Before Buffalo Public Schools was hit by a ransomware attack that cost it $10 million, the district knew it had vulnerabilities.
Weeks before the attack, the district’s IT staff discussed cyber insurance, federally recommended cybersecurity measures, and a report showing that thousands of employee emails had been exposed, according to emails obtained by the Daily Dot through a public records request.
But in December 2020, just months before the Buffalo school district was attacked, IT staff were sharing concerns about the possibility of a cyberattack.
“Can you offer to me some insight on the discussions and any actions that were taken in the past toward securing cybersecurity insurance?” Chief Technology Officer Myra Burden asked another IT staffer in an email.
In a follow-up email, Burden also asked staffers to read a federal advisory on K-12 ransomware attacks and “take a cursory look at some of the recommended mitigations from a potential cost perspective.”
But Buffalo had no cyber insurance policy by the time the attack happened in mid-March. And it still doesn’t have one, the district told the Daily Dot.
If the district did anything to brace against cyberattacks, it wasn’t enough to stop the one that hit the district in mid-March. The district’s lawyer told local news that the attack would end up costing nearly $9.8 million as of October.
Ransomware is a growing problem for schools that has only accelerated since the pandemic forced classes to go online, experts say. Districts across the country have been extorted seemingly indiscriminately by cybercriminals holding their computer systems hostage.
But insurance can make a big difference.
By comparison, Clark County Public Schools in Las Vegas serves ten times as many students but only had to pay up to its $100,000 insurance deductible for a ransomware attack in November 2020—a hundredth of Buffalo’s costs—according to records the Nevada district provided to the Daily Dot.
While the district serving New York’s second-largest city was forced to pay millions of dollars in out-of-pocket recovery costs, the Daily Dot has found several examples of much smaller districts that were protected by insurance policies.
Haverhill Public Schools in Massachusetts was hit by the same strain of ransomware the month after Buffalo’s attack. But the 8,000-student district had cyber insurance, keeping their bill at $10,000.
Buffalo has more than 30,000 students and wound up wasting $10 million just to get those kids back in classes
In February, just weeks before the attack, Buffalo Public Schools received another indication that it was vulnerable.
IT staff had received a free report from the cybersecurity company KnowBe4 showing that 7,288 district emails had been found in hundreds of publicly available breaches, with many of the breaches including passwords.
“Credential information such as this makes these users prime targets for attackers who may be able to use just this data alone to gain unauthorized access to systems,” the report read.
These kinds of vulnerabilities can leave agencies and companies open to ransomware attacks and phishing scams, according to KnowBe4. The company offers a range of cybersecurity services including training, cyberattack simulations, and password security tests.
The district has not publicly explained how hackers accessed their systems or whether exposed emails played a role.
A KnowBe4 spokesperson confirmed that reports like the one Buffalo received are not sent out unsolicited, but are available for anyone to request, meaning Buffalo was looking at its risk level in advance of the attack.
While the free report may be a sales tactic for the company—it doesn’t include any actionable details about the exposed data—the Buffalo IT staff appeared to take it seriously.
“Thought I should share,” one staffer wrote in an email as he forwarded the report to Burden.
“FYI,” the chief technology officer wrote as she forwarded the report to another staff member.
Now, nearly a year later, files obtained in the attack on the Buffalo district are still available on the hacking group’s public website, the Daily Dot had confirmed.
A Buffalo Public Schools spokesperson and Chief Technology Officer Burden did not immediately respond to requests for comment.