The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

A 2020 ransomware attack is still harming Baltimore teachers

Welcome to The Cybersecurity 202! RIP to Liz Sheridan and Estelle Harris, who played Jerry and George's mothers on “Seinfeld” and contributed to some of the show's greatest episodes.

Below: Ukraine's IT Army is identifying killed Russian soldiers with facial recognition and contacting their families, and NATO's prepping the globe's largest annual cyber exercise. 

Sixteen months later, Baltimore County schools are still dealing with fallout from a cyber attack

A major ransomware attack hit the Baltimore County school system in November 2020, and retired teachers are still suffering its effects.

Those retirees have been unable to change their medical insurance payments for more than a year since the attacks — even when they change policies. 

That means the district owes some retirees thousands of dollars for benefits they’re paying for but not receiving. Others are underpaying and will one day have hefty bills coming due.

The glitch, which affects up to 9,000 retirees, is one of the longest-lasting effects of the devastating ransomware attack that cost the district roughly $10 million in recovery costs. Because the district declined to pay the ransom hackers demanded to unlock its computer systems, it lost access to large portions of its data. 

The district hired a contractor who built a database of over and under payments and expects to have the problems sorted out by May 1, according to letters to retirees the district shared with me. But retirees say they’ve struggled to get answers to basic questions from the district and doubt the problems will be fixed on time.

The story highlights the large number of individuals bearing the collateral damage for thousands of ransomware attacks that have hit local governments, school systems and businesses in recent years. The damage can continue long after the hacking gangs have moved on to other targets. 

The problems caused by the Baltimore attack are particularly onerous. For example:

  • Because many retirees have moved out of state or aren’t in contact with the district, some may not even know that they’re being overcharged or undercharged. That means retirees on fixed incomes may face bills they can’t afford to pay.
  • Some retirees are still making insurance payments for spouses who have died.

“The emails I get express frustration and anger,” Angela Leitzer, chairperson for TABCO-R, a division of the Baltimore County teachers union for retirees, told me. “People are worried they’ll be stuck with a big bill that they won’t be able to pay. … Extra money being taken out may be affecting their quality of life right now.”

Leitzer followed up by email later: “I realized that the answer to your question about how retirees are feeling about all of these problems is lack of trust,” she wrote. “It is difficult for them to believe in the school system in any way at this point.”

Owed money

In some cases, retired teachers are owed thousands of dollars.

Retiree Susan Allen told the local Fox TV station that she switched to a cheaper benefits package specifically to have extra spending money. More than a year later, she’s still not getting that extra cash and the district owes her about $4,000, she said.

“The frustrating part is the lack of transparency and the lack of definitive answers to our questions,” another retired teacher and TABCO-R member, Ed Kitlowski, told me. “This has been going on for a while and everyone is living with financial anxiety.”

BCPS spokesman Charles Herndon told me by email that the district has “greatly recovered from the attack, which profoundly impacted our financial operations including those affecting retiree benefits” and that the district’s “goal is to resolve these issues as soon as possible.”

Leitzer has received a slew of emails from members of her organization laying out their concerns.

  • Because benefit payments are difficult to parse and payments for multiple benefits are all lumped together, most retirees didn’t become aware of the incorrect payments until roughly a year after the ransomware attack — meaning the amount they owed or were owed by the district was already substantial.
  • The union division for retirees only began getting calls and emails about the discrepancies in January this year, Leitzer told me.

Several retirees also fear they’ve become targets for hackers and scammers because of information compromised during the attack, she said. 

While that’s certainly possible, most people’s personal information has been compromised in numerous breaches, so it’s notoriously difficult to tie nefarious uses of their personal information to a particular breach.

From Herndon: “There has been no evidence that any personal information of either current or former employees or retirees was compromised or accessed, and that remains the case today. Following the ransomware attack in November 2020, BCPS has offered free credit monitoring to employees, including our retirees.”

Most importantly, retirees are frustrated that the process is still dragging on.

“At this point, a lot of promises have been made, but no one’s yet received a check refunding their money,” Leitzer told me. “No one’s received a bill saying, ‘this is what you owe.’ ” 

The keys

Ukraine’s IT Army is contacting mothers of dead Russian soldiers identified through facial recognition

Ukrainian officials have run more than 8,600 facial recognition searches on dead or captured Russian soldiers, Drew Harwell reports. Ukraine’s IT Army, a volunteer force of activists and hackers, says it has used those identifications to tell the families of 582 Russians that they had died. They have even sent some family members pictures of the soldiers' corpses.

  • Some Ukrainians say this use of face-scanning software is an effective way of cracking through Russian state censorship to tell citizens about the war’s human costs. 
  • But the technology is also raising questions about the effectiveness of such a strategy and even the future of war. 

“If it were Russian soldiers doing this with Ukrainian mothers, we might say, ‘Oh, my God, that’s barbaric,’ ” surveillance researcher Stephanie Hare said. “And is it actually working? Or is it making them say: ‘Look at these lawless, cruel Ukrainians, doing this to our boys?’ ”

NATO members prepping ‘live fire’ cyber defense exercise

The NATO event dubbed “Locked Shields” is the largest annual cyber training event in the world. Similar events, which basically take the military concept of training exercises and move them to the cyber domain, are held by individual governments and militaries. Locked Shields will test how both military and civilian governments can cooperate during a major cyber assault.

The training exercise, which will run Tuesday through Friday, will draw on real world events, the organizers said — but using fictitious names and scenarios. The training comes as NATO nations are on high alert for potential Russian cyberattacks related to its invasion of Ukraine. 

“According to the scenario, a fictional island country, Berylia, is experiencing a deteriorating security situation,” the organizers said in a news release. “A number of hostile events have coincided with coordinated cyberattacks against Berylian major military and civilian IT systems.”

The event is hosted by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. Ukraine recently joined the center even though it is not a NATO member. 

North Korean hackers stole more than $600 million from a video game, U.S. says

U.S. authorities blamed the North Korean government hacking gang known as the Lazarus Group for the breach, Aaron reports.

The hackers went after the video game Axie Infinity’s underlying blockchain. At the time of the heist, their haul was worth around $625 million, making it one of the largest cryptothefts to date.

The United Nations has accused Pyongyang of targeting cryptocurrency exchanges and related sites to fund its nuclear and ballistic missile ambitions amid crippling international sanctions. The U.S. government has previously sanctioned the Lazarus Group and has said it was responsible for the 2014 hacking of Sony Pictures Entertainment.

Chat room

CISA Director Jen Easterly, Dragos CEO Rob Lee and Silverado Policy Accelerator chairman Dmitri Alperovitch among others participated in a “60 Minutes” segment on cybersecurity risks amid the war in Ukraine and recent warnings about targeting of industrial systems.

Global cyberspace

Russia’s propaganda machine takes another hit (Politico Europe)

Malawi police accused of hacking website of investigative media organization (Voice of America)

Cyber insecurity

Ransomware groups go after a new target: Russian organizations (The Record)

How Cryptocurrency Gave Birth to the Ransomware Epidemic (Motherboard)

Industry report

British Encryption Startup Arqit Overstates Its Prospects, Former Staff and Others Say (Wall Street Journal)


  • The Joint Service Academy Cybersecurity Summit kicks off at 10:30 a.m. Wednesday.
  • The Atlantic Council hosts an event on recently discovered malware targeting industrial control systems at 9:30 a.m. Friday.

Secure log off

Thanks for reading. See you tomorrow.