Situation:
A small, private performing arts school in the Northeast was the victim of a ransomware attack originating in Russia/Eastern Europe, using software known as Conti that remains the target of an FBI investigation.
The attackers stole data from a school server that contained personally identifiable information (including social security numbers) of more than 200,000 current and former students and employees as well as applicants of the school. In addition, they took the school’s network offline and demanded millions of dollars to unlock the network and return the missing data.
BMCG was engaged via outside counsel to provide counsel on strategy and communications as they worked through the process, and consequences, of the data breach. As an approved cyber response provider, BMCG’s fees were paid for by the client’s insurance.
Actions / Recommendations:
- Immediately, BMCG helped the school communicate with students and employees about the network outage, with the goal of alleviating concern by providing needed information without alarming the community about the broader risk.
- Once the cyber experts were able to negotiate a deal to retrieve the data, BMCG created a communications/roll-out plan to accomplish the following:
  - Demonstrate that steps were taken to immediately address the situation and that the school was organized and thorough in its response throughout
  - Retain confidence of key stakeholders by accepting responsibility and being as open as possible
  - Respond quickly and effectively to any misinformation
- BMCG drafted all materials including a community letter, talking points, FAQs, Hard Qs, content for a microsite, and guidance for incoming calls from concerned stakeholders.
- Additionally, BMCG helped the school highlight all of the IT security improvements it had made and was continuing to make, including creating a more robust data retention plan.
Results:
When the breach was announced, there were critical calls, particularly from former applicants, but those calls were primarily from individuals not associated with the school. The community email showed compassion and remorse and accepted responsibility, so that stakeholders, while concerned, gave the school the benefit of the doubt that it had done everything it should. With the forward-looking announcement, the school was able to commit to making more IT infrastructure improvements.