Infiltration Of Malware Can Occur Even When Phishing Is Flagged

February 1, 2024

According to the Maryland Office of the Inspector General, Baltimore County Public Schools (BCPS) failed to act on several state recommendations to help mitigate cyber-attacks before a breach disrupted school operations and cost the school system millions of dollars in damages and repairs.

After a November 2020 cyberattack caused by a phishing email, operations at BCPS were impaired for several days, affecting the school system's website and remote learning programs.

The IG's report found that the initial network compromise occurred 15 days before the network disruption and came in as an e-mail. A teacher flagged the e-mail as suspicious, sending it to in-house tech support, who then forwarded the e-mail to a contracted tech support supervisor, according to the report. Unfortunately, the contractor mistakenly opened the suspicious email with the attachment using their unsecured BCPS email domain account rather than in a secured email domain. Consequently, opening the attachment in the unsecured environment delivered the undetected malware into the BCPS IT network.

Moreover, the OIGE report says BCPS did not fully implement several network recommendations from the Maryland Office of Legislative Audits in recent audit reports, including the relocation of publicly accessible database servers and the adequate maintenance of internal network servers. BCPS has implemented an array of new network security measures since the cyber-attack, the report says.

The report says the network upgrades and damages from the cyber-attack cost BCPS nearly $10 million. An investigation by the FBI and Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is ongoing, the report says. Luke Barr "Baltimore schools cyber attack cost nearly $10M: State IG" abcnews.go.com (Jan. 25, 2023)

 

Commentary

 

Two lessons to take away from this incident merit examination.

First, the use of a malicious payload attached to an email remains the single most common way malware is introduced into a network system. Not selecting links, opening attachments, or downloading files from unknown or unexpected sources are some of the easiest ways of preventing a system infection.

In this matter, the employee who received the email did the right thing. Ironically, it was a contractor, an expert on the matter, who committed the error.

The second lesson is that recommendations were ignored to relocate publicly-accessible database servers to a more protected network segment and to better maintain internal network servers, presumably to keep them updated and patched. These oversights created risk.

When budgeting for educational institutions, monies spent on prevention, training, and upgrading equipment, software, and defenses will be far less of an expense than remediating, repairing, and replacing a compromised network or servers.

Finally, your opinion is important to us. Please complete the opinion survey:

Product

Articles

Do You Give Effective Feedback? You Make The Call

Eighty percent of employees, who say they receive meaningful feedback, are fully engaged. Do you give effective feedback? You make the call and join the conversation.

Ask Leslie: What Should Employers Know About The New DOL Overtime Exemption Rule?

An employer asks Leslie Zieren, Esq. about the new federal overtime exemption rule.

RiskTrends™ Podcast: FTC Bans Noncompete Agreements: What Employers Need To Know

McCalmon attorneys and special guest, Brian McCalmon, Esq. discuss the new FTC rule eliminating noncompete agreements. Learn about possible impacts on your organization.

When Harassment Is Alleged, An Investigation Is Necessary To Curb Exposure

An investigation provides the factual basis for appropriate responsive actions. Learn why they limit exposure.

Division Between Jurisdictions Creates Questions Surrounding ERISA Claims

All but one of plaintiffs' ERISA claims against the plan sponsor were dismissed. The remaining claim was settled, but plaintiffs now seek a review of the dismissed claims.