Wed. Oct 9th, 2024

Toys are seen from a window outside the Providence Public School Department on Westminster Street. (Alexander Castro/Rhode Island Current)

The Providence Public School Department (PPSD) is providing free credit monitoring to approximately 12,000 current and former employees who may have had their personal data — like names, addresses and Social Security numbers — exposed in a recent breach of the school district’s network.   

Employees have until Dec. 16, 2024, to sign up for their complimentary credit monitoring services from IdentityIQ. The district has not yet specified the total cost for the contracted monitoring services, which will be provided free of cost to affected employees for five years, school officials wrote in a letter to staff on Friday, Oct. 4. The letter also states the breach may have occurred 12 days earlier than the district originally thought.

The letter came three weeks after ransomware group Medusa took credit for the hack and demanded $1 million on Sept. 16. Although the district initially acknowledged that “irregular activity” occurred on its network on Sept. 11, it did not use the term “unauthorized access” until a letter to the community on Sept. 25 — the same day the hackers claimed to have published the allegedly stolen data when the ransom went unpaid. 

“After a review of the filenames, PPSD became concerned that certain files listed by the group could potentially include personally identifiable information of employees and some former employees,” school officials wrote in the Oct. 4 letter.

The district also notified the Rhode Island Attorney General’s Office on Friday, said Tim Rondeau, a spokesperson for the AG, in an email Tuesday. Statute requires municipal or state agencies to notify the state’s top legal official about data breaches affecting more than 500 Rhode Islanders within 30 days.

The latest letter from the district noted that an “unauthorized actor” may have accessed the district’s network as early as Aug. 30.

Two weeks of undetected intrusion is not unusual for the Medusa group, which has been documented to use living-off-the-land techniques. This means that once a system is infiltrated, Medusa’s activity blends in with legitimate software and regular network traffic. Programs related to remote monitoring or management — which allow IT departments to manage the many computers used in big organizations like school districts — are the usual targets, according to cybersecurity firm Darktrace.

District acts relatively fast to provide credit monitoring

Back-to-school season is prime time for ransomers to target education infrastructure — like in 2023, when schools in Prince George’s County, Maryland, were hit with a cyberattack that compromised the data of students, teachers and other district associates before school even began. While a different ransom group was responsible for that attack, the ransomers in Prince George’s County moved on a similar timeline to Medusa’s, with the school district noting initial access may have begun 11 days before IT staff noticed anything was wrong. The district offered Experian credit monitoring services to those affected. 

PPSD has been relatively swift in offering credit monitoring services: When the Tucson Unified School District was struck by a breach in January 2023, it didn’t inform the 29,000 people potentially affected until August 2023. The Arizona school district also offered credit monitoring from TransUnion, according to its website.

As school and government ransomware attacks have become more commonplace, officials now seem to lack the luxury of extra time to come up with a crisis communication plan. A 2023 report from security company Sophos found that as threat detection tactics have improved, ransomware actors have quickened their pace to match. In the first half of 2023, the time to detection of ransomware incidents fell from nine days to five on average.

Folders full of files 

After initially cautious communication about the hack, the new PPSD letter clarifies somewhat the timeline of events: A forensic analysis of the breach was underway when the district “was alerted that an unverified, anonymous group was claiming to possess PPSD files.” 

“While PPSD was not able to verify the claims that this group did in fact possess authentic files, the group posted a list of filenames that they purported to have,” the letter stated. “Those unverified files appear to include documents saved by individual employees to the PPSD shared drive as well as departmental files maintained on internal PPSD servers.”

More clues about the leak’s contents came from a video posted to the “clear” internet, or non-dark-web, on Sept. 28 by an anonymous actor who seems to post the same links teased on Medusa’s dark web blog, each signed with the name Robert. Some of the dump’s alleged contents appear to be quite ordinary, like a recipe for pulled chicken sliders, worksheets for a Spanish class or other lesson materials. But also briefly previewed in the video are Microsoft Excel files, which often take up little space but can contain lots of information — up to 1,048,576 rows of data, according to Microsoft.   

Bill Garneau, vice president of operations at CMIT Solutions in Cranston, said in a recent interview with Rhode Island Current that while he’s not familiar with how the Providence school department structures its network, it’s not uncommon for the small and medium-sized businesses his company works with “to cut some corners here and there… It takes a lot of resources to be secure,” Garneau said.

“One of the big items that we do for all of our clients if they have any kind of compliance requirements is to segment their networks into smaller segments,” Garneau said. “They don’t all need to be centrally collected, connected into one system. You need to silo them into their separate buckets so that, should one appendage of the organization get compromised, you’re not going to compromise the whole thing.”

Pen testing is one means of assessing a network’s security and weaknesses by subjecting it to an array of techniques hackers would use. Companies like SecureSchools, which is based in the United Kingdom but offers services to U.S. schools, specialize in cybersecurity testing for schools. While the SecureSchools website does not list costs for its highest level of pen testing, it charges between $1.45 and $1.85 per student, plus tax, to test a school district’s security. For PPSD’s 19,000-plus students, that level of testing would cost somewhere around $28,000.

But the Providence school district — which is locked in a legal battle with the city over school funding, and remains under state control for up to another three years — has stressed recently that its coffers are light, according to a June letter from the district. The district has argued that the city has not increased its local funding in four years. 

“While we appreciate that the City contributed an additional $5.5 million in their fiscal 2025 budget, this increase is just $600,000 more than the City was legally obligated to include four years ago,” the letter reads.

The district has already spent additional money mitigating the attack. Before the breach was publicly confirmed, the school district shut down its network across its schools to prevent further compromise. That led to the district purchasing about $51,000 worth of wifi hotspots and service to help mitigate the loss of its regular connectivity, Jay G. Wégimont, a PPSD spokesperson, said in an email last week.

Wégimont said the school district “invested” in 200 hotspots, with half coming from T-Mobile and the other units “quickly sourced from a local vendor.” T-Mobile provided the units for free but charged $15 per month for six months of a data plan.    

“The remaining 100 hotspots came to a total of $42,500 for a full year of service and equipment,” Wégimont said. “These hotspots will be in use across the District throughout the school year.”
