TUSD’s Cyber Shutdown: Staffers share experience in classroom; district explains mistakes made

Published: Apr. 12, 2023 at 7:40 PM MST|Updated: Apr. 13, 2023 at 10:54 AM MST

TUCSON, Ariz. (13 News) - The Tucson Unified School District is still recovering from a ransomware attack that crippled operations for nearly two weeks.

13 News Investigates is taking an in-depth look at the situation and will take you through what we’ve discovered about the lessons the education system has learned.

13 News Investigates obtained documents and talked to cybersecurity experts, education officials and the district. We are not disclosing the identity of the educators, who fear retaliation by the district for describing the experience in the classrooms.

On Monday, Jan. 30, a ransomware notification was received in schools throughout the district.

A message arrived through the printers stating, “Hello, if you are reading this, it means that your system(s) were hit by Royal,” and the entire system shut down.

TUSD insiders shared their experiences inside the classrooms on the day of the ransomware attack. A staffer said, “People didn’t know what was going on.”

The meltdown spanned the spectrum from tutors to teachers.

The staffer said, “People were frustrated. They were worried.”

Many teachers plan ahead using a lot of technology, so when that day hit, another staffer said, “It was like, ‘What do we do now?’ You couldn’t access your OneDrive where teachers keep all their stuff.”

Staffers told 13 News Investigates that many veteran teachers reverted to old-school ways, while newer teachers who’ve relied heavily on technology struggled to pivot.

A staffer said, “They couldn’t access their lessons, their assignments or directions to kids because they weren’t allowed to.”

The staff was not allowed to communicate through email.

The debilitating breach was described later by Technical Services Executive Director Rabih Hamadeh during a February board meeting.

He said, “The first day was absorbing the shock of what happened and trying to figure out the scope of the infiltration and the damage.”

The district discovered it had been “brutally attacked” by, as COO Blaine Young told the board, “folks with very well bad intentions to hurt our district.”

Cybersecurity experts say these hackers are relentless.

Victor Wieczorek of Guidepost Security said, “So we are seeing a growing trend in these threat actors targeting the education sector specifically.”

He explained attacks ramped up during the pandemic as schools moved to remote learning. Cyber experts report education is now in the top two most targeted sectors and ransomware is the number one threat.

Guidepost Security tracked data showing 18 ransomware attacks in the