Baltimore County schools ignored warnings before 2020 cyberattack, audit finds

The November 2020 ransomware attack began when a contractor mistakenly opened a malicious attachment, an audit found.
school hallway lined by lockers
(Getty Images)

Weak security procedures and failure to adopt IT recommendations over the years made Baltimore County Public Schools more susceptible to a November 2020 ransomware attack that has cost the district nearly $10 million in recovery and upgrade expenses, according to a report published Monday by a state auditor.

In its report on its investigation into the incident — which caused classes to be canceled for several days and left retired teachers unable to access payments well into 2022 — the Maryland Office of the Inspector General for Education found that the district disregarded recommendations about data and network vulnerabilities made in audits dating back to 2008.

In the years leading up to the Nov. 24, 2020 ransomware incident, the Maryland Office of Legislative Audits analyzed Baltimore County schools’ IT three times, with two of those inspections — including one delivered just five days before the payload went off — revealing that the district’s database servers were accessible to the public.

The district’s network was infiltrated 15 days before the attack, when a school employee received an email claiming to be from a college official and containing an attachment designed to appear as an invoice, the inspector general found. The school employee attempted to open the attachment, and when it did not, that person called in a Baltimore County Public Schools tech liaison — a fellow employee with basic IT knowledge, tasked with helping colleagues with simple tech requests in order to ease the burden on the districtwide technology staff.


The liaison suspected the email was malicious and forwarded it to a cybersecurity contractor. The contractor proceeded to mistakenly open the attachment using an unsecured, school-issued email address — rather than their own secured email domain — which sent the malware rippling across the BCPS system, where it remained undetected until it encrypted data and disabled computers.

“This delay allowed the malware to disable systematically critical functions within the BCPS network that could have prevented the malware from facilitating its attack,” the report reads.

The inspector general found that BCPS’ technology and cybersecurity staff took “immediate action” once it was evident the network was compromised. And in the two years since, the district has made several of the long-overdue changes that had been urged in previous audits, including moving its databases into an encrypted cloud environment, implementing multi-factor authentication for all employee accounts and upgrading firewall and antivirus tools. The district has also moved “all essential network functions” to cloud hosting and is installing software patches regularly, the report reads.

Still, it’s been a costly road for the 111,000-student district, which has spent $9.7 million on recoveries and upgrades, though inspector general said the upgrades have also shaved about $1 million off BCPS’ prior IT spending.

Shortly after the Office of the Inspector General for Education issued its report Monday, BCPS Superintendent Darryl Williams announced he would not seek an additional four-year contract. Williams’ statement did not mention the cyberattack.


The November 2020 ransomware incident also remains under investigation by state and federal authorities. The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday published a congressionally mandated review of K-12 cybersecurity, laying out a roadmap for schools to improve their network defenses.

Latest Podcasts