Update of March 12: After this story appeared on March 9, DataBreaches.net received a call from Superintendent Bradshaw, who had been out of town when my email had arrived. This story has been updated – and corrected occasionally – to incorporate his answers.
If students are at risk of significant emotional damage because highly sensitive information has been hacked and held for an extortion payment, should a school district pay or not? And if they do pay, should they admit that publicly? Last year, Columbia Falls Schools in Montana found themselves caught in the middle between hackers’ threats and pressure not to cave in to extortionists.
When the hackers known as TheDarkOverlord (TDO) attacked a small school district in Montana last September, the story did not initially make national news. Most people had probably never even heard of School District Six or Columbia Falls Schools, a district that has two elementary schools, one junior high school, and one high school to cover 2,400 students in a large area of northern Flathead County, Montana.
But as more details emerged, it became clear that this attack was exponentially more frightening than any of the hackers’ previously known attacks. Without being anywhere near their target physically, TDO had managed to instill terror in a community by sending out personalized threat messages to parents and students as well as district administrators. Threats of violence were punctuated with phrases such as “blood splattering the hallways.”
[Note: DataBreaches.net refers to TDO in the plural because it appears that there is more than one individual involved as part of a collective.]
As fear spread to other schools in the area, more and more schools decided to close while the threats were evaluated and investigated. Within a matter of days, more than 15,000 students in more than 30 public and private schools and one community college were told their schools were closed.
Adding to the community’s fear, the hackers – who seem to relish being referred to as “savages” – had let it be known that they had managed to gain access to the school’s security cameras and were able to watch what was going on.
It came as no surprise to read that even the Superintentent of Columbia Falls Schools had been terrified. Steve Bradshaw told the Flathead Beacon:
“In all honesty, it’s the first time in my career that I’ve ever moved a gun to my bedroom,” Bradshaw, the Columbia Falls school superintendent, said.
Although parents and school personnel did not know it at first, the risk of actual physical violence to the parents and students was slim to nonexistent. Not only is TDO not in the Montana area as far as anyone in law enforcement knows, there is nothing in their known history that would predict that they would actually commit violence with their own hands.
But there was still a significant risk of harm that could not be ignored. If the district did not pay TDO’s extortion demand, would TDO release or dump highly sensitive data that they claimed that they had acquired from counseling and school health records? Could they name and shame or expose a vulnerable student in such a way that it might lead a vulnerable student to commit violence or suicide?
Based on my past interviews with these hackers, I could not rule out that possibility. It was a possibility that kept me up nights, worrying.
Thankfully, there was no tragedy in Columbia Falls last year. I was relieved, but I also wondered why TDO hadn’t dumped data or taken any other harsh measures. Had they had a change of heart (unlikely but not impossible)? Had the district paid their extortion demand? Or was there some other explanation for their lack of punitive response?
I could find no news reports indicating that the district had made any extortion payment. To the contrary, a report by NBC in November quoted Superintendent Bradshaw as saying that Columbia Falls had decided not to pay the extortion. One week earlier, Bradshaw had also told another news outlet that the district had declined to pay the ransom.
What Bradshaw didn’t tell either news outlet – because he did not know, it now appears – was that weeks earlier, a partial payment had been made to the hackers through an intermediary. The payment was certainly not as much as the hackers had demanded, but DataBreaches.net can now reveal that there was a payment and some details about it.
A “Test” Payment
By agreement with TDO, DataBreaches.net will not be revealing the bitcoin address used for payment, but TDO gave this site the address and then signed a message from it that this site was able to verify.
Of course, the address by itself does not prove who made a payment to it or for what purpose, but TDO also provided this site with digitally signed emails (DKIM) with headers and paths. The email chain revealed that Superintendent Bradshaw and someone claiming to be from the Flathead County Sheriff’s Office had been in email communication and negotiations with TDO.
On September 21, for example, Superintendent Bradshaw had emailed TDO:
We request that the Flathead County Sheriff’s Office continue to negotiate on our behalf as our agent. The email address for all communications is [redacted by DataBreaches.net]. Option 3 seems the best. We are a small community with limited resource we need to discuss amounts.
The “Option 3,” reference was to the third option outlined in TDO’s ransom letter to the District. Instead of paying $150,000 in BTC over the course of a year, the District could get a discounted rate of $75,000 if they paid it all in BTC by 2017-10-20 23:59 UTC.
