School Board Agrees to Pay Ransom to Resolve Cyberattack

In mid-November, Home Access Center (HAC), the portal through which students are able to access their grades and attendance records, shut down unexpectedly. HAC is just one website that is connected to a broader digital system known as E-School which also includes  Teacher Access Center (TAC) and E-Finance, a website that stores sensitive personal information about Little Rock School District employees. The crisis was compounded by confusion among students and teachers while interim grade reports were repeatedly delayed. Soon enough, suspicion of foul play spread throughout the school.

Just weeks later, on December 1, these rumors were confirmed in a statement released by Dr. Jermall Wright, superintendent of the LRSD, in which he announced that the district had “detected unauthorized activity on its network” and “hired independent computer forensic experts to help [them] determine the nature and scope of the activity.”

But days prior to that official public announcement, the Little Rock School Board held an emergency meeting behind closed doors, potentially violating ethical rules in an effort to discuss the threats to digital privacy and the data of students, teachers, and administrators. In that meeting, board members authorized a negotiation with the individuals who hacked the software in hopes of regaining access to E-School. Three of the board’s nine members skipped the secret meeting due to concern over its constitutionality. All gatherings of the school board must be open to the public under laws established by the Freedom of Information Act (FOIA) except when they concern sensitive security issues. In his later statement, the superintendent maintained that the district never violated the law. 

“I was frustrated by the board’s decision to hold a private meeting, and I refused to participate in that meeting. That said, I have a lot of empathy for my fellow board members who were trying to address a very sensitive security issue and were acting on the advice of legal counsel,” Little Rock School Board member Ali Noland said. “However, as an attorney, I knew that the private meeting did not fall under any existing FOIA exemption and was, therefore, illegal. I urged Dr. Wright and [Director] Adams to hold a public meeting so the board could vote on whether or not to pay the ransom.”

On December 5, a public meeting was held. With six members voting in favor, the board passed a controversial plan to pay a $250,000 ransom in order to resolve the issue. Three members voted against the plan: Noland, Michael Mason, and Vicky Hatter. It remains unclear whether the money will be coming from an insurance plan or the district’s own budget and in what form the payment will be transferred to the perpetrators of the attack.

“My main concern was that we are dealing with criminals, and there is no guarantee that, once we paid the money, they would uphold their end of the bargain by returning or destroying our data,” Noland said. “The FBI has also issued guidance advising victims of cyber attacks not to pay the ransom because paying encourages more attacks.”

Some teachers expressed understanding but were also frustrated by the issue.

 “I felt like it was probably the only decision they could have made,” Jamie Howe, an AP Language and Composition teacher, said. “My husband works in IT security, and I’ve heard him talk about this for years. There’s not much you can do if you don’t have solid backups. It makes me wonder if our IT is funded in the way it should be in order to keep up with threats.”

Howe says her inability to enter attendance and transfer grades from Schoology made her job more difficult. These issues also affected students as semester exams begin.

“All my teachers complain about not being able to put in grades and that honestly affects me a lot,” junior Cameron Green said. “Because if I don’t know what my grade is, I don’t know how much I need to study for that class for the exam.”

There are still many unanswered questions, including whose data was leaked and how much information the hackers gained access to. The district has promised to share details as soon as possible but has not said how long the process will take.

“Once this cyber security issue is resolved, we will be able to provide more information and notify individuals whose data may have been stolen from our system and provide those individuals with the appropriate monitoring and protection resources necessary,” Superintendent Wright said in an email sent to all LRSD employees. 

If anything, this incident has sparked critical conversation about privacy and security online, leading those such as social studies teacher Adam Kirby to embrace the inevitability of situations like this one in the years to come. 

“I think it would be great if my privacy could be protected. But it is a trade off that we make when we live in an online world,” Kirby said.