Cyber Incident Victim: Cedar Rapids Community School District

The Cedar Rapids Community School District (CRCSD) identified a cybersecurity incident on July 2, 2022, prompting an immediate district-wide closure and suspension of summer activities through July 8. Summer programming, including field trips, was canceled, affecting over 750 enrolled students, though high school baseball and softball games proceeded as scheduled. The district announced plans to resume regular operations by July 11. CRCSD engaged third-party cybersecurity experts and internal IT staff to investigate the breach, restore systems, and implement preventive measures. While initial communications did not disclose the attack’s nature or specific systems compromised, subsequent updates confirmed it involved unauthorized access to sensitive employee data.

Superintendent Noreen Bush confirmed in a letter to parents that CRCSD paid an undisclosed ransom to a third-party entity after consulting cybersecurity and legal advisors, aiming to prevent the release of accessed information. The compromised data included employees’ full names, Social Security numbers, driver’s license numbers, bank account and routing numbers, and medical details such as diagnoses, treatment records, and health insurance information. The district offered affected employees one year of complimentary credit monitoring services. Concurrently, the nearby Linn-Mar Community School District experienced a separate system disruption in early August 2022 but did not confirm whether it constituted a cyberattack or involved data theft. Cybersecurity experts noted schools’ frequent vulnerability due to limited funding for robust defenses, with national reports indicating 1,331 K-12 cybersecurity incidents since 2016 and ransomware costs exceeding $3.56 billion in 2021. The incident underscored operational disruptions, recovery expenses, and the diversion of resources from educational priorities during critical preparation periods for the academic year.