Cyber Incident Victim: Francis Howell School District
Date: Feb 2023
Location: United States of America
Summary
A cyberattack targeting the Francis Howell School District disrupted network systems through malware that encrypted certain infrastructure, prompting temporary remote learning. The district engaged third-party specialists and notified federal law enforcement, though the FBI would neither confirm nor deny its involvement. Safety systems, including building access controls, alarms, and HVAC, were verified as operational, with alternative measures in place, while persistent internet outages continued to affect instruction. The incident fits a regional pattern of attacks on educational institutions and a broader trend of ransomware increasingly affecting schools.
Description
A cyberattack disrupted Francis Howell School District's computer systems, prompting the district to transition all schools to remote learning on Tuesday and Wednesday in February 2023. Superintendent Kenneth Roumpos disclosed the incident in a community message on Wednesday, February 20, attributing the disruption to "unexpected activity" on the district's network. Attackers deployed malware to encrypt specific systems, forcing the district to notify federal law enforcement and engage third-party cybersecurity specialists to investigate the attack’s origins and assess potential data or operational impacts. While the FBI’s St. Louis office declined to confirm or deny involvement, district personnel initiated safety evaluations across critical infrastructure, including key fob access, intercom systems, exterior door communications, fire alarms, and HVAC controls. Despite unresolved internet outages, the district permitted students to return for in-person classes on Thursday, though instructional internet access remained unavailable for the remainder of the week.

The attack required immediate operational adjustments to maintain building security and basic functionality. District staff implemented contingency measures to compensate for disabled network-dependent systems, ensuring physical security protocols remained functional without internet connectivity. Superintendent Roumpos emphasized confidence in these workarounds but did not disclose technical details about the malware's propagation or the full scope of encrypted systems. Francis Howell joined multiple St. Louis-area education networks targeted in recent years, including Rockwood School District's 2021 "data privacy incident" involving file-access restrictions from malware and the University of Missouri’s June 2023 breach by the CLoP ransomware group. A Sophos study cited in district communications underscored broader sector vulnerability, noting 80% of surveyed education providers experienced ransomware attacks, reflecting an accelerating threat trend against schools. No further details about data compromise, ransom demands, or forensic findings were released publicly by the district or investigators.
