On Your Dime: Providence Schools data breach to cost hundreds of thousands of dollars
by TAMARA SACHARCZYK, NBC 10 NEWS
PROVIDENCE, R.I. (WJAR) — The Providence Public Schools data breach that compromised the personal information of thousands of current and former employees, along with students, will cost the district nearly half a million dollars, according to initial estimates.
The district announced in September that an “unauthorized actor” had accessed information from its servers after unusual activity was found.
It was later revealed that the state’s largest school district fell victim to a ransomware attack.
A group called Medusa claimed responsibility for the hack and demanded a $1 million ransom.
The district did not pay the ransom, but contracts obtained by the NBC 10 I-Team show Providence Schools did pay up to recover from the breach.
Providence Schools is expected to spend an estimated $290,000 for credit monitoring for the 12,000 current and former employees whose personal information was compromised.
The district also hired two third-party vendors for hundreds of thousands of to investigate what happened and restore critical services.
Documents obtained by the NBC 10 I-Team show the district hired CrowdStrike on Sept. 19 at the direction of its attorneys, Henneous Carroll Lombardo LLC.
The company charges $450 per consultant, per hour, for Incident Response Services.
The initial estimate for services is $78,000, a combination of the incident triage and tools used.
The amount of money paid to CrowdStrike could rise, as the company charges $500 per physical device, such a removeable hard drive, if the retention period is longer than 90 days.
Virtual evidence, such as system images, could cost the district $25 per gigabyte if stored for longer than 90 days.
Providence Schools also signed a contract with Custom Computer Specialists for an estimated $113,820.
The Lincoln-based company was hired to begin the investigation, perform forensic analysis, help the district report and communicate the breach to law enforcement and other entities, and help build clean networks and configure new firewalls.
The price tag came as a surprise to Providence City Councilor Miguel Sanchez, who is calling for transparency from the district.
“We don’t know a lot of this stuff, that’s why we have been pretty consistent in asking for a budget book, line by line items,” Sanchez said.
Providence Schools waited over a week to notify the public about the data breach.
“No one at PPSD has spoken to the council in any formal way about the data breach,” Sanchez said. “We all represent the people of Providence, our students, our neighbors, so when they come in to ask us questions about this, and we don’t have those answers, it’s definitely very frustrating.”
- NBC 10 I-TEAM: Rhode Island bans standard ambulance diversions
Providence School Superintendent Dr. Javier Montañez declined our request for an interview when we asked where the money is coming from, but in an email, a PPSD spokesperson said the district is reviewing its budget to “determine areas where we can offset this unexpected cost.”
Providence isn’t the only district to get hit by cybercriminals.
Johnson and Wales University Director of Cybersecurity Douglas Tondreau said it happens more often than you’d think.
“It’s happening to many school districts, so they’re not the only ones. Even universities are getting hit by these targets, so I think it’s not an if, it’s really when,” Tondreau said.
Several local cities and towns have been hacked in recent years.
Back in 2019, the computer system at Coventry Public School’s was infected with malware.
Tondreau said districts should invest in cybersecurity measures, but many fail to do so.
“When you do get attacked like that, what that tells me is you have not done the due diligence to make sure you have invested some of those environments,” he said.
The full cost of the cyberattack in Providence won’t be known for months to come.
The district told NBC 10 I-Team it’s closely tracking expenses and will adjust its spending as needed.