“The school system has not been locked down as it should have been,” said the police chief.
Leominster Public Schools were misled when they learned of the extortion payment to recover their stolen data and emails.
School superintendent Paula Deacon sought advice from Acting Leominster Police Chief Michael Goldman.
“I told him what I know: there are three ways to handle cybersecurity,” Goldman told ABC News. “First, don’t get hacked with proper protection. If you get hacked, restore with uninfected backups.”
“It happened and the school system was not locked down as it should have been,” he said. “There are a lot of systems that have been subjected to this.”
The ransomware was first released a year ago. It takes all IT assets hostage until a ransom is delivered or the files are eradicated. So far, “WannaCry” has infected hundreds of thousands of computer systems in over 150 countries.
The hackers holding the Leominster school system’s data, the chief recalled, issued an ultimatum to the school: “If you want to get your data back, you pay.”
More than a week after being strong-armed by cyber hackers, Deacon admitted in a statement that a “lock” that had been placed on the school system was removed after “a negotiated ransom was agreed”.
She wrote that the system was “paying through a bitcoin system” and was now waiting for the system to be “fully restored”.
Most of the keys were returned to the school on Tuesday, Goldman said.
These kinds of issues are “beyond law enforcement,” Goldman explained. While the FBI was made aware, as was the school’s IT provider, there was no viable option other than to pay, he added.
“They should have wiped out the servers and rebuilt them from the start,” Goldman said. “The cost to do so would have exceeded the ransom.”
Goldman explained that the incident was not necessarily a direct attack on Leominster, but targeted all systems – especially outdated software used by some municipalities and businesses – with vulnerabilities that could be exploited.
However, Deacon’s giving in to the hackers’ demands angered some in the community, who learned that their taxpayer money had been used to pay the ransom.
“It’s unpleasant, and it’s upsetting with some dismay in the community that the school shouldn’t be using the funds in this way,” Goldman said. “These are people who are not educated in this sort of thing.”
Yet Goldman bluntly recounted what he told school and city administrators about learning from the cyber error.
“You got caught with your pants down,” he said. “Pull them up and put on a new belt. Pay it off, which they did, and put safeguards in place to reduce liability.”
In fact, Goldman says he’s convinced that the steps Leominster Public Schools has taken to help limit its liability in the event of another attack are sufficient.