Cyber Incident Victim: Lebanon School District
Date: Jun 2023
Location: United States of America
Summary
The Lebanon School District was hit by a sophisticated ransomware attack, prompting an immediate response. The district engaged outside cybersecurity experts, took systems like payroll and student databases offline as a precaution, and notified law enforcement. The ongoing investigation has not yet found evidence that personal information was acquired or misused. The district is reviewing its processes to bolster its existing data security program following the incident.
Description
On or around June 15, 2023, the Lebanon School District experienced a ransomware attack. The district’s outgoing Superintendent, Joanne Roberts, confirmed the incident. Upon discovery, the district immediately engaged outside cybersecurity experts to assist in securing its systems and to conduct an investigation into the nature and scope of the attack. As a precautionary containment measure, the district proactively shut down several critical systems to prevent further spread or damage. These systems included payroll operations and PowerSchool, a database platform essential for managing student information and records.

The investigation into the attack remained ongoing at the time of reporting. Preliminary findings indicated that, despite the intrusion, there was no evidence discovered of unauthorized acquisition or misuse of personal information belonging to students or staff. The district acknowledged that while it maintains a robust data security program with safeguards designed to mitigate such risks, ransomware attacks are increasingly sophisticated and have targeted organizations across numerous sectors, including education. The Lebanon School District serves approximately 1,600 students and employs 360 staff members, all of whom were potentially affected by the system disruptions.

The district followed a comprehensive response protocol by notifying a wide range of parties about the security incident. Notifications were made to district staff, parents of students, and the district’s insurance carrier. The incident was also formally reported to the U.S. Department of Education and to local and federal law enforcement agencies. The Lebanon Police Department’s cyber crimes unit, supervised by Lt. Richard Norris, became involved in the investigation. Norris confirmed his unit was working directly with the school district and its insurance carrier to investigate the attack.

Lt. Norris provided additional details regarding the attackers' actions, noting that an initial demand letter had been issued by the threat actors. This initial communication did not request any monetary payment. To the knowledge of law enforcement, a subsequent demand letter containing a ransom request had not been received at the time of their reporting. The police department actively monitored the dark web for any evidence that data exfiltrated during the attack was being published or otherwise misused, with a commitment to notify the school district immediately if such evidence was discovered. Norris stated that it is very common in these types of attacks for information to have been removed from the compromised system, indicating a strong possibility that data exfiltration had occurred.

The immediate impact of the incident was operational disruption caused by the preemptive shutdown of key systems. The disabling of the PowerSchool system affected access to student information management, while the payroll system outage impacted financial operations. The district committed to providing ongoing updates to the community as the investigation progressed. In the wake of the attack, the district initiated an internal review of its existing processes and procedures to identify opportunities to further bolster its data security program and strengthen its defenses against future cyber threats.

This incident occurred during a leadership transition for the school district. Superintendent Joanne Roberts, who was overseeing the initial response, had her last day in the position on June 30, 2023, after nearly nine years with the district. The incoming superintendent, Amy Allen, formerly an assistant superintendent in the Manchester School District, was scheduled to assume the role on July 1, 2023, inheriting the ongoing management of the incident response and recovery efforts.
