$40 million dollars or else.
That was the opening ransom demand from the cyber attackers who hacked into the Broward County Public Schools computer system in early March. $40 million, or the personal information of teachers, students, and staff would be released.
“This is such a disturbing thing to happen to kids and to people who have dedicated their lives to kids, right?” said Broward School Board member Sarah Leonardi.
Leonardi says there’s no evidence that the hackers have accessed personal information, but they certainly act like they have. The cybersecurity website, Databreaches.net, obtained messages exchanged between the hackers and someone representing the school district. Here’s a sample, uncorrected for typos and grammatical errors:
Hackers: “The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.
District: “I am... speechless. Surely this is a mistake? Are there extra zero's in that number by mistake?”
Hackers: “According to the records, your revenue is more than 4billions...”
District: “I am so confused, this is a PUBLIC school district, public, meaning it is free for students to attend. You cannot possibly think we have anything close to this!”
“From the exchanges and the text I’ve read, it appears that these cybercriminals misunderstood who they’re dealing with,” said Dr. Yair Levy, chair of Nova Southeastern University’s cybersecurity department.
The hackers eventually lowered their demand to $15 million, and then to $10 million.
Hackers: “What is your position?”
District: “My position is shock and horror that anyone thinks a taxpayer-funded district could afford this kind of money!”
Here’s another sample of the messages:
Hackers: “Don’t play with us, your chiefs have the required amount in Bitcoins...”
District: “What is a chief?? We don’t have bitcoins! This is a school district, no one here uses a cryptocurrency... we could not even pay you $10 today let alone millions when our bank is closed.”
“We struggle to make ends meet every single year because of underfunding from the legislature and things like that, not to make it political but it is pretty ridiculous that they think we’re bathing in money,” Leonardi said. “The district is definitely a victim here.”
Broward Public Schools released a statement saying in part, “Efforts to restore all systems are underway and progressing well. We have no intention of paying a ransom. At this point in the investigation, we are not aware of any student or employee personal data that has been compromised as a result of this incident.”
Dr. Levy says cybercriminals usually get away with it because they’re operating from countries such as Russia, unfriendly to the United States, out of reach of American law enforcement agencies.
“We cannot request from those countries and their authorities to indict them or investigate them, it’s a major issue,” Levy explained.
One bedrock principle in these situations, Dr. Levy said, is to never negotiate with cybercriminals, and to get law enforcement involved as soon as possible.
The district says the FBI and the Secret Service are investigating.