Hackers who broke into Broward County Public Schools’ computer system last month made good on their threat this week to release thousands of files that they stole.
The group, known as Conti, published almost 26,000 files on its website, where it warns other businesses and organizations it targets that unless they pay ransoms, their files, which may contain personal information, will be released as well.
The files, which dated from 2012 to March of this year, did not contain Social Security numbers, but did include a few cases of confidential student, faculty or staff data, according to the Sun-Sentinel.
“If you are a client who declined the deal on cartel’s website or did not find valuable files, this does not mean that we forgot about you, it only means that data was sold and only therefore it did not publish in free access,” the group states on its website.
The school district, which did not immediately respond to a request for comment, posted a statement on its website saying that so far, outside investigators it’s hired have not found any indication student or employee personal data has been compromised.
“If the investigation uncovers any compromised personal data, the District will provide appropriate notification to those affected,” the statement reads.
The district has contacted law enforcement, it said on its website.
When the hackers breached the school district’s system in early March, they first demanded $40 million, but then said they’d accept $10 million, according to a transcript of text messages between Conti and an unidentified employee. The Miami Herald viewed screenshots of the transcript.
The district told the Herald last month that it had no intention of paying the ransom. It hired a cybersecurity firm to investigate the breach and to try to get back its files.
Brett Callow, a threat analyst with New Zealand-based cyber security firm Emsisoft, said Conti are “experienced extortionists” who’ve released data they’ve stolen from almost 300 other organizations.
“That info that is released in these cases can be very sensitive. For example, in one recent case involving a school district, the hackers published details of alleged sexual assaults by/against named individuals,” Callow said in an email. “Things like this are really, really bad. If your financial information leaks, you can fix your credit; when stuff like this leaks, there’s no way to fix it. Once it’s out there, it’s out there.”
Callow said hackers get into organizations’ computer systems either by tricking an employee into opening a link contained within an email, or because the organization has an improperly secured internet-facing server.
“It’s about 50/50. In these cases, the hackers attempt to delete or encrypt the target’s backups,” Callow said. “If they fail, the organization can use the backups to recover its systems. If they succeed, the organization’s only option is to lose its data or pay the ransom.
“But, of course, in either case, they still have the problem of the stolen data.”