Hackers Publish Nearly 26,000 Stolen Broward Schools Files

FORT LAUDERDALE (CBSMiami/AP) - Hackers who sought $40 million in ransom from Broward County Public Schools have published nearly 26,000 stolen files online after the district refused to pay.

Many of the files, dated from 2012 to March 2021, contain Broward school district accounting and other financial records, which include invoices, purchase orders, and travel and reimbursement forms, the South Florida Sun-Sentinel reported. None of the files reviewed by the newspaper so far contained Social Security numbers.

The international malware group Conti posted the files Monday. Last month the hackers posted a transcript of a conversation with an unidentified Broward schools representative which offered to pay $500,000 to retrieve data. The hackers initially demanded $40 million but dropped the price to $10 million.

On March 31, the district announced it had no intention of paying a ransom.

Keyla Concepción, the district's manager of Media & Community Relations, said in a statement that officials are analyzing the content of the posted material to determine the next steps to take.

"Broward County Public Schools (BCPS) is aware of the recent actions taken by the criminals who breached our system. With the assistance of outside experts, the District has implemented a plan to analyze the content to determine what further action is necessary. BCPS will make all the necessary notifications, based on the analysis of the data. Cyber security experts are continuing to investigate the incident and enhance measures system-wide."

The district, which is the nation's sixth-largest with 271,000 students, has published questions and answers about the breach on its website at browardschools.com. The school district has an annual budget of about $4 billion — a fact the hackers kept returning to as they demanded $40 million, to be paid in cryptocurrency.

The published files include more 750 employee mileage reports, 36 employee travel reimbursement forms, more than 700 invoices for spring water, more than 1,000 invoices for school construction work, about 400 payments to Broward Sheriff's Office or local police departments for security, dozens of utility bills and several employee phone lists, the newspaper reported.

While the vast majority of the data appeared to be public records, some confidential material was shared, the report said. A March 2020 invoice for $14 from the state health department includes the name and birthdate of a 9-year-old student who was being examined for a disability. Some invoices name bus drivers who visited urgent care centers. Several documents list employee benefits.

"It doesn't sound like it was that big," Jorge Orchilles chief technology officer for the cybersecurity company Scythe, told the Sun-Sentinel. "It looks like they made the right decision not to pay the ransom. At this point, there's no point in paying it because all the information is already out there."

The hackers said on their website they may have more information.

"If you are a client who declined the deal and did not find your data on cartel's website or did not find valuable files, this does not mean that we forgot about you," the website says. "It only means that data was sold and only, therefore, it did not publish in free access!"

Last week, the school district's chief information officer warned the Broward School Board that a new cyber-attack could affect the ability to pay employees and keep schools open. Phil Dunn requested $20 million to enhance the district's cyber-security efforts, and the board plans to make a final decision soon.

(© Copyright 2021 CBS Broadcasting Inc. All Rights Reserved. The Associated Press contributed to this report.)

Read more
f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.