 30 days of the breach’s confirmation.
PPSD first used the wording “unauthorized access” to describe the breach in a Sept. 25 letter from Superintendent Javier Montañez, although the Providence School Board had used the term “breach” in a public statement on Sept. 18.
Providence Mayor Brett Smiley was “encouraged” the district was advising potentially affected staff and finalizing the credit monitoring agreement, spokesperson Anthony Vega said in a statement emailed Tuesday to Rhode Island Current.
The Providence City Council declined to comment, said spokesperson Roxie Richner in an email. Gov. Dan Mckee’s office did not respond to a request for comment.
‘Robert’ makes a video
Ransomware group Medusa first took public credit for the pirated PPSD data on Sept. 16, when it demanded a $1 million ransom to be paid by the morning of Sept. 25.
Hackers claim to have published data stolen from Providence Public School Department
Rhode Island Current previously reported that the alleged ransom landing page did not provide access to files, but did show file and folder names, as well as partially obscured screenshots of the allegedly stolen data.
The clearnet-hosted leak includes a 24-minute screen recording in which someone clicks through an assortment of the allegedly leaked files and folders on an otherwise empty Windows desktop. The post sports a disclaimer that its author is “not engaged in illegal activities” and showcases leaks only for “possible information security problems.”
The author signs off: “Traditional thanks to The Providence Public School Department for the provided data. Do not skimp on information security. Always yours. Robert.”
While the uploader does not explicitly brand themself as affiliated with Medusa, the “Robert” source appears to share all the same leaks Medusa does, and both sources use the same encrypted messaging address, according to threat researchers at Bitdefender.
Ransomware attacks, and Medusa’s methodology as well, have long been associated with social engineering — like getting people to click phishing links in emails. But it’s becoming more common that outdated hardware or software are to blame, said Bill Garneau, vice president of operations at CMIT Solutions in Cranston.
“What we’ve started to see in terms of ransomware is, it’s not only business email compromise,” Garneau said. “Threat actors out there are really pursuing systems that are out of compliance.”
That could mean equipment at the end of its manufacturer-supported lifespan, or software that needs to be patched. Garneau’s company uses a compliance framework crafted by the National Institute of Standards and Technology. One of its standards is to patch devices within 30 days of the patch release, before threat actors can exploit the vulnerabilities patches are meant to fix.
“If there’s a patch available, it’s because there’s a bad guy out there that knows that there’s a vulnerability, and there’s somebody that’s knocking on doors trying to find it,” Garneau said.
To insure or not to insure?
Cyber insurance policies can cover some costs incurred by attacks. But they can’t prevent future threats or suddenly make insecure networks better, Garneau noted.
“Insurance is great, right? But that’s not going to solve any problem,” Garneau said.
PPSD has not responded to requests about whether the district has cyber insurance. According to Lauren Greene, a spokesperson for the Rhode Island League of Cities and Towns, no public entity would disclose that information anyway. “As you can understand, it poses a security risk for municipalities to disclose if and what type of cybersecurity insurance that they have,” Greene said in an email.
“Municipalities continue to prioritize training for their staff in order to mitigate risk and draw awareness to the constantly evolving threats,” Greene added, and noted that a community’s IT staff may work across multiple areas or departments like public safety and schools.
A Deloitte report released Monday, however, showed that states-level IT officials and security officers are not feeling confident about the budgets for their states’ IT infrastructure.
“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” Srini Subramanian, principal of Deloitte & Touche LLP, said in an interview with States Newsroom. “And CISOs (chief information security officers) have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”
Budget restrictions, staff issues, and AI are threats to states’ cybersecurity
Those challenges were reflected in the survey numbers, which found almost half of respondents did not know their state’s budget for cybersecurity. Roughly 40% of state IT officers said they did not have enough funds to comply with regulations or other legal requirements.
That finding echoes a 2023 report from Moody’s Ratings, which scores and analyzes municipal bonds. “While robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,” wrote Gregory Sobel, a Moody’s analyst and assistant vice president, in the report.
Moody’s also noted that one survey showed 92% of local governments had cyber insurance, a twofold increase over five years. But that popularity came with higher rates: One county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Those higher costs are also in addition to stricter stipulations on risk management practices before a policy will pay out, like better firewalls, consistent data backups and multi-factor authentication.
Douglas W. Hubbard, the CEO of consulting firm Hubbard Decision Research and coauthor of “How to Measure Anything in Cybersecurity Risk,” told Rhode Island Current in an email that schools should exhaust the low-cost, shared or free resources available to help them manage cyber risk. Examples include offerings from the Cybersecurity and Infrastructure Security Agency (CISA) or a pilot program by the Federal Communications Commission for K-12 schools.
“For specific cybersecurity recommendations…there are a few things that are so fundamental that administrators don’t really even need a risk analysis to get started,” Hubbard said. They include training staff and students on best practices including strong passwords or avoiding mysterious links. Multi-factor authentication is “probably the single most effective technology a school could implement,” even if it involves an upfront cost, Hubbard said.
“The fundamental responsibilities of the schools should include at least using the resources which have been made available to them through the programs I mentioned,” Hubbard said. “If they aren’t doing at least that, there is room for blame.”
This article was corrected to show that Rhode Island state law requires municipal agencies to notify affected parties and the state Attorney General within 30 days of a data breach. The article originally stated 45 days, which is the timeframe required for individuals to report a breach.