Baltimore County Public Schools failed to act on several state recommendations to help mitigate cyber attacks before a hack disrupted school operations and cost the school system millions of dollars in damages and repairs, according to a report from a state inspector general.
BCPS was hacked through a phishing email in November 2020, an attack that disrupted the school system’s website and remote learning programs for several days, according to the report from the Maryland Office of the Inspector General for Education.
The inspector general’s report found that the initial network compromise occurred 15 days before the network disruption and came in the form of an e-mail.
A teacher flagged the e-mail to the in-house tech support, who forwarded the e-mail to a contracted tech support supervisor, according to the report.
“The OIGE investigation revealed that the contractor mistakenly opened the email with the attachment using their unsecured BCPS email domain account and not in their secured email domain. Consequently, opening the attachment in the unsecured environment served as the catalyst, which delivered the undetected malware into the BCPS IT network,” the report says.
The OIGE report says BCPS did not fully implement several network recommendations from the Maryland Office of Legislative Audits in recent audit reports, including the relocation of publicly accessible database servers and the adequate maintenance of internal network servers. BCPS has implemented an array of new network security measures since the cyber attack, the report says.
The report says the network upgrades and damages from the cyber attack cost BCPS nearly $10 million.
An investigation by the FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is ongoing, the report says.
BCPS did not immediately respond to ABC News’ request for comment.