Cyber Incident Victim: Baltimore City Public Schools
Date: Feb 2025
Location: United States of America
Summary
Baltimore City Public Schools experienced a cybersecurity incident impacting certain IT systems, leading to unauthorized access to documents containing personal information of some current and former personnel, volunteers, contractors, and a small subset of students. The organization engaged law enforcement and cybersecurity experts, implemented system security measures including endpoint detection software and password resets, and notified affected individuals with offers of complimentary credit monitoring services. Additional safeguards were introduced to strengthen defenses against future threats following a forensic audit.
Description
On February 13, 2025, Baltimore City Public Schools detected unauthorized access to certain IT systems within its network, triggering an immediate response that included notifying law enforcement agencies. The district initiated an internal investigation while working to secure affected systems. Forensic analysis conducted with external cybersecurity experts and law enforcement determined criminal actors potentially accessed documents containing sensitive information. The compromised data involved personal details of current and former employees, volunteers, and contractors, along with files pertaining to fewer than 1.5% of the student population. While the investigation confirmed data exposure, specific technical details about the attack vector, duration of unauthorized access, or exact data extraction methods were not publicly disclosed. The district maintained operations during the investigation through unaffected systems while forensic teams worked to contain the breach.

Baltimore City Public Schools began mailing notification letters to impacted individuals on April 22, 2025 – approximately ten weeks after detecting the incident – providing details about the compromised information and offering complimentary credit monitoring services. The district established a dedicated call center to assist affected parties with enrollment in mitigation services and inquiries about the breach. In response to the incident, administrators implemented multiple cybersecurity upgrades including enterprise-wide deployment of endpoint detection and response software and mandatory password resets across all accounts. The district committed to ongoing evaluation of existing security protocols based on findings from the forensic audit, though specific vulnerabilities exploited in the attack were not detailed publicly. No evidence emerged suggesting misuse of compromised data prior to notification, though the district acknowledged potential risks of identity theft and fraud for affected individuals in regulatory disclosures.
