Recovering from ransomware: Long Island schools are top targets of cybercriminals
October is Cybersecurity Awareness Month, a nationwide initiative to help people stay safe online. It comes amid growing concern about a rise in cyberattacks, and a Team 12 Investigation has found our schools are among the biggest targets.
Team 12 Investigates reveals a detailed look at what was accessed in recent cyberattacks on schools—and what it took for districts to recover.
Shawn Petretti, superintendent of the Mattituck-Cutchogue School District, vividly remembers the summer of 2022. The district was the victim of a ransomware attack that July.
“A message started popping up on a couple of our computers,” said Petretti. “All of a sudden, there was a phone call from one of our technicians saying they believe we just had a cyberattack.”
The district immediately went into reaction mode. Their first call was to the New York state Division of Homeland Security. Hackers gained access to names, birth dates and addresses—but sensitive data was unscathed.
“We’ve got all hands on deck and went computer to computer throughout the district and unplugged everything,” Petretti said. “To rebuild the servers, reimage all of our machines and get everything ready to go, it took us close to two months.”
Team 12 Investigates uncovered that Mattituck-Cutchogue was one of six Long Island school districts to suffer from ransomware attacks in 2022. Three of those incidents were never publicly reported.
Through a records request, we found that cybercriminals hacked into surveillance systems at Merrick, North Merrick and New Hyde Park school districts in April of last year.
The ransomware compromised video servers, disabled lockdown systems and impacted badge access. Some of the systems were down for more than a week before district officials discovered the breach.
The districts reported that no public notification was required because no personal data was taken. They removed impacted DVRs, turned off security camera networks and updated their servers without ever alerting parents at the time. They did, however, notify the FBI.
“The district is in a continuous cycle of improving the various technologies that we use and improving technology training. This includes updates that improve cybersecurity,” Dr. Dominick Palma, superintendent of the Merrick UFSD, said in an email. “Costs for cybersecurity improvements cannot be parsed from overall technology expenditures. The district maintains cyber insurance.”
Team 12 Investigates later learned through a records request that the Merrick UFSD does not allocate any funding for cybersecurity outside of cyber insurance.
North Merrick and New Hyde Park school superintendents did not respond to requests for an interview.
Team 12 Investigates obtained four years’ worth of cyber incident reports from Long Island schools. We found that at least 22 school districts have been targets of malicious cyberattacks since 2019, and 16 of them were ransomware attacks.
In some cases, cybercriminals gained access to domain controllers, which are the gatekeepers of user authorization.
The Sewanhaka Central High School District was the victim of a ransomware attack in September 2019. The district had to establish a new network environment, reinstall its transportation and athletics systems and migrate all critical systems to the cloud.
Nassau BOCES Technical services provided a team of engineers and field technicians to help the district with its remediation plan.
In 2020, the Floral Park-Bellerose School District created new networks after domain controllers and ClassLink—which provides identity and access management products for education—were encrypted with ransomware. District officials reported at the time that they did not notify parents because no personally identifiable information was breached.
When asked whether the Floral Park-Bellerose UFSD has implemented cybersecurity upgrades since the ransomware attack, a representative from their public relations firm said that “they decline to participate in the story.”
The investigation into a ransomware attack on the North Babylon School District in 2020 was ongoing at the time of the cyber incident report. The attack disrupted district email and limited student access to instructional materials at a time when students were learning remotely on district-issued devices.
Manhasset School District was the victim of a massive ransomware attack in 2021 that leaked sensitive data on the dark web. According to the cyber incident report obtained by Team 12 Investigates, the district did not release these details to impacted individuals until months later due to an “ongoing investigation.”
A third-party investigation was performed “at the direction of legal counsel,” according to the report, and the name of that cybersecurity firm was redacted.
The West Babylon School District shut down its computer systems in July 2022 due to an “unknown cyberattack.” Team 12 Investigates uncovered that 398 students and 819 teachers were affected. According to records obtained by Team 12 Investigates, hackers accessed addresses, birth dates, names, phone numbers, parent names, parent emails, Individualized Education Program information, English-Language Learner information and teacher state identification.
Sag Harbor, Riverhead, Plainedge, Uniondale and Commack school districts have also been victims of ransomware attacks since 2019.
Team 12 Investigates reached out to nearly two dozen districts that were victims of cyberattacks to talk about their investment in cybersecurity. Two superintendents, including Petretti, did agree to talk openly about the problem.
Superintendent Matthew Gaven knows firsthand the crippling effects of a cyberattack. He worked in the Mineola School District when it was hit with ransomware in 2019. The district has nearly doubled its spending on cybersecurity since.
Gaven now leads the Rockville Centre School District, which also suffered a ransomware attack in 2019.
“You want to make sure that your community’s in the know,” said Gaven. “The risk is obviously the confidentiality of the student and employee data. That's the first risk.”
The Rockville Centre School District had to rebuild its network and delete compromised accounts to recover from the ransomware attack. It cost the district tens of thousands of dollars to recover from the incident.
Parents might be surprised by the sheer number of attempted attacks that schools face. Gaven said random attacks happen all the time but are stopped by their new and improved cyber defenses.
“As an educator that has seen a couple of cyberattacks, I think the most important takeaway is trying to stay aware,” Gaven said. “The key thing is making your employees aware, providing them with constant training, and saying ‘Hey, you didn’t notice this one, but you should notice this.’”