Cyber Incident Victim: Sabineschools
Date: Jul 2019
Location: United States of America
Summary
A state of emergency was declared in Louisiana following ransomware attacks impacting multiple public school districts, including Sabine, resulting in significant operational disruptions and data loss. One district lost all server-housed information, including decades of personal and institutional documents, while another maintained critical functions like payroll. The emergency declaration mobilized National Guard cybersecurity resources and froze prices for goods and services to prevent exploitation during recovery efforts. This incident marked the first activation of the state's Cybersecurity Commission, established to enhance response capabilities against such threats. Investigations revealed anomalous network activity preceding the attacks, though the specific ransomware variant and full extent of data compromise remained undetermined at the time.
Description
In mid-July 2019, ransomware attacks targeted three Louisiana public school districts, prompting Governor John Bel Edwards to declare a statewide emergency on July 17. The Monroe City school district was compromised the preceding week, followed by simultaneous attacks on Sabine and Morehouse parishes. The Sabine Parish attack was detected early Sunday morning when a technology supervisor at Florien High School received a 4am alert regarding abnormal bandwidth consumption. Subsequent investigation confirmed ransomware infiltration into district servers. Florien High School Principal Eddie Jones reported complete loss of all data stored exclusively on district servers, including 17 years of personal documents and operational records. Morehouse Parish experienced comparatively limited disruption, maintaining functionality of critical systems such as payroll despite the attack. No ransomware variant was publicly identified, and authorities did not disclose whether data exfiltration occurred alongside encryption.

Louisiana's emergency declaration mobilized the state's Cybersecurity Commission for the first time since its 2017 establishment, enabling the deployment of National Guard cyber personnel, following the precedent Colorado set in 2018 for ransomware response. The proclamation instituted price controls on goods and services within emergency zones to prevent opportunistic rate hikes by IT contractors during recovery efforts. While state officials emphasized Louisiana's 2017 claims of cybersecurity leadership, the incident's full technical scope (including the number of compromised devices, ransom demands, and the precise extent of data loss) remained undisclosed. Recovery efforts focused on system restoration and infrastructure assessment, with no public attribution to specific threat actors. The coordinated attacks marked one of the earliest instances of statewide emergency powers being invoked for localized ransomware incidents affecting educational institutions.
