Massachusetts school district pays $10,000 in bitcoin ransom to computer hackers
"School system was not locked down as they should have been," says police chief.
Hackers infiltrated a small Massachusetts city's school computers, then swiped the data only to return it for $10,000 in bitcoin.
The Leominster Public Schools were broadsided when they learned of the extortion payment to regain possession of their pilfered data and email.
Paula Deacon, superintendent of the school, reached out to Leominster Interim Police Chief Michael Goldman for advice.
"I told her what I knew: There are three ways to deal with cybersecurity," Goldman told ABC News. "One, don’t get hacked by being properly protected. If you do get hacked, restore with uninfected backups."
But Leominster Schools apparently lacked adequate contingencies for the April 14 cyber attack.
"They didn’t have a clean offsite backup," Goldman said, adding that the school was crippled by systems too inefficient to ward off the notorious cyber attack known as "WannaCry."
"This happened and the school system was not locked down as they should have been," he said. "There are a lot of systems that have been subjected to this."
The ransomware was first unleashed a year ago. It holds computer assets hostage until a ransom is remitted, with the files at risk of being eradicated otherwise. So far, "WannaCry" has infected hundreds of thousands of computer systems in over 150 countries.
These particular hackers dangling the Leominster school system's coveted data, the chief recalled, gave an ultimatum to the school stating, "if you want your data back, you pay."
Over a week after being strong-armed by the cyber hackers, Deacon admitted in a statement that "a lock" that was placed on the school's system was removed after "a negotiated ransom was agreed upon."
She wrote that the system "paid through a bitcoin system" and was now waiting for the system to be "fully restored."
As of Tuesday, most of the keys were returned to the school's possession, Goldman assured.
These sorts of issues are "beyond law enforcement," Goldman explained. While the FBI was notified, in addition to the computer company that supplied the school, there was no real viable option but to pay up, he added.
"They would have had to wipe the servers and reconstruct them from the beginning," Goldman said. "The cost to do that would have exceeded the ransom."
Goldman explained that the incident wasn't necessarily a direct attack on Leominster; rather, the attack went after any systems -- especially outdated software used by some municipalities and businesses -- with vulnerabilities that can be exploited.
However, Deacon relenting to the hackers' demands has angered some in the community who learned their taxpayer dollars were used to pay off the ransom.
"It's distasteful, and it's been upsetting with some consternation in the community that the school shouldn't be using funds this way," Goldman said. "That is people who are uneducated in this type of thing."
Still, Goldman bluntly recounted what he told school and city administrators about learning from the cyber lapse.
"You got caught with your pants down," he said. "Pull them up and put a new belt on. Pay it, which they did, and put safeguards in place to lessen the liability."
In fact, Goldman says he's confident that the measures Leominster Public Schools have taken to help limit their liability should they be attacked again are sufficient.