Full Report
Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February.
Analysis Summary
# Incident Report: Baltimore City Public Schools Ransomware Attack
## Executive Summary
Baltimore City Public Schools (BCPS) experienced a ransomware attack on February 13, 2024, resulting in the compromise of certain network systems and the theft of sensitive documents. The attack potentially exposed personal information for thousands of individuals, including students, current and former staff, and contractors. While no ransom was paid, BCPS implemented immediate response measures, including hiring cybersecurity firms and enhancing security controls.
## Incident Details
- Incident Date: February 13, 2024
- Discovery Date: February 13, 2024 (the notification treats the incident and discovery dates as the same day; any dwell time before that date is not disclosed)
- Affected Organization: Baltimore City Public Schools (BCPS)
- Sector: Education (K-12)
- Geography: Baltimore, Maryland, USA
## Timeline of Events
### Initial Access
- Date/Time: On or around February 13, 2024
- Vector: Not disclosed. The notification does not state how initial access was obtained; the intrusion culminated in ransomware deployment, which has been attributed (allegedly) to the Cloak ransomware group.
- Details: Threat actors gained access to certain IT systems within the BCPS network.
### Lateral Movement
- Details: The attack progressed to the point where "certain documents may have been compromised." Specific details on the extent of internal movement are not provided, but the outcome suggests actors accessed folders containing personally identifiable information (PII).
### Data Exfiltration/Impact
- Details: Compromised documents contained PII for current/former employees, volunteers, and contractors, as well as records for less than 1.5% of the student population. This likely included Social Security numbers, driver’s license numbers, passport numbers for staff, and student call logs, absenteeism records, or maternity status for students.
### Detection & Response
- Detection: The incident was discovered on February 13, 2024. How it was detected (security alert, ransom note, or third-party notification) is not disclosed.
- Response actions taken: Law enforcement was contacted, cybersecurity firms were hired, notification letters were sent out, two years of credit monitoring were offered to victims, a call center was established, *endpoint detection and response* (EDR) software was installed, and all user passwords were reset.
## Attack Methodology
- Initial Access: Not disclosed. Ransomware deployment is the outcome of the intrusion, not its entry vector, and the notification names no vector.
- Persistence: *Not explicitly detailed.*
- Privilege Escalation: *Not explicitly detailed.*
- Defense Evasion: *Not explicitly detailed.*
- Credential Access: *Not explicitly detailed.* Access to PII does not by itself indicate credential theft; the only hint is that responders reset every user password, which suggests credentials were treated as potentially compromised.
- Discovery: Inferred, since the actors located folders containing sensitive documents.
- Lateral Movement: Inferred, to move across the network and reach the affected systems.
- Collection: Gathering employee PII (SSN, driver's license, passport numbers) and student records (call logs, attendance, maternity status).
- Exfiltration: Documents were taken by the criminal actors before containment; the mechanism and volume are not disclosed.
- Impact: Ransomware deployment and theft of PII, triggering breach notification obligations. BCPS reported no significant operational disruption.
## Impact Assessment
- Financial: Not quantified. Investigation, remediation, two years of credit monitoring for roughly 25,000 people, and a call center represent significant costs. (For scale, the separate Baltimore County Public Schools district reported roughly \$10M in recovery and network-upgrade costs after its November 2020 ransomware attack.)
- Data Breach: Approximately 25,000 people affected, including about 1,150 students (less than 1.5% of enrollment) and about 55% of employees. Data included SSNs, passport numbers, driver's license numbers, and student records.
- Operational: BCPS stated there was "no indication that the actions of the criminal actors significantly disturbed schools or other functions"; instruction continued during the response.
- Reputational: Public disclosure of a data breach affecting student and staff PII.
## Indicators of Compromise
- Network indicators: *No specific IP addresses or domains were provided in the summary.*
- File indicators: *No specific file hashes or names were provided in the summary.*
- Behavioral indicators: Ransomware deployment (Cloak variant suspected).
## Response Actions
- Containment measures: Organization-wide password reset for all users, with law enforcement and external cybersecurity firms engaged. Deployment of EDR software across endpoints is described alongside containment but is better read as post-incident hardening.
- Eradication steps: Cybersecurity firms engaged to investigate and remediate the environment.
- Recovery actions: Operations continued without paying the ransom. Affected parties were notified, credit monitoring was offered, and a call center was established.
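The organization-wide password reset listed above is the one response action a practitioner can reproduce, and it has a well-known pitfall: resetting user passwords does not invalidate Kerberos tickets an intruder already holds or forged, so the krbtgt account must be rotated as well (twice, because the KDC honours the previous key too). The following PowerShell is an added example, not code from BCPS or its incident responders; it assumes an on-premises Active Directory domain and the RSAT ActiveDirectory module, which the report does not confirm, and the `Reset-KrbtgtKey` function and `-Second` switch are this example's own naming.

```powershell
# Added example (not from the BCPS report): enterprise-wide credential reset after a
# ransomware intrusion. Assumes an on-premises Active Directory domain and the RSAT
# ActiveDirectory module; the report does not describe BCPS's identity infrastructure.
Import-Module ActiveDirectory

$results = @()

# 1. Force every enabled human account to change its password at next logon.
#    Accounts with PasswordNeverExpires or a servicePrincipalName are skipped here:
#    ChangePasswordAtLogon cannot be set when PasswordNeverExpires is true, and forcing
#    an interactive change on a service account breaks the service, so those are
#    recorded for manual rotation instead.
$users = Get-ADUser -Filter { Enabled -eq $true } `
            -Properties PasswordNeverExpires, ServicePrincipalName |
         Where-Object { $_.SamAccountName -ne 'krbtgt' }

foreach ($u in $users) {
    if ($u.PasswordNeverExpires -or $u.ServicePrincipalName.Count -gt 0) {
        $results += [pscustomobject]@{ Account = $u.SamAccountName; Action = 'ManualRotationRequired' }
        continue
    }
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    $results += [pscustomobject]@{ Account = $u.SamAccountName; Action = 'ChangeAtNextLogon' }
}

# 2. Rotate the krbtgt key. The KDC accepts tickets encrypted with the current AND the
#    previous krbtgt key, so one reset leaves attacker-forged (golden) tickets valid.
#    Run the second reset only after replication has converged and the maximum ticket
#    lifetime (10 hours by default) has elapsed. -Second is this script's own marker.
function Reset-KrbtgtKey {
    param([switch]$Second)
    # 48 random bytes -> 64-character base64 string; the value is never displayed.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
    $stage = if ($Second) { 'second' } else { 'first' }
    Write-Host "krbtgt $stage reset done; confirm convergence with 'repadmin /showrepl' before the next step."
}

Reset-KrbtgtKey
# Later, after convergence plus the maximum ticket lifetime:  Reset-KrbtgtKey -Second

# 3. Export the per-account record so responders can track the manual rotations.
$results | Export-Csv -Path .\credential-reset-report.csv -NoTypeInformation
```

Reset privileged and service accounts first, by hand, and treat any account listed as `ManualRotationRequired` as still compromised until it is rotated. If the district also federates to a cloud identity provider, the equivalent session and token revocation must be performed there as well; this example covers only the on-premises domain it assumes.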
## Lessons Learned
- Key takeaways: Data was exfiltrated before the intrusion was contained, indicating gaps in preventive and detective controls against ransomware operators: the entry point, lateral movement, and the outbound transfer of documents were not detected in time. Credential resets and EDR deployment after the fact do not recover stolen data.
- What could have been done better: Ransomware attacks on neighboring Baltimore-area public entities in 2019 and 2020 made the threat well known; earlier deployment of EDR, MFA, and egress monitoring could potentially have prevented or shortened this intrusion.
## Recommendations
- Prevention measures for similar incidents: Keep endpoint detection and response deployed and monitored on all endpoints rather than installing it post-incident; enforce multi-factor authentication organization-wide, including on remote access; segment networks so that file shares holding staff and student PII are not reachable from the general user network; monitor and alert on bulk outbound transfers to detect exfiltration; minimize retention of high-value identifiers (SSNs, passport and driver's license numbers) to what is legally required; maintain offline, tested backups; conduct regular vulnerability scanning and penetration testing; and review the lessons published after the 2020 Baltimore County Public Schools ransomware attack.