Computer hackers demand $40 million ransom from Broward County Public Schools

'We have no intention of paying a ransom,' school district says
Broward County Public Schools computer data held for ransom
Posted at 9:25 AM, Apr 01, 2021
and last updated 2021-04-01 09:25:59-04

FORT LAUDERDALE, Fla. — A South Florida school district's computer system was the target of hackers who earlier this month demanded a $40 million ransom to prevent personal information about students and teachers from being made public.

According to a transcript obtained by the South Florida SunSentinel, hackers with the ransomware group known as Conti engaged in an exchange with a Broward County Public Schools representative, initially demanding $40 million from the district.

"The bad news is that we hacked your network and encrypted your servers, as well as downloaded more than 1 terabyte of your personal data, including financial, contracts, databases and other documents containing (Social Security numbers) addresses (dates of birth) and other information about students and teachers," one of the hackers said in a text message to the school district representative. "If this data is published, you will be subject to huge court and government fines. The good news is that we are businessmen. We want to receive ransom for everything that needs to be kept secret, and don't want to ruin your reputation."

Then the hacker revealed the hefty price tag.

"I am … speechless," the school district representative replied. "Surely this is a mistake? (A)re there extra (zeroes) in that number by mistake?"

The hacker offered a retort.

"According to the records, your revenue is more than ($4 billion). So it is a possible amount for you," the hacker answered.

When the school district representative explained that the ransom could not be met, the hacker later lowered the ransom to $15 million.

"$15M is still completely out of the realm of possibility," the school district representative wrote. "We aren't an (sic) global company generating massive amounts of revenue that we can spend on everything. The taxpayers dollars that create our revenue gets redistributed to pay for salaries, resources, benefits, and more expenditures throughout the district. We understand that this is your career, but we need to be realistic with each other. Do you understand our position?"

But the hacker wasn't buying it.

"Don't play with us, your chiefs have this required amount in Bitcoins," the hacker wrote. "We don't have time, or you pay today, or we upload files today, because we should continue our work with other bigger companies."

The school district representative refuted the claim, saying the district didn't have $15 million in bitcoin and "could not even pay you $10 today let alone millions when our bank is closed."

After weeks of back and forth, the hacker eventually lowered the offer to $10 million.

"We have approval to offer $500,000, but the price ranges you started with are too far off for a taxpayer funded school," the school district representative answered.

Under district policy, that amount is the maximum it can pay without school board approval.

Broward County Public Schools issued a statement March 12 saying it "recently detected a service disruption that impacted the availability of certain systems within the BCPS computer network."

"Upon learning of this incident, BCPS secured its network and commenced an internal investigation," the statement continued. "A cyber security firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems."

In response to several media inquiries about the ransom, the district issued another statement Wednesday saying it has "taken steps to enhance the security of its systems, including additional administrative, technical and physical safeguards."

The district went on to say that efforts to restore all systems "are underway and progressing well."

"We have no intention of paying a ransom," the statement said.

The district went on to say that it is "not aware of any student or employee personal data that has been compromised as a result of this incident."