Cyber Incident Victim: Fauquier County Public Schools
Date: Sep 2023
Location: United States of America
Summary
Fauquier County Public Schools suffered a ransomware attack attributed to the LockBit gang. The district engaged cybersecurity experts and law enforcement, remaining fully operational. While initial reports stated no personal information was compromised, a later breach notification revealed the personal data of nearly 14,000 individuals was acquired. Identity theft protection services were offered to those affected.
Description
On September 12, 2023, Fauquier County Public Schools, a school district operating 20 elementary, middle, and high schools for more than 11,200 students in Virginia, suffered a ransomware attack. The district, located approximately an hour from Washington, D.C., confirmed the incident and stated it immediately engaged cybersecurity experts and notified the appropriate law enforcement agencies upon discovery. An internal investigation was launched, and an incident response team that included some of the country’s leading cybersecurity experts was created to manage the situation. Despite the severity of the attack, the impact was described as minimal, and the district remained fully operational, with classrooms staying open. The district expressed gratitude to its teachers and staff for remaining focused on student education during the event. At the time of the initial statement, the district did not believe any personal student or staff information had been compromised, presenting an optimistic outlook on the data's security.

The notorious LockBit ransomware gang, a Russian-affiliated group known as the most prolific ransomware operation as of September 2023, subsequently claimed responsibility for the attack. The gang announced its involvement on Sunday, October 1, 2023, through its dark web leak site. In its post, LockBit gave the school district a deadline of October 19, 2023, to pay an undisclosed ransom. The threat implied that if the ransom was not paid by the specified date, the data allegedly stolen from the school district's systems would be published or sold. The school district did not respond to requests for comment regarding what specific information might have been taken or whether it intended to pay the ransom demanded by the attackers. This public claim by the ransomware group stood in contrast to the school's initial assessment that no data was compromised.
Official breach notification filings with state authorities, however, later confirmed that personal data was indeed acquired during the incident. A data breach notification was submitted to the Office of the Maine Attorney General, as the breach affected two residents of that state. The filing, submitted by outside counsel for the school district, provided detailed information about the scope and nature of the breach. It stated that the breach was an external system breach, specifically categorized as a ransomware attack. The filing identified September 9, 2023, as the date the breach occurred, three days before September 12, 2023, the date the district publicly stated it discovered the incident. This discrepancy indicates the attack began prior to its detection.
The total number of persons affected by the data breach was reported to be 13,919 individuals. This figure significantly exceeds the district's total student population of 11,200, indicating that the compromised data included information on staff, former students, or other individuals associated with the school system. The information acquired in the breach included names or other personal identifiers in combination with other sensitive data, though the specific types of accompanying data were not detailed in the public filing. The scale of this data loss confirms that the LockBit gang did successfully exfiltrate a substantial amount of personal information, contradicting the school district's initial public statement that no data was believed to be compromised.
The method of consumer notification for affected individuals was planned to be written notice. The date scheduled for this consumer notification was October 19, 2023, which coincidentally was the same date as the deadline set by the LockBit gang for payment of the ransom. This suggests a coordinated response plan, where the district intended to formally inform victims of the data compromise on the same day the threat of public data release would be realized if no ransom was paid. The school district offered identity theft protection services to the affected individuals. The service provided was Experian IdentityWorks, and it was offered for a duration of two years to help protect the victims from potential fraud and identity theft resulting from the exposure of their personal information.
This incident occurred within a broader context of escalating ransomware attacks targeting educational institutions. Since the beginning of the school year, dozens of K-12 schools and universities have been targeted by ransomware gangs. These groups strategically time their attacks for the beginning and the end of school years, calculating that the immense pressure of opening day, final exams, and graduations will coerce school administrations into paying exorbitant ransoms to quickly restore operations and avoid disruption. Another school district, Prince George's County Public Schools, located about an hour and a half away from Fauquier County, suffered a similar attack on August 15, which crippled the schools’ email and phone lines, demonstrating the regional and widespread nature of this threat.
Over the preceding two months, ransomware gangs had added dozens of K-12 schools to their dedicated leak sites, which are platforms used to threaten victims and publicly release stolen data if ransoms are not paid. This trend was a continuation of attacks from the previous school year, which affected schools across numerous states including Minnesota, Iowa, West Virginia, California, Pennsylvania, New Hampshire, Arizona, and Massachusetts. The consequences for victim schools vary widely; some face days-long shutdowns that disrupt education, while others, like Fauquier County Public Schools, manage to avoid grievous operational impacts and remain open despite the attack. The outcomes often depend on the preparedness, response capabilities, and resources available to the targeted institution.
The LockBit gang itself operated with near impunity at the time of this attack, maintaining its status as the most dominant and active ransomware group. In the month leading up to and including the attack on the school district, LockBit was responsible for crippling a major hospital network in New York, a city in France, and an electrical organization run by the government of Montreal. This pattern of high-impact attacks against critical infrastructure and public services highlights the significant threat posed by this group and the broader ransomware ecosystem. The targeting of a public school district aligns with their pattern of attacking organizations that are perceived as vulnerable and under pressure to pay quickly to protect sensitive data and maintain essential services.
The incident at Fauquier County Public Schools exemplifies the dual threat of modern ransomware attacks: the encryption of systems to disrupt operations and the theft of sensitive data to extort payment. While the district successfully mitigated the operational disruption, the data exfiltration component had serious consequences for the privacy of nearly 14,000 individuals. The delay between the breach's occurrence on September 9 and its discovery on September 12 provided the attackers with a window to access and copy data from the network. The subsequent timeline, from the official discovery on September 12 to LockBit's public claim on October 1 and the planned consumer notification on October 19, outlines a typical incident response and extortion timeline faced by victims of such attacks. The offering of credit monitoring services is a standard remedial action taken to mitigate the harm to affected individuals whose personal information has been exposed in a cybersecurity breach.
