IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

School Admin Shared Non-Public Details of Ransomware Attack with Private Company

In a co-authored report about a 2021 ransomware attack, former administrators of Broward County Public Schools in Florida shared information with Safer School Solutions that they had withheld from the public.

Broward laptop
Tens of thousands of Broward County School District students were given laptop computers so they could attend classes from home during the COVID-19 quarantine.
Wayne K. Roustan/TNS
(TNS) — Former Broward Superintendent Robert Runcie helped write a report for a private company about how his school district responded to crisis situations, revealing details about a ransomware attack that the district had repeatedly refused to share with the public.

The case study was co-authored by former district administrators Brian Katz and Philip Dunn, who started a company last year called Safer School Solutions. Dunn was still employed as the school district’s technology chief in September 2021 when the report was completed. Katz and Runcie had already left.

The report reveals new details about the severity of a 2021 ransomware attack, saying it left 2,000 servers inoperable. The district decided not to immediately contain the virus, first working to ensure students could access online classes, the report says. Law enforcement encouraged the district to offer, but not actually pay ransom to hackers.

Other sections of the report detail how the district dealt with the Parkland shooting and the COVID-19 pandemic. The report is called, “A Tale of 3 Attacks: A public school district’s resilience in an age of bad actors and a global pandemic.”

The report, produced on Safer School Solutions letterhead, also includes detailed information about the company’s services and a proprietary product.

The education advocacy group Chiefs for Change emailed the report in October to its membership of superintendents and state education leaders, normally about 50 people. Runcie was a board member and paid employee of the group at the time and became its interim leader on May 1.

The South Florida Sun Sentinel obtained the case study through public records requests to several education agencies whose leaders are Chiefs for Change members.

Earlier this year, the Fort Lauderdale-based Safer School Solutions received $1 million in security consulting work from six school districts, who were reimbursed by Chiefs for Change. Runcie is heading that project.

“We are committed to helping to create safer educational environments for students to learn and teachers and staff to work every day,” a statement from Safer School Solutions said. “We are so pleased to partner with Chiefs for Change and its member districts on this very important goal.”

But the arrangement has raised a number of ethical red flags, experts say, due to the close ties company officers have to Runcie, the appearance that a case study may actually be a marketing pitch and the company’s use of non-public information about a cyber attack during a time Dunn was still employed with the school district.

“The optics are terrible and I’m just amazed by what’s going on,” said Bob Jarvis, a law professor at Nova Southeastern University who specializes in ethics and public policy. “Was [Dunn] authorized to share this information?”

That is unknown. Dunn and Runcie couldn’t be reached, despite multiple attempts by phone and email. Katz sent an email to the Sun Sentinel referencing the company’s statement, which didn’t address questions about Dunn’s role or the district’s secrecy about the breach.

Current Superintendent Vickie Cartwright, who started a few weeks before the report was completed, was unaware Dunn was working on the report, district spokesman John Sullivan said. Dunn left the district in November 2021, two months after the report was finished.

“The current administration cannot ascertain if permission was sought or granted for the production of this report,” Sullivan said.

Asked if district officials are concerned about the contents, Sullivan said, “The District is in the process of reviewing the report.”

In a section called “Cyber Warfare Comes to School,” the report gives never-before shared details about the severity of the ransomware attack that was discovered on March 7, 2021. Most students were learning remotely at home that semester due to the pandemic.

“In that Sunday morning meeting, after triaging the situation with its woefully underfunded and understaffed IT resources, administrators decided to focus on educational continuity before containing the spread of and remediating the malware,” the report says. “School had to open virtually the next day with minimal disruption to an already tenuous learning environment.”

The district’s strategy included restoring Internet service so teachers could instruct remotely, safeguarding the district’s budget and payroll functions and securing the online system that students used to access virtual instruction, the report says.

The strategy detailed did not involve sharing any of this with the public.

The school district used a crisis public relations firm to help dodge questions from the news media and persuade the public that personal data wasn’t at risk.

The Sun Sentinel frequently asked in 2021 why the district refused to be transparent about the cyberattack.

“There is a balance of transparency and discretion we are trying to achieve as the victim of this crime, to ensure that no further harm befalls us,” Dunn wrote in an April 1 email to communications specialist Keyla Concepcion, in response to the Sun Sentinel’s inquiries. “My question to anyone would be what level of transparency would they deem appropriate if they were the victims of a crime and there was an ongoing investigation against the perpetrators?”

