Cyberattack

When the first signs of a massive cyberattack became apparent in the Tangipahoa Parish School System’s computers, administrators thought it was something that could be handled quickly.

At the time, in late July, three other Louisiana school districts had been attacked that week, prompting Gov. John Bel Edwards to declare a state of emergency and activate the state's cybersecurity-specific emergency support function for the first time since its creation in 2017.

Because they had been warned about the signs and were on the lookout, the Tangipahoa officials thought the impact wouldn't be so severe.

They were wrong.

“It was very eye-opening for all of us,” district Assistant Superintendent Ron Genco said, now five months after the cyberattack.

In those first days, hackers demanding $1 million worth of Bitcoin had frozen the district’s 10,000 computers and accessed the two servers that have backed up every piece of data since 2009.

Payroll was inaccessible. The internet-based phone systems were down. Administrators weren’t able to access data.

And kids were due back in classrooms in two weeks.

“That Monday morning we had individuals from State Police, the FBI, some of our technology people, Homeland Security, and when they began to peel back the layers they said ‘look, you’re under a cyberattack,’” Genco said. “Once it was explained our first thought was how do we get out from under this? Is there a button you could click? And when people started telling us the process, we realized this is not anything we’re getting through in a week or two weeks.”

It took IT and technology department staff close to a month to manually wipe the district’s 10,000 computers. Staff lost any files that were stored only on their computers.

Normally, parents could log onto a website and enter their home address to find their children's bus route and the approximate time their driver would come by on a school day. But the hack forced transportation staff to resort to paper maps and highlighters designating routes — they posted photos online to inform parents.

Some teachers kept student data and lesson plans in cloud-based software, which meant they were still accessible. But many other teachers had to use the parish’s libraries and Southeastern University’s computer labs to create timetables and print resources in the days before their classrooms opened to a new cohort of kids.

It took enormous effort — almost $300,000 in hiring temporary employees and paying overtime — but, when school opened on Aug. 12, the only difference visible to students was a lack of Chromebooks and technology.

“It was time-intensive and something we hope we never have to do again, and we hope none of our other school districts need to fight that fight either,” Genco said.

Authorities think the ransomware virus infiltrated through an email opened by a staff member, said district chief financial officer Brett Schnadelbach.

It’s likely the virus sat dormant on someone’s computer, eventually wending through other network computers until it found access to the servers and gained control of most of the district’s system, he said.

One saving grace, Schnadelbach said, is that the district’s monthly payroll had been processed three days prior to the attack. But there were still ongoing glitches when the next pay period rolled around.

Schnadelbach’s accounting team lost access to its payroll software completely, meaning they had to reload an old version of the software from 2010 and manually input anything that had changed in the last decade. There were new staff members who hadn’t been accounted for, and others who had retired years prior.

Every employee had to fill out hiring paperwork again, amounting to about 2,800 files that had to be scanned into a new online system.

“The real solution is storing your backups in a place where they’re not internet accessible, like hard drives or tape drives, and that way if you do have this experience you could rebuild from that,” Schnadelbach said. “It’s our biggest regret. If we’d have had a backup system that was offline dating back 30 days, we could’ve re-input that and been up and running in no time. But hindsight’s always 20/20.”

The district, which serves almost 20,000 students according to the most recent Louisiana Department of Education data, still has not fully recovered.

As the end of the year approaches, Schnadelbach said, accounting employees are compiling 1099 and W-2 forms for tax season. But they need to reload the paper copies of every financial record since before July.

The State Legislative Auditor has granted a 60-day extension to the Dec. 31 deadline to submit financial information for audit, Schnadelbach said, but that too will need to be compiled from paper copies kept in a warehouse.

The district has put tighter filters on incoming system emails and introduced ongoing cybersecurity training for employees. The school board has opted to pay just over $13,000 a year for $1 million in cyber insurance going forward, an option it had declined for the last two years.

The district has put in a $100,000 claim from its general liability insurance and is spending another $200,000 from the general fund to cover recovery expenses.

Administrators are confident the most draining period of the attack is over and hope they can be a lesson for other agencies in protecting their assets.

“We’re a lot better today than we were yesterday, and we’ll just keep moving forward,” Genco said.

Email Emma Kennedy at ekennedy@theadvocate.com.