Judson Independent School District paid a ransom of more than $500,000 to hackers who crippled the district’s information technology systems for a month and threatened to publish “sensitive, identifiable information” on the dark web, the district announced Wednesday.
Judson ISD restored its phone and email systems late last month after paying the ransom, but district officials did not disclose the amount until Wednesday. The district made an electronic payment on June 29, according to documents obtained via an open records request.
“While these are funds that we would have rather spent on the needs of our employees, students and their families, there was no other choice for the district to ensure your safety — our number one priority,” the district stated in a message on its website.
It is still unclear what information was affected and what steps staff, students, and families should take to ensure their personal information remains safe and secure, the message states.
Judson ISD officials did not respond to requests for comment.
On June 17, the district of about 24,000 students and 3,200 staff members lost access to information technology systems, including phone and email. Judson ISD hired a cybersecurity company, BlueVoyant, last month to help resolve the cyberattack and contacted law enforcement officials.
Judson’s schools resume classes on Aug. 16.
Ransomware attacks are “one of, if not the most common, attacks impacting organizations” today, said Greg White, University of Texas at San Antonio computer science professor and Center for Infrastructure Assurance and Security director, in an email.
While there are many safeguards organizations can put in place to protect their information, they have two choices once hackers have obtained data that can be used for identity theft purposes, White said. Organizations can either pay the ransom or pay for several years of credit monitoring services for people whose information has been compromised. The first option requires trusting hackers not to release the information they stole, and there is no guarantee they will honor the ransom agreement.
“If the number of individuals whose information has been lost is large, it unfortunately may be the case that the amount demanded in ransom will be less than what would be required to help protect from identity theft,” White said.
To protect information, organizations should implement a “robust backup policy that includes offsite storage of files,” White said. This backup system would allow entities to restore information without paying a ransom, but this strategy will not prevent hackers from gaining access to information that can be used for identity theft purposes. White said organizations should encrypt sensitive information, especially spreadsheets that contain personal data, and consider cybersecurity insurance.