Ransom for data approved by Little Rock School Board

Little Rock school chief defends secrecy

Little Rock School superintendent Jermall Wright talks about the LRSD's low letter grades during a press conference on Wednesday, Nov. 9 2022, at the LRSD headquarters in Little Rock. .(Arkansas Democrat-Gazette/Thomas Metthe)
Little Rock School superintendent Jermall Wright talks about the LRSD's low letter grades during a press conference on Wednesday, Nov. 9 2022, at the LRSD headquarters in Little Rock. .(Arkansas Democrat-Gazette/Thomas Metthe)

The Little Rock School Board on Monday authorized Superintendent Jermall Wright to enter into a settlement to end, as favorably as possible for the district, a cyberattack on the 21,000-student school system's data networks.

Wright told the board at the 40-minute special meeting -- during which a previously unannounced Nov. 21 private meeting of the board was disclosed -- that a possible agreement with the attackers was reached earlier Monday.

The terms of that agreement -- or ransom -- will cost the capital city school system more than a quarter of a million dollars, according to information read aloud Monday by board member Leigh Ann Wilson.

Wilson made the motion to pursue the settlement, noting a $250,000 cost to the district plus "fees" before she was told by a fellow board member that she was not supposed to announce dollar amounts.

Wright told the board repeatedly that the data breach was "horrible, horrible, horrible"; that he wouldn't wish the situation on anyone; and that every option facing district officials to resolve the cyberattack had negative impacts.

"We are doing our very best to try to protect the data that was taken from us," Wright said. "I want people to understand that we are not the enemy. The enemy is the folks who attacked our system."

The superintendent said that withholding details from the public about the data breach was necessary to the effort of protecting information about district vendors and employees while trying to resolve the issue.

The board vote was 6-3 with board President Greg Adams along with board members Michael Mason, Sandrekkia Morning, Evelyn Callaway, Joyce Wesley and Wilson voting for the motion to pursue a settlement agreement. Board members Vicki Hatter, Norma Johnson and Ali Noland voted against it.

Johnson said she could not in good conscience vote for the motion. She questioned how those who hacked into the district's technology networks could be trusted not to repeat the action later.

"I cannot support paying criminals for criminal acts," Johnson said.

Adams said he found the vote to pursue a settlement "offensive" but necessary for the "security and lives of our families."

Callaway warned that arguing about the board's unannounced private meeting on Nov. 21 and delaying a decision on paying the network hackers puts students and parents in danger.

During Monday's meeting, Hatter periodically challenged the board's system of governance in regard to calling and holding an undisclosed meeting Nov. 21 on the data breach.

Wright said the district will seek an opinion from the Arkansas attorney general's office on whether a meeting on a cyberattack of the district's networks could be exempted from public disclosure under state laws that restrict the release of written school safety and security plans.

Except as specifically provided by law, the Arkansas Freedom of Information Act calls for all meetings of public governing bodies to be public meetings and says the time and place of each regular meeting shall be furnished to anyone who requests that information. In the event of a special or emergency meeting, notice to area media organizations must be provided at least two hours before the starting time.

Adams started Monday's meeting by saying that district leaders must exercise discretion in their comments until the cyberattack matter is resolved.

Wright then read a lengthy statement in which he disclosed the 6 p.m. Nov. 21 board meeting that dealt with the extent of the data breach, the ransom demands and the protocols taken to protect the district.

He said the district was advised by independent computer forensics experts to make every effort not to publicize the cyberattack to avoid more extensive stealing of data and increased disruption to the district.

"Public discussion of the situation at the time would have risked harming thousands of LRSD patrons and employees whose personal information could have been publicly disclosed by the threat actors," Wright said.

That November meeting was held on the Zoom online platform. All board members participated except Hatter, Noland and Mason.

At that meeting, the board authorized entering into negotiations with the "TAs" or threat actors, while steps were pursued to protect district systems, Wright said.

The district did seek legal advice on the private meeting and the requirements of the Freedom of Information Act.

Wright cited Arkansas Code Annotated 6-15-1304, 10-4-429, 10-4-429, and 25-19-105 as statutes that exempt school safety plans and other security measures from public disclosure. He said the measures protect records related to cyberattacks -- but not meetings on the topic.

"LRSD intends to seek an opinion from the Arkansas attorney general on how to strike the appropriate balance between the requirements of the Freedom of Information Act and the risk of harm to the public," Wright read from his statement.

He said school boards should not have to choose between strict compliance with the Freedom of Information Act and exposing thousands of employees and others to the risks of a cyberattack.

The superintendent also said that as of Monday night, the district remains involved in an active investigation and that the matter is not resolved. He said he anticipates being able to share more details later -- after the district's data is returned.

Monday's meeting comes after Wright told employees and the Arkansas Democrat-Gazette last Thursday that the 21,000-student district was a victim of a data network breach and that the district had employed external computer forensics experts to determine the scope of the problem.

"Although the investigation is still ongoing, our forensic partners have determined that some data may have been taken from our network," Wright said last week in a message to employees that he forwarded to the newspaper.

"At this time, we do not know exactly what data may be at issue, but we are working as quickly as possible to ascertain that information," he said last week.

"If it is determined that any student, guardian, employee, or vendor information was impacted, we will work with these individuals to provide appropriate resources to protect their personal information," he also wrote.

District leaders notified law enforcement about the problem, Wright said, and would cooperate with any police inquiries. That notice included submitting an "IC3 report" of suspected internet crime to the FBI.

Wright has said that the "suspicious activity" in the district's technology network was initially detected Nov. 11, prompting an immediate response that included moving affected devices offline.

The network problems became more publicly apparent when the district announced last week that interim grade reports for students for this nine-weeks grading period were delayed and no later release date was set.

Arkansas Education Secretary Johnny Key said Monday before the special meeting that the Departments of Education and Information Services have been assisting the Little Rock district on the cyberattack.

An attack on individual districts could threaten state systems, he said, but state systems have not been compromised by this attack.

"We remain vigilant in our monitoring and detection of any threats," he said.

In 2019, the state Division of Elementary and Secondary Education established the K-12 Cyber Threat Response Team to assist districts with this type of event, Key said. That team, along with other state parties, have been deployed to assist the Little Rock system. Little Rock has brought in third-party providers for incident response and forensics reports along with still others to lead the crisis communication services.

"This cyberattack on LRSD is a clear example of the threat school districts can face, and the impact can be costly to the district and the taxpayers," Key said. "The need for cyber training for all users, as well as a system of cyber threat prevention and detection, is more important than ever."

Philip Huff, director of cyber security research at the University of Arkansas at Little Rock, said earlier Monday that cyberattacks on the nation's school districts are not unusual because cash-strapped public school districts typically run their data systems on shoestring security budgets.

Huff described cyberattackers as organized crime members who operate in countries where the laws are lax and they are not easily prosecuted.

The attackers take a couple of approaches to the illegal access to the data -- either encrypting so it can't be accessed or used by a school system or publicly posting personal information, including birth dates and social security numbers, which can then be used fraudulently.

The attackers make their ransom demands to be paid, not by a check mailed to a post office box, but instead in crypto-currency, such as bitcoin, that can be easily and anonymously moved across international borders.

Huff acknowledged that there is typically reluctance to negotiate or pay ransoms to regain access to data networks. But he said the cyberattackers are motivated by money and are often open to negotiations to get that money.

"You should consider everything you can to minimize the damage," Huff said about protecting victims.