Buffalo schools still reeling from hack

The March ransomware attack was a lot worse than district officials have let on. Their lack of transparency has rankled parents and staff.

How bad was the hack of the Buffalo school district’s computer system in mid-March?

The paper equivalent of lost documents would fill KeyBank Center to the rafters, one source told Investigative Post. The missing records include decades of teaching materials, student records and some 5,000 applications for admission to schools in September. Systems essential to the operation of the district, such as legal and accounting, are crippled.

The hack has caused minimal disruption to classroom instruction and distance learning, but it’s impacted the physical operation of school buildings. Automated functions such as operation of heating and cooling systems have been disrupted, for example. 

School district officials have been largely mum about the impact of the hack and the silence has rankled some parents, teachers and other district employees. 

“We are really, truly and meaningfully being left in the dark,” said Wendy Mistretta, parent and president of the District Parent Coordinating Council. “Not only is it not transparent, it seems to be intentionally like they’re hiding information that we should be owed.”

Dowdall discusses her story on WBEN

District officials downplayed the impact of the hack when it happened and refused to answer questions from Investigative Post for this story.

“We are still actively restoring services. Beyond that, we are advised not to talk about the attack itself,” Elena Cala, the district’s spokesperson, said in an email.

This story is based on interviews with a dozen parents, teachers and other staff from the district. Most spoke on the condition they were not identified for fear of retaliation from the district.

Many expressed their loss of faith and trust in the administration. 

“A lot of people are paying the price and there doesn’t seem to be a whole lot of accountability,” one source told Investigative Post.

Hacks becoming more common

The district quickly began working with the FBI after the attack happened on March 12, a Friday. Superintendent Kriner Cash approved an emergency contract with GreyCastle Security for a cybersecurity investigation to assess the damage and collect what they could for the investigation. Instruction resumed remotely for all students the following Wednesday.

The district appeared to downplay the scope of the hack in public comments. 

“Staff has restored the functionality of equipment, systems, and applications in the majority of our buildings over the weekend and today,” Cash said in a press release the Monday following the attack. According to that release, 54 of 67 building locations reported no disruption to internet and wireless systems. 

But the hack affected district operations well beyond what the press release addressed.

Dowdall discusses her story on WBFO

Attacks like these at school districts are not uncommon – 2,474 complaints were filed with the FBI last year, with losses estimated at $30 million.

Buffalo schools operate thousands of computers and a few hundred servers. While the computers themselves — used by students, teachers and other staff — remained largely unaffected, the servers were wiped out from the attack.  

The March 12 attack involved the placement of malware designed to encrypt data so it is no longer available to the system’s operator. Data is held hostage until a ransom is paid, hence the term ransomware attack. If a ransom isn’t paid, the data remains unavailable or is destroyed or released to the public.

“School districts are operating on a shoestring budget oftentimes, and you have a lot of people, particularly with virtual learning, who need to have access to the network,” said cybersecurity expert John Sancenito, president of Information Network Associates. “If they can encrypt and put a district’s ability to operate in a virtual environment out of business, then basically there’s more of a temptation for the school district to pay the ransom.”

“They need their information, they need it in a hurry, they need to have access to their systems,” Sancenito said.

The FBI doesn’t encourage paying ransoms because doing so doesn’t guarantee files will be recovered. In Buffalo’s case, a ransom wasn’t immediately demanded. It still hasn’t been. 

But it is almost guaranteed that the data is lost forever, one source told Investigative Post. Unless the attackers are apprehended, there’s no way to know if data has been destroyed. 

Ransomware and similar hacks are no stranger to Buffalo schools, sources said. The district experienced a couple of smaller, more easily manageable hacks earlier in the school year, sources said, putting cybersecurity on their radar.

“I think the biggest question is, ‘How could you not know this was coming?’” one source said.

Vast amount of data lost

Many of the systems targeted by the attack were located at central administration in City Hall. Systems ranging from legal and accounting to transportation and food service were all encrypted and destroyed. 

Important documents like legal records, transcripts, diplomas and student permanent records are all among the wreckage.  

