Hackers Publish Florida School District Files After $40M Ransom Unpaid

Hackers who sought $40 million in ransom from a South Florida school district that refused to pay have now published nearly 26,000 stolen files.

Many of the files, dated from 2012 to March 2021, contain Broward School District accounting and other financial records, which include invoices, purchase orders, and travel and reimbursement forms, the South Florida SunSentinel reported. None of the files reviewed by the newspaper so far contained Social Security numbers.

The international malware group Conti posted the files Monday, the newspaper reported. Last month the hackers posted a transcript of a conversation with an unidentified Broward schools representative who offered to pay $500,000 to retrieve data. The hackers initially demanded $40 million but dropped the price to $10 million.

On March 31, the district announced it had no intention of paying a ransom.

Kathy Kochhe, the district’s chief communications officer, said in a statement that officials are analyzing the content of the posted material to determine next steps, and will notify anyone whose personal information was shared.

“Cybersecurity experts are continuing to investigate the incident and enhance measures system-wide,” the statement said.

The district, which is the nation’s sixth largest with 271,000 students, has published questions and answers about the breach on its website at browardschools.com. The school district has an annual budget of about $4 billion – a fact the hackers kept returning to as they demanded $40 million, to be paid in cryptocurrency.

The published files include more than 750 employee mileage reports, 36 employee travel reimbursement forms, more than 700 invoices for spring water, more than 1,000 invoices for school construction work, about 400 payments to Broward Sheriff’s Office or local police departments for security, dozens of utility bills and several employee phone lists, the newspaper reported.

While the vast majority of the data appeared to be public records, some confidential material was shared, the report said. A March 2020 invoice for $14 from the state health department includes the name and birthdate of a 9-year-old student who was being examined for a disability. Some invoices name bus drivers who visited urgent care centers. And several documents list employee benefits.

“It doesn’t sound like it was that big,” Jorge Orchilles, chief technology officer for the cybersecurity company Scythe, told the SunSentinel. “It looks like they made the right decision not to pay ransom. At this point, there’s no point in paying it because all the information is already out there.”

The hackers said on their website they may have more information.

“If you are a client who declined the deal and did not find your data on cartel’s website or did not find valuable files, this does not mean that we forgot about you,” the website says. “It only means that data was sold and only therefore it did not publish in free access!”

Last week, the school district’s chief information officer warned the Broward School Board that a new cyber-attack could affect the ability to pay employees and keep schools open. Phil Dunn requested $20 million to enhance the district’s cyber-security efforts, and the board plans to make a final decision soon.

In 2021, there have already been at least 21 successful ransomware attacks in the U.S. education sector, disrupting 550 schools, Brett Callow, a threat analyst for the anti-malware company Emsisoft, told the newspaper.