116 3rd St SE
Cedar Rapids, Iowa 52401
CEDAR RAPIDS — The Cedar Rapids school district may never tell the public how much it paid in ransom to a criminal group that this summer attacked it computers — a payment that likely was “absolutely necessary,” a local security expert said.
In an email last week to families, Superintendent Noreen Bush said the district made an undisclosed payment to a “third party” entity to ensure critical information that may have been accessed was not released. The attack was discovered right before the Fourth of July.
The emails to families were sent Friday less than 10 minutes after The Gazette received a document fulfilling a public records request submitted over four weeks earlier — July 14 — to the school district requesting records on the cybersecurity incident.
Much of the document was redacted. The district’s cybersecurity experts and legal counsel required that certain information remain confidential to prevent any increased risk to the district during recovery efforts, according to district officials. This could include details about the incident itself or the district’s response to it.
The district’s cybersecurity insurance includes coverage of up to a $5 million liability limit and a $50,000 deductible for each claim.
District officials did not respond to questions from The Gazette about how much ransom was paid, why data was still released if the district paid the ransom, what school systems if any are still affected and if the district will be prepared for the first day of school in one week on Aug. 23.
The Cedar Rapids Community School District identified a cybersecurity breach July 2. The district canceled its summer school the following week from July 5-8, impacting more than 750 children enrolled in programs.
Personal information from staff was included in data stolen from Cedar Rapids schools. The data of 8,790 Iowans may have been compromised in the cybersecurity incident, according to a letter to the Iowa Attorney General’s Office from McDonald Hopkins, a law firm in Chicago representing the school district.
The district said it would offer a free year’s worth of crediting monitoring services to affected employees to see if the data is being used.
Randy Evans, executive director of the Iowa Freedom of Information Council, said while there isn’t a state law that requires the school district to disclose the amount of ransom paid, residents and employees are “entitled” to know.
“I don’t believe there a legal basis to keep the public in the dark forever,” Evans said. “The amount of ransom that was paid is probably going to be more embarrassing to the district than anything else.”
Aaron Warner, founder and chief executive officer of ProCircular, a computer security service in Coralville, said he recommends paying a ransom in fewer than 2 percent of cases ProCircular has handled.
“It’s infrequent, but sometimes it’s absolutely necessary,” he said.
ProCircular works with a number of school districts in Iowa and throughout the Midwest. Warner said he is not able to comment specifically on any client.
Warner could not say if ProCircular is working with the Cedar Rapids school district to restore its systems or increase its cybersecurity going forward.
In ransomware cases similar to this, the hacker often will encrypt data and charge a ransom for the code needed to unlock it, Warner said. Security experts weigh the advantages and disadvantages of paying ransom in a ransomware attack, he said.
Questions include: How valuable is the data stolen? How high is the cost of down time? How likely is it you’ll get a decryption key if you pay the ransom? How credible is the threat?
“If you have good backups and are able to restore your systems, it’s unlikely you need to pay ransom,” Warner said.
If the ransomware attacker has control of a network and, in this case, students are preparing to go back to class, sometimes there aren’t any other choices but to pay the ransom. The alternative is to spend years rebuilding the systems, Warner said.
Paying a ransom can often cost less than the cost of restoring systems from scratch and the “hundreds of thousands of dollars a day” it could cost not being able to do business because of the cybersecurity attack, Warner said.
Warner said in ransomware attacks, it’s rarely made public how much ransom was demanded or paid.
“I think it’s less important to publish how much they had to pay than it is whether or not they had to pay,” he said. “The goal is to get students to into school.”
Beyond schools, ProCircular also provides cybersecurity services to a large number of clients in public and private organizations in Iowa, including Cedar Rapids-based Folience, the parent company of The Gazette.
Comments: (319) 398-8411; firstname.lastname@example.org