The district waited three weeks to tell employees or the public about the ransomware attack, confirming it on March 31, 2021, after hackers posted a transcript of failed ransom negotiations online. On that day, the district sent a message to employees encouraging them to stay vigilant by reviewing their account statements and credit reports for any unauthorized activity, while saying there was no evidence anyone’s personal information had been accessed.

Broward school district officials say they learned June 29, 2021, that the hackers had access to employee health plan information. But that was never shared with the public, 50,000 potential victims or a U.S. Department of Health and Human Services data breach portal until late November.

By this point, Runcie, Katz and Dunn had all left the district. Runcie resigned in August after being indicted on a felony perjury charge on an unrelated matter. He’s pleaded not guilty, and his case is still pending.

The district remained tight-lipped after Cartwright started in August. A November letter to potential victims said the district conducted an investigation, but when the Sun Sentinel asked for a copy, a district lawyer said it was never put in writing.

“We’re not going to show the public our security protocols because it only dramatically increases the likelihood of it being done again,” Cartwright said in January.

The Safer School Solutions report touted how the district had kept the ransomware attack under wraps.

“By the time the crisis made the national press two months later, nearly all issues had been resolved with no ransom paid to the attackers and relatively minimal impact to the District,” the report said. “Many within the Broward community had no idea of the scope and scale of the attack until myriad public records requests and voluminous press coverage shed light on just how serious it had been.”

The report complains about media coverage of a $40 million ransom demand from the hackers. The district made a $500,000 counteroffer, drawing criticism from security experts who said paying ransom emboldens hackers. But the report reveals that the district never planned to pay, and law enforcement encouraged officials to make the offer “to keep the threat actors engaged in dialogue in hopes of buying more time.”

“What should have been heralded as an industry-leading response to cyber threats, and a modern playbook for school districts quickly became politicized,” the report said. “Although law enforcement privately applauded the response, the District was unable to tell its side of the story because of the sensitive interests involved.”

School cybersecurity expert Doug Levin said he doesn’t understand why district administrators were so reluctant to share this with the public.

“This would be a good news story for them,” said Levin, who runs the K-12 Security Information Exchange to help school districts combat cyber attacks. “Keeping their school community in the dark is not doing them a service.”

The other two sections of the report discuss the district’s handling of the Stoneman Douglas shooting on Feb. 14, 2018, and the pandemic.

In the Stoneman Douglas section, the authors criticized that the state hired “monitors” to visit schools to ensure doors were locked, visitor access was restricted and schools had identified corners in the classroom where students could hide in the event of an active shooter.

“These visits don’t focus on safety and security holistically, they focus almost entirely on the high impact/low likelihood active assailant event, and more specifically, the exact type of event that occurred on February 14, 2018,” the report states.

The section on COVID-19 praises their transition into remote learning in March 2020, saying they created “one of the most effective online learning systems in the nation, with the fewest number of days of education missed during transition.”

The report doesn’t mention that the school district had the least number of students in the state return to in-person education during the 2020-21 school year and saw the second-biggest drop in student achievement in the state.

Runcie helped prepare this case study with Safer School Solutions as one of his early assignments after he took a job as a part-time “chief in residence” with Chiefs for Change, said Leila Walsh, spokeswoman for the organization.

Former Chiefs for Change CEO Mike Magee emailed the case study to members a few days before an Oct. 12 annual meeting of the group in Chicago.

“Our members told us in the fall of 2021 they wanted the Chiefs for Change Annual Meeting to focus on creating safe and welcoming schools for all,” Walsh said.

She said Safer School Solutions didn’t get paid for the report, and Runcie has received no money from the company. The company statement echoed that.

“Robert Runcie has not received any compensation directly or indirectly from Safer School Solutions for this or any other work,” the statement said.

The report includes contact information for Runcie, Katz and Dunn, saying they can be reached for “product and services-related questions, invitations for speaking engagements and consultation.”

Chiefs for Change started in 2010 as an affiliate of the Foundation for Excellence in Education, an education reform group founded by former Florida Gov. Jeb Bush.

The group split off from Bush’s organization and became its own nonprofit in 2015.

Runcie has served on the Board of Directors for Chiefs for Change since 2017. The organization issued a statement of support for Runcie after a grand jury indicted him last year on the perjury charge.

“He has always shown himself to be a person of the highest integrity,” then-CEO Magee wrote. “I do not know the specifics of the allegations against him; however, I know he is a man of character with a strong moral compass. Chiefs for Change is grateful for Bob’s leadership and is proud that he is a member of our community.”

©2022 South Florida Sun-Sentinel. Distributed by Tribune Content Agency, LLC.