One source estimated the district lost hundreds of terabytes of data. To put that in perspective, one terabyte is equal to 1,000 gigabytes. One gigabyte alone could store over 650,000 text files. Nearly all the documents, spreadsheets and databases needed to run a school district are gone.

Support our nonprofit newsroom with a donation today

Paper copies of some digitized records that remain in storage will eventually be reentered into systems. But many other records that exist only in digital form are lost forever.

“It’s like they never existed,” one source said.

The loss has slowed the reopening of Buffalo schools to in-classroom instruction, which has caused some parents to wonder what was lost. 

Mistretta, the parent leader, has been attempting to find out more.

In one school-based management team meeting following the attack, she and others were told by officials that bringing students back for in-person learning would be delayed because of lost data needed to route students to school.

“It really messed up our system of providing transportation for our kids,” Mistretta said. “I don’t know why the district doesn’t say that.”

In subsequent meetings with senior administrators, she was told student applications were among the documents lost in the attack, as well. Lost applications include those for children entering the district in kindergarten and pre-kindergarten and students seeking placement in magnet schools and other specialized programs, including Bennett Park Montessori, City Honors and Hutchinson Central Technical High School. 

“Basically all of their applications were wiped out and they’re putting everything back in the system,” Mistretta told Investigative Post. 

That’s likely to delay when parents learn if their child has been accepted for their requested placement.

Concerns about identity theft

Another consequence of the hack: personal information might have been exposed, which could be used in identity theft schemes. 

“This is a lot of personal, private information that we don’t know if it has been accessed, or who has access to it,” Mistretta said. 

One teacher told Investigative Post: “We were told, ‘Oh, your personal information is fine.’ “Now we’re hearing rumors that no, that’s not the case.”

The teacher went on to say that personal information of one of her colleagues was used by someone else to apply for unemployment. She said she’s heard of similar stories about other teachers, as well.

“Now we’re all warning each other,” the teacher said.

Our Weekly Newsletter

Phil Rumore, president of the Buffalo Teachers Federation, said he’s heard similar accounts from teachers. He’s frustrated with the lack of communication from the district. He said the district is obligated to inform teachers if personal information has been compromised. Rumore said the union is prepared to take legal action if necessary and has written to the superintendent expressing its concerns.

The aftermath of the hack seems to have caused minimal disruption to instruction. That’s not to say teachers and students haven’t suffered the effects.

Any documents students, teachers and other staff saved to their personal drives– or H: drives– that were stored on district systems were lost, several sources told Investigative Post. Years of lesson plans were destroyed. Some students lost portfolios, final projects and college application essays.

One staff member lost over a decade of materials.

“I can’t tell you the man-hours it will take for us to recreate these documents,” the source said. “It takes us away from the kids.”  

Seemingly simple building functions have become difficult to manage as well. Heating and cooling systems of school buildings, typically automated, must now be manually operated. 

Lack of communication 

Parents, teachers and other staff all complained to Investigative Post about a lack of communication from the district’s senior staff.

“I fear that there’s a lack of transparency because they’re afraid that if they say too much they could be held accountable legally for something,” Mistretta said. “It’s that kind of hesitancy to be transparent because of legal issues that leave families very confused.”

Other parents share her concerns.

“It was obviously extremely disruptive and seems like it continues to be without a lot of information provided to parents,” said Jessica Bauer Walker, parent and president of Buffalo’s Community Health Worker Parent Association.

School board members have discussed the attack in meetings, but only in executive sessions that are closed to the public. Parents, teachers and other staff haven’t received any formal update since the attack happened in March.

The ongoing investigation doesn’t mean the district can’t communicate, at least according to Sancenito, the cybersecurity expert.

“These things are very difficult to investigate and it really requires a lot of patience on everyone’s part. It should be though, that the district is giving some level of communication back to the parents and the media to at least tell them where they stand with things and give them a little bit more insight into the process, even if they can’t talk about the details.”

On April 19, the district submitted a request for prequalification seeking to identify qualified vendors to rebuild their systems. Cost is not a listed factor. Experience with “IT Disaster Recovery” is. Responses were due May 3.