Cedar Rapids schools cyberattack questions remain unanswered

It’s been more than three weeks since the Cedar Rapids Community School District was hit by a cyberattack that allowed unauthorized access to its data network and it took the district an alarming 15 days before it informed current and former staff of the security breach.

In a letter dated July 20, district staff, current and former, were informed that the incident may have involved access to their personal information, potentially involving Social Security numbers, driver’s license numbers, bank account information and medical and/or health insurance data. The district discovered on July 5 that personal information may have been accessed.

Why did it take 20 days for the school district to inform staff of this potentially damaging breach? Were student records also accessed? Were vendors who do business with the school also affected? Why was it necessary to close school facilities for a week? Did the district have to pay a ransom to the attackers? How did this happen, and what steps are being taken to prevent a future cyberattack?

These questions are unanswered because the school district has refused be transparent in any meaningful way. Staff, families, students and taxpayers have been left in the dark by a public institution. The larger community being affected by the attack and response deserves to know much more about what happened.

Superintendent Noreen Bush also sent out a dear colleagues email comparing the district’s response to the cyberattack to its response to the derecho. It touted the positive attitude and hard, round-the-clock work of staff to respond to the attack. She thanked staff for their patience.

But the email also answered none of the nagging questions still lingering. We, too, commend staff who have been on the front line response. But a full explanation would be more welcome than a pep talk.

The school district is making credit monitoring, fraud prevention and other services available to staff, which is the right call. But faster notification could have helped staff react more quickly to protect their information.

We believe when the dust settles the school district must embark on an after-action report explaining its response, including the prolonged absence of transparency. And it must explain what is being done to prevent future attacks. Sweeping this saga under the rug would so a disservice to the community.

(319) 398-8262; editorial@thegazette.com