蜜桃影视

Get stories like this delivered straight to your inbox. Sign up for 蜜桃影视 Newsletter

Providence public school officials last Friday were about to finalize a credit monitoring agreement to provide protection for district teachers and staff after a recent ransomware attack on the district鈥檚 network.

Then over the weekend, a video preview of selected data allegedly stolen from the Providence Public School Department (PPSD) showed up on a regular website. The site is accessible via any internet browser 鈥� what鈥檚 sometimes called the 鈥渃learnet鈥� 鈥� unlike the dark web ransom page where cybercriminal group Medusa first alleged to .

While a forensic analysis of the breach continues, the credit monitoring agreement with an unspecified vendor was finalized as of Thursday and the district was drafting a letter to go out to the staff 鈥渧ery soon鈥� with information on how to access those services, spokesperson Jay G. W茅gimont said in an email.

鈥淔irst and foremost, the safety and security of our staff members is of utmost importance, and the District continues to make decisions with that in mind,鈥� W茅gimont said.

鈥淲e will also continue to explore any additional services we can offer to protect the security of our staff members and students.鈥�

Meanwhile, the data breach has yet to be formally reported to the Rhode Island Attorney General鈥檚 office, said spokesperson Brian Hodge. requires any municipal or government agency to inform the AG鈥檚 office, credit reporting agencies, and people affected by a breach within 30 days of the breach鈥檚 confirmation.

PPSD first used the wording 鈥渦nauthorized access鈥� to describe the breach in a Sept. 25 letter from Superintendent Javier Monta帽ez, although the Providence School Board had used the term 鈥渂reach鈥� in a public statement on Sept. 18.

Providence Mayor Brett Smiley was 鈥渆ncouraged鈥� the district was advising potentially affected staff and finalizing the credit monitoring agreement, spokesperson Anthony Vega said in a statement emailed Tuesday to Rhode Island Current.

The Providence City Council declined to comment, said spokesperson Roxie Richner in an email. Gov. Dan Mckee鈥檚 office did not respond to a request for comment.

鈥楻obert鈥� makes a video

Ransomware group Medusa first took public credit for the pirated PPSD data on Sept. 16, when it demanded a $1 million ransom to be paid by the morning of Sept. 25.

Rhode Island Current previously reported that the alleged ransom landing page did not provide access to files, but did show file and folder names, as well as partially obscured screenshots of the allegedly stolen data.

The clearnet-hosted leak includes a 24-minute screen recording in which someone clicks through an assortment of the allegedly leaked files and folders on an otherwise empty Windows desktop. The post sports a disclaimer that its author is 鈥渘ot engaged in illegal activities鈥� and showcases leaks only for 鈥減ossible information security problems.鈥�

The author signs off: 鈥淭raditional thanks to The Providence Public School Department for the provided data. Do not skimp on information security. Always yours. Robert.鈥�

While the uploader does not explicitly brand themself as affiliated with Medusa, the 鈥淩obert鈥� source appears to share all the same leaks Medusa does, and both sources use the same encrypted messaging address, according to threat researchers at Bitdefender.

Ransomware attacks, and Medusa鈥檚 methodology as well, have long been associated with social engineering 鈥� like getting people to click phishing links in emails. But it鈥檚 becoming more common that outdated hardware or software are to blame, said Bill Garneau, vice president of operations at CMIT Solutions in Cranston.

鈥淲hat we鈥檝e started to see in terms of ransomware is, it鈥檚 not only business email compromise,鈥� Garneau said. 鈥淭hreat actors out there are really pursuing systems that are out of compliance.鈥�

That could mean equipment at the end of its manufacturer-supported lifespan, or software that needs to be patched. Garneau鈥檚 company uses a crafted by the National Institute of Standards and Technology. One of its standards is to patch devices within 30 days of the patch release, before threat actors can exploit the vulnerabilities patches are meant to fix.

鈥淚f there鈥檚 a patch available, it鈥檚 because there鈥檚 a bad guy out there that knows that there鈥檚 a vulnerability, and there鈥檚 somebody that鈥檚 knocking on doors trying to find it,鈥� Garneau said.

To insure or not to insure?

Cyber insurance policies can cover some costs incurred by attacks. But they can鈥檛 prevent future threats or suddenly make insecure networks better, Garneau noted.

鈥淚nsurance is great, right? But that鈥檚 not going to solve any problem,鈥� Garneau said.

PPSD has not responded to requests about whether the district has cyber insurance. According to Lauren Greene, a spokesperson for the Rhode Island League of Cities and Towns, no public entity would disclose that information anyway. 鈥淎s you can understand, it poses a security risk for municipalities to disclose if and what type of cybersecurity insurance that they have,鈥� Greene said in an email.

鈥淢unicipalities continue to prioritize training for their staff in order to mitigate risk and draw awareness to the constantly evolving threats,鈥� Greene added, and noted that a community鈥檚 IT staff may work across multiple areas or departments like public safety and schools.

A released Monday, however, showed that states-level IT officials and security officers are not feeling confident about the budgets for their states鈥� IT infrastructure.

鈥淭he attack surface is expanding as state leaders鈥� reliance on information becomes increasingly central to the operation of government itself,鈥� Srini Subramanian, principal of Deloitte & Touche LLP, said in an with States Newsroom. 鈥淎nd CISOs (chief information security officers) have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.鈥�

Those challenges were reflected in the survey numbers, which found almost half of respondents did not know their state鈥檚 budget for cybersecurity. Roughly 40% of state IT officers said they did not have enough funds to comply with regulations or other legal requirements.

That finding echoes a , which scores and analyzes municipal bonds. 鈥淲hile robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,鈥� wrote Gregory Sobel, a Moody鈥檚 analyst and assistant vice president, in the report.

Moody鈥檚 also noted that one survey showed 92% of local governments had cyber insurance, a twofold increase over five years. But that popularity came with higher rates: One county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Those higher costs are also in addition to stricter stipulations on risk management practices before a policy will pay out, like better firewalls, consistent data backups and multi-factor authentication.

Douglas W. Hubbard, the CEO of consulting firm Hubbard Decision Research and coauthor of 鈥淗ow to Measure Anything in Cybersecurity Risk,鈥� told Rhode Island Current in an email that schools should exhaust the low-cost, shared or free resources available to help them manage cyber risk. Examples include (CISA) or a by the Federal Communications Commission for K-12 schools.

鈥淔or specific cybersecurity recommendations鈥�there are a few things that are so fundamental that administrators don鈥檛 really even need a risk analysis to get started,鈥� Hubbard said. They include training staff and students on best practices including strong passwords or avoiding mysterious links. Multi-factor authentication is 鈥減robably the single most effective technology a school could implement,鈥� even if it involves an upfront cost, Hubbard said.

鈥淭he fundamental responsibilities of the schools should include at least using the resources which have been made available to them through the programs I mentioned,鈥� Hubbard said. 鈥淚f they aren鈥檛 doing at least that, there is room for blame.鈥�

This article was corrected to show that Rhode Island state law requires municipal agencies to notify affected parties and the state Attorney General within 30 days of a data breach. The article originally stated 45 days, which is the timeframe required for individuals to report a breach. 

is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Rhode Island Current maintains editorial independence. Contact Editor Janine L. Weisman for questions: [email protected]. Follow Rhode Island Current on and .

Did you use this article in your work?

We鈥檇 love to hear how 蜜桃影视鈥檚 reporting is helping educators, researchers, and policymakers.