PENNCREST officials: Cyber-attack in February has been resolved

Apr. 11--A cyber-attack on PENNCREST School District in February has been resolved with no exposure of personal information or other sensitive data, according to district officials.

The ransomware intrusion involved "older server files that weren't frequently used by anybody," according to Superintendent Timothy Glasspool.

"Even though they were older files, we had to ensure that there wasn't any personal information on there or sensitive data," Glasspool said. "At the end of the day it was good news, but it did create some really bizarre work for us over the past couple of months."

Unlocking the data that had been encrypted cost the district $10,000 -- the amount of the deductible on its cyber insurance policy, Glasspool said. The district's insurance company, AXIS Capital, paid out nearly $75,000, including costs for investigations into the attack.

Glasspool declined to comment on whether any of the money was paid to the Russian hackers believed responsible for the attack.

At the encouragement of PENNCREST School Board, Glassman informed district residents of the incident with a letter posted to the district website on Thursday.

"One of the reasons that the board wanted me to put out a (press) release is so that other companies and organizations in the area understand that this is more common than people think," Glasspool said of cyber attacks like the one that affected PENNCREST. "It just doesn't get reported frequently."

Glasspool encouraged other organizations to obtain cyber insurance to avoid the exorbitant costs of data recovery.

PENNCREST School Board President Mark Gerow said the attack had no impact on the day-to-day operations of the district.

"I wish it had never happened, but we did what we had to do," Gerow said. "It could have been a lot worse."

PENNCREST's system was attacked through the remote desktop of a former employee that hadn't been used in several years, according to Glasspool. The district's technology director detected unusual network activity and identified associated pop-up messages stating that files were encrypted on Feb. 24.

The district contacted Carnegie Mellon University Cyber Terrorism Division and disabled the compromised account. A suspicious connection associated with the attack was traced back to Russia. A subsequent digital forensic investigation concluded that no data had been exported from the system and that there had been no unauthorized access to sensitive information. PENNCREST filed a complaint with the FBI Internet Crime Complaint Center about the incident on March 7.

Ransomware attacks typically involve the encryption of data stored on the system under attack. To obtain a key to unlock the data, the system owner is typically forced to pay a ransom to the attackers.

In PENNCREST's case, a law firm hired by the district's insurance company communicated with the Russian attackers. The six weeks spent resolving the incident, Glasspool said, was quicker than is often the case with such incidents.

The district's sensitive data is generally stored in commercial cloud-based systems rather than on district-owned servers, Glasspool said. Even though the encrypted files were not in common use, he added, the district felt compelled "to ensure there was no sensitive data that could have been obtained." The district once again has access to the files, he said.

Luigi DeFrancesco, vice president of PENNCREST School Board, expressed reservations about negotiating with cyber criminals.

"In the United States, we don't pay for terrorist threats and demands," DeFrancesco said.

While the district's expenses for the incident were limited to the insurance deductible, DeFrancesco said, "Money's tight, especially right now, and we had to pay for something that has no benefits for the district."

Glasspool said the district will be better prepared as a result of the experience.

"We want to assure all stakeholders that we are taking steps to further improve the security of our computer network," he said in the letter to district residents, "and minimize the likelihood of a similar event from occurring in the future."

Mike Crowley can be reached at 724-6370 or by email at [email protected].

___

(c)2020 The Meadville Tribune (Meadville, Pa.)

Visit The Meadville Tribune (Meadville, Pa.) at meadvilletribune.com

Distributed by Tribune Content Agency, LLC.