More details needed on Cedar Rapids schools data breach

When it comes to a July cyberattack that disrupted its data systems, the Cedar Rapids Community School District clearly can’t be accused of oversharing.

We know school officials learned of the cyberattack in early July. A few days later it was determined that the personal information of current and former district employees had been breached. A few weeks later the district informed employees that data including Social Security numbers, driver’s license numbers, bank account and routing numbers, and medical information including diagnosis and treatment information or health insurance information had been compromised.

In recent days, we’ve learned, thanks to the reporting of The Gazette’s Grace King, that the school district paid a ransom to hackers in an effort to keep that data from being released. The district has a $5 million cyberattack insurance policy.

But we still have no idea how much ransom was paid, nor do we know the identity of the attackers. The district has declined to respond to several questions from The Gazette, including how much ransom was paid, what school systems are still affected and will problems will be ironed out by the first day of school on Aug. 23? Additionally, the district should explain why the path of paying a third-party was the best path for the district.

We still don’t know if student data was affected, nor do we know the full extent of the data breach. Most importantly, we don’t have an explanation of what steps the district is taking to prevent a future cyberattack. We understand the need for caution, but as a taxpayer supported public institution, the district has an obligation to shed far more light on the incident, its impact and aftermath and maintain public trust.

There’s no law that requires the district to disclose the amount of ransom paid. But we agree with Iowa Freedom of Information Executive Director Randy Evans, who told King that district residents and its employees are “entitled” to know.

“I don’t believe there a legal basis to keep the public in the dark forever,” Evans told King. “The amount of ransom that was paid is probably going to be more embarrassing to the district than anything else.”

That’s clearly not a good enough reason to withhold information, especially in an organization that lists every paid bill on its website.

Linn-Mar schools also reported a disruption in its phones and data systems, but has not characterized it as a cyberattack. District officials have provided little information.

These are serious, potentially damaging incidents. The public deserves to know how they happened and how they will be prevented in the future.

(319) 398-8262; editorial@thegazette.com