The Providence Public School Department building is seen on Westminster Street in Providence. (Alexander Castro/Rhode Island Current)
The Providence School Board typically broadcasts its meetings to YouTube.
But Wednesday evening’s board meeting would not be televised.
Less than five minutes before the scheduled start time, school board President Erlin Rogel took to social media to express his regret that a weeklong internet outage at Providence schools would also affect the board’s regularly scheduled programming. But the portion of the meeting most germane to the network issues wouldn’t have been broadcast anyway, since it met in executive session.
In a statement issued Thursday, Rogel described the executive session as “regarding the recent breach of the district’s network.” It included a presentation from the Rhode Island Department of Education (RIDE) and the Providence Public School Department (PPSD).
“While I cannot disclose the specific contents of our discussion, I can state that the district is awaiting an analysis of this breach to learn more about its severity and the degree to which any information was exposed,” Rogel wrote. “While we await the results of that analysis, PPSD continues to mobilize every resource available to ensure that learning proceeds with as little disruption as possible.”
Rogel did not respond to multiple requests for comment from Rhode Island Current.
The school board president’s use of the term “breach” differs from the district’s official language, which has tiptoed around the problem’s exact nature. A Sept. 12 letter to the PPSD community described “irregular activity” on the district network, which ultimately led IT staff to shut down internet access across district offices and schools. Internet remains largely absent in Providence schools, aside from a fleet of wifi hotspots enlisted to provide connectivity in the main network’s absence.
A Sept. 16 letter sent from PPSD to community members said a forensic analysis was still ongoing and that “there is no evidence that PPSD data has been affected.”
But on Monday, the hacker group Medusa appeared to take credit for the “irregular activity” with a post to its publicly accessible ransom blog. The post purported to include 41 watermarked, sometimes partially obscured, screenshots previewing the contents of the 201 gigabytes of data the hackers claim to have stolen, with identifying information, like alleged serial numbers for employee cell phones and parents’ contact information, included.
After penetrating a system, Medusa ransomware works quietly in the background and amasses exploitable data. Once the bounty is big enough, it will encrypt files and make them inaccessible to users. A ransom note is then delivered to victims, with files held hostage unless a ransom is paid. Medusa hackers also employ a “double extortion” method, meaning they not only steal files, but will sell or release the data publicly if payment is not received.
The ransom page suggests PPSD can recover or delete its data by paying $1 million. A $100,000 payment would extend the timer by one day. The deadline is the morning of Sept. 25, according to the hackers’ countdown timer.
Specifics about district kept secure
Jay G. Wégimont, PPSD spokesperson, did not respond to numerous requests for clarification or comment on Friday.
Forensic analyses take time, meaning those answers won’t be available immediately. But it’s still unknown whether the school department has a cyber insurance policy, or the possible costs associated with the usage of hotspots that are currently substituting for a dedicated network. Also up in the air is whether the district successfully awarded a 2024 contract that would renew 4,600 licenses for copies of security software Cortex XDR Pro, a product from Palo Alto labs that promises “out of the box” protections against Medusa with proper installation.
Wégimont did not provide information as to the status of the district’s senior director of information technology, for which a job posting has been online since May. The role is also vacant according to a Jan. 2024 organizational chart. The 2024-2025 budget contains 13 full-time information services roles for PPSD, down three from the previous year.
“We also want to note that our student and staff information systems are also separate from our network,” Superintendent Javier Montañez wrote in a Sept. 16 letter to the PPSD community.
Wégimont did not clarify what this means. Typically, large networks called domains offer varying levels of access for different types of users across IT services for big organizations like school districts.
Back-to-school for threat actors, too
Perennially underfunded school districts nationwide are a favorite among ransomware actors. A U.S. Government Accountability Office report published in Oct. 2022 cited research that over 647,000 K-12 students were potential victims of ransomware attacks as of 2021. Resulting learning loss ranged from days to weeks, while it took districts’ infrastructure anywhere from two to nine months to recover.
Providence officials have not confirmed ransomware as the source of their network woes. The alleged hack comes at an inopportune time for PPSD, which has been under state control since 2019 and will remain so for up to another three years, state education officials announced last month.
If Medusa leaks the PPSD data it claims to have, and it contains private student information, the leak could be in violation of the Family Educational Rights and Privacy Act, a federal law meant to shield confidential student data. Best practices dictate that affected school districts contact authorities once a breach is suspected. (Schools do not, however, have to contact the U.S. Department of Education about ransomware, although it is recommended so they can receive federal resources.)
“As is standard operating procedure, the District and their professional third-party IT agency contacted RI State Police, Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) last Wednesday,” Wégimont said in a Sept. 18 email.
Kristen Setera, a spokesperson for the FBI Boston Division, declined to comment.
“Generally speaking, we do not comment on specific incidents because victims should feel confident that, when reporting a crime to the FBI, their status as ‘victim’ is paramount to the investigation and that their identity will not be disclosed,” Setera said in a Thursday morning email to Rhode Island Current. “If a victim wants to disclose our involvement, we leave it up to them to do so.”
In the meantime, Providence schools have made do with older technologies. Maribeth Calabro, president of the Providence Teachers Union, did not acknowledge requests for comment from Rhode Island Current, but did previously speak with multiple news outlets about the effects on the district’s teachers. Some are confused about which devices they can or can’t use, Calabro told the Boston Globe, and have opted to teach the old-school way instead, without computers.
A comment Tuesday on a social media post about the potential Providence hack seems to voice one student’s concern: “Bro.. I just want the school wifi back.”