IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cedar Rapids School District Pays Ransom for Cyber Attack

Having consulted with cybersecurity experts and legal counsel, an Iowa school district has paid an undisclosed ransom after a cyber attack last month compromised the personal data of employees.

Ransomware attack, binary code
(TNS) — The Cedar Rapids school district paid a ransom in hopes of keeping personal data compromised in a cyber attack last month from being released, the school superintendent has told parents.

"As part of the process to resolve this matter, CRCSD made payment to a third-party entity to ensure critical information that may have been accessed was not released," Superintendent Noreen Bush wrote Friday in a letter to parents. "We made this decision after consulting closely with cybersecurity experts and legal counsel and determining it was in the best interest of our school community."

Her letter did not disclose the amount of ransom that was paid, nor provide the name of the group that launched the attack.

Both Cedar Rapids and Linn-Mar school districts experienced disruptions in their computer systems within a month of each other starting in July, shutting down some operations for days as the start of the new academic year approaches Aug. 23.

Bush, in her letter to parents, said that since the cyber attack was uncovered, "we have worked with our internal IT staff and third-party cybersecurity experts to help resolve this matter and to take steps to ensure something similar does not happen again."

Schools make "easy targets" for cyber attackers because they often are not prepared enough to keep highly valuable personal data from being compromised, a local security expert said.

The Cedar Rapids Community School District identified a cybersecurity breach July 2. The district canceled its summer school the following week from July 5-8, impacting more than 750 children enrolled in programs.

The Linn-Mar Community School District announced Aug. 2 it was investigating the source of its phones going down and its computer systems being disrupted earlier this month.

Aaron Warner, founder and chief executive officer of ProCircular, a computer security service in Coralville, said schools are easy targets because they are some of the least prepared for an attack.

"When you're attacked like this you feel like a victim. It's terrible, and it takes awhile to walk it off," Warner said.

Personal information from staff was included in data stolen from Cedar Rapids schools, including staff members' full names, Social Security numbers, driver's license numbers, bank account and routing numbers, and medical information including diagnosis and treatment information or health insurance information. The district said it would offer a free year's worth of crediting monitoring services to affected employees to see if the data is used.

The Linn-Mar district has not disclosed whether personal data on its staff was compromised.

Warner said attackers would be interested in such data because they can sell it to people who want to use the information to create new identities or buy medical information to get prescriptions for drugs they can resell.

Warner could not comment whether ProCircular is working with Cedar Rapids and Linn-Mar school districts to restore their systems or increase their cybersecurity.

"The fact of the matter is every company is going to go through this," said Warner, whose company has handled hundreds of cybersecurity incidents — most of them in Iowa. "We do a lot of research to stay ahead of the game and stay sharp."

ProCircular provides cybersecurity services to a large number of clients in public and private organizations in Iowa, including Cedar Rapids-based Folience, the parent company of The Gazette.

Linn-Mar district officials have not described the issue they're facing as a cyber attack. They are working with third-party specialists to assess the impact and recover the district's systems.

"We are on schedule for students and staff as planned," said Shannon Bisgard, superintendent of the Linn-Mar Community School District.

Schools don't have funding to make significant improvements in cybersecurity, making them vulnerable to attacks, Warner said.

As of March 2022, the nation's K-12 schools have experienced 1,331 reported cybersecurity-related incidents since 2016, according to an annual report on The State of K-12 Cybersecurity released earlier this year by nonprofit K12 Security Information Exchange, which works to protect K-12 schools from cyber attacks.

Comparitech, which provides information, tools and reviews to help its readers improve cybersecurity and privacy online, estimates ransomware attacks cost K-12 schools and colleges $3.56 billion in 2021 in the United States. Additional costs include recovery as schools work to restore computers, recover data and improve security to prevent future attacks.

Recovering large quantities of data is time consuming, expensive and error-prone, Warner said. What you can't add up is the cost of having everyone in a school district focused on cybersecurity instead of on educating students, he said.

"The cost of that distraction eclipses any technical issues that come up," Warner said. "It's all anyone will talk about for the next year, and it takes away from the mission of the organization."

Sometimes it will take a "deep investigation" to be aware of a hacker. Other times, it's obvious because the hacker wants it to be, like in the case of a ransomware attack that demands payment in exchange for allowing computers to work again, Warner said.

When a cybersecurity breach does happens, Warner said it's time to pause and come up with a plan.

"Chances are the hackers were in that computer system for almost a year already," Warner said. "Pause, get your plan together, work out the scope of the damage."

Des Moines Area Community College experienced a ransomware attack last summer that caused a nearly two-week internet outage and several days of canceled classes.

Mark Clark, executive director of information solutions, said officials "were watching the attack as it was happening," Clark said. They were able to quickly cut off the internet connection, so the hackers would not have access to student information systems.

College officials called their insurance company, Holmes Murphy & Associates and Beazley Cyber Insurance, who put together a response team that included a law firm, forensic teams, ransomware negotiators and information technology to stop the attack and get systems up and running again.

Clark did not disclose how much ransom the cyber attackers asked for, but said the college did not pay.

Another company monitored the dark web for 30 days for any information leaked from the college, Clark said. "They didn't come up with anything," he said.

"You can't say 'luck' and 'breach' in the same sentence," Clark said. "We were fortunate to be able to lock things down the way we did, but unfortunately we got hit."

The school's cybersecurity insurance premium increased dramatically during the 2021-22 school year, Clark said. Additional security measures were put in place, and since then the cost of insurance has decreased. Clark did not share the amount the school pays for cybersecurity insurance.

Doug Jacobson, director at the Center for Cybersecurity Innovation and Outreach at Iowa State University, said the cost of cybersecurity insurance is increasing as attacks increase.

Jacobson said the attack on Cedar Rapids and Linn-Mar schools could have been strategically timed. Cyber attackers "like to play off confusion" and the start of the school year is "chaotic," he said.


Two-factor authentication, an extra layer of protection used to ensure the security of online accounts beyond just a username and password, is one of the most effective measures to protect against cyber attacks. Two-factor authentication could include getting a text or call to your phone with a security code.

"The bad guy is going to know your password, but there's a good chance he doesn't also physically have your phone," Warner said.

For consumers, Warner also suggested services such as LifeLock, which for a fee looks for identity threats, alerts the user of potential threats and helps restore the identity if the user is a victim of identity theft.

The three national credit rating agencies — Experian, Equifax and TransUnion — offer a free credit report and, for a fee, ongoing crediting monitoring services.

Finally, Warner encouraged everyone to back up data on their home computer to a hard drive, which can be purchased for $50, and take it to the bank for storage in a safety deposit box. Warner said he does that about once a year.

"At least you have pictures of your family," he said.

©2022 The Gazette (Cedar Rapids, Iowa). Distributed by Tribune Content Agency, LLC.