Some of the emails I was provided were signed by “FCSO” (for the Flathead County Sheriff’s Office). Whoever was writing emails signed by FCSO never signed their emails as anything other than “FCSO,” and DataBreaches.net does not know the identity of the participant from the sheriff’s office. Indeed, this site has no real proof that the person signing emails as FCSO was actually employed by FCSO. For all this site knows, it could have been a federal agent.
In any event, “FCSO” subsequently introduced a fourth party to the email communications and negotiations. On October 10, “FCSO” emailed TDO:
You will be contacted shortly by email from an individual who will be making this initial payment on our behalf. The email will come from the email address [redacted by DataBreaches.net] and you can consider that they are acting on our behalf. This initial payment will be a smaller amount of $5,000 and is designed to test whether we can send payments to you reliably.
Shortly thereafter, the intermediary established themselves with TDO and then made a payment to that bitcoin address. The BTC payment was slightly more than 1 BTC – an amount that was the then-equivalent of USD $5,000.00.
In a conversation with DataBreaches.net on March 12, Superintendent Bradshaw stated that not only was he not aware that any payment had been made to the wallet, but he had – and still has – no idea who paid the hackers, who the intermediary was, or what the source of the funds was. All he knows, he tells me, is that the district did not pay and its insurer did not pay.
But if TDO anticipated that there would be more to come, they were wrong, because although the October 10th payment went smoothly and TDO confirmed receiving it, the district subsequently appeared to renege on any agreement and declined to pay. In actuality, the district may not have been reneging if they didn’t even know any payment had been made, and the Superintendent claims he was pretty much kept in the dark about how others were responding to the hackers.
DataBreaches.net was not given all of the intervening emails, but an email dated October 23 from “FCSO” to TDO began:
FCSO and SD6 continued to work thoughout the weekend in a good faith effort to me [sic] the demands. We have been unable to overcome mounting pressure from outside sources around the country to discontinue further payments as well as communications. With that said, FCSO will discontinue the monitoring of this account. We recognize the $5,000 we worked diligently to provide you is lower that [sic] your demand.
The monitored account that FCSO referred to was a Gmail account that they had created for this matter.
But who were those outside sources around the country exerting “mounting pressure” on them not to pay and not to communicate? Were they other school districts or school board associations who didn’t want CFSD to encourage TDO to attack districts by rewarding them with ransom payments? Was it insurance companies? How about government agencies?
Based on my conversation with the Superintendent on March 12, it appears that any pressure the Superintendent was feeling was from his own community. The district had held meetings with parents to keep them apprised of the situation and according to Superintendent Bradshaw, the parents were militant about the district not paying ransom. As one parent expressed it at a meeting, “It will be a cold day in Hell before you spend my tax dollars paying these assholes off.”
Questions, But No Answers
As of this updated story, we still do not know for sure who made the payment or the source of the funds to pay the hackers, but Superintendent Bradshaw firmly denied that it was the district or the district’s insurer.
Sheriff Chuck Curry of the FCSO never responded to a voicemail requesting he contact this site to discuss the extortion payment and case, so we could not clarify whether it was really someone from the FCSO emailing TDO, and we do not know whether the county was the source of the $5,000.00 payment.
But should the payment to the hackers have been revealed?
We need to have a serious discussion about what to do in these miserable situations – pay or not pay, but we also need transparency so we can understand how decisions that have been made in the past potentially affected outcomes.
There are those who may raise the issue of whether this site is being gamed by TDO for its own purposes. Of course it is. It is not to TDO’s advantage to have people think that victims can just not pay anything and escape unscathed. I can see why TDO would want to use the media to let the public know that they had received a payment, lest other future victims decide not to pay anything, erroneously thinking that CFSD hadn’t paid anything and nothing bad happened.
But there is also a real story and real issues here that we should address. The U.S. Education Department and FBI have sent out alerts to schools about the need to secure data against attacks, but I harbor little hope that most entities will promptly and effectively secure their data or purge what may be no longer needed.
So assuming that districts still fail to adequately secure personal information, what should districts do the next time someone comes along and hacks extremely sensitive counseling records or health records? Should they pay or not pay? And if they pay, should they disclose that? And if they can’t afford to pay, should the FBI or federal agencies make payments to TDO to protect children from having sensitive files revealed?
These are not easy questions to answer.
On a positive note, however, I am happy to update this story with Superintendent Bradshaw’s comments that the students in the district coped really well with everything that happened to them and they feel safe again in their schools. The parents and school personnel seem to have done a great job of helping the kids feel safe, and the kids are now focused on other issues. As one student put it in talking about the loss of a fellow student to cancer, if they are able to overcome that loss, they can overcome anything, and they live in a great community. It sure sounds like it.