It’s happened to most of us or someone we know. An email or Facebook account gets hacked, or a debit card connected to a bank account or credit card is compromised.
We’ve heard of companies being hacked as someone opened an email and clicked a link that caused a virus to enter the network, or someone connects to an outside server.
This week, it was a school district in East Texas, and the results were as good as any crime show on television.
On Tuesday, Athens ISD realized something was wrong. The student files, including classroom assignments and much more, were on the server, but were renamed. The files were there but frozen or locked down. The jargon is “encrypted.”
Either way, with school starting Monday, the scramble began.
That’s when an email popped up. Subject: Ransom. The email was in broken English and demanded $50,000 to release the data back to the school.
The district had to make a decision.
There is no playbook for getting kids back to school during a pandemic. There are playbooks for server issues. There is not a playbook with a chapter titled, “How to deal with cyber terrorists demanding a ransom and holding valuable school data and files hostage during a pandemic.”
On the fly, Athens ISD came up with a Plan A and B. The decisions were judged and talked about. While that was going on, district officials surprised everyone by coming up with a Plan C.
On Wednesday night, the board of trustees voted to pay the $50,000 ransom.
Superintendent Janie Sims boldly made the announcement of the payment of the ransom, and Athens ISD Communications Specialist Toni Clay went on television trying to explain the move. Meanwhile, computer expects were disagreeing with the decision and the ransom. The top comment seemed to be “this is a waste of taxpayers’ money.”
Just over a year ago, I was part of a corporation that was hacked. So I called the really smart computer guy who brought us back online in four days and was able to make sure no personal data was released. He said, “$50,000? They got off cheap. That’s a great deal. I hope the public understands that.”
I’m not sure they did.
With $50,000 to spend, the school decided to negotiate with the cyber hostages. Over the next 48 hours, district officials got the amount down to $25,000. The hackers came back with a final email, still in broken English, agreeing to that amount.
Technology Director Tony Brooks and his team were working around the clock during the negotiations and while the public was weighing in with opinions on the $50,000 payment.
Also, the school was dealing with a Plan B.
“No one was ever excited to be negotiating with these criminals. There were a few reasons the board and administration felt paying the ransom was the lesser of two evils,” Clay said. “Paying was upon the advice of the federal cyber security team we were working with.”
Paying also meant saving money. The district has insurance for these types of issues and only would have to pay the deductible. The alternative would be to hire more employees and have current employees work overtime for two months to get the server back up and all the files re-written .
It could also have caused a delay in school.
While all of this was being considered, the work continued on the district’s current server. However, it was also discovered the current firewall was strong enough that the hackers could not actually take the files and see them, use them or try to sell them. They also noticed the data was backed up this past Saturday night — not on the backup server, but the backup to the backup.
This was like the third-string quarterback winning the Super Bowl.
They had the data and could now go to work restoring it.
Like a winning coach, Brooks said in his victory press conference, “It felt incredible.” The server team won. I guess there is no “i” in server.
The school could now send out a final offer to the attackers, “zero dollars.”
Athens ISD will delay school until Aug. 10 as officials get everything ready.
There’s a saying, “Some things you just don’t learn in school.” In this case, that sentence is true, and because it happened in school, it’s also false!
Athens made all the right decisions and crafty negotiations no one saw coming. Sure, it’s going to be a great lesson someday in the classrooms, but they also wrote a lesson plan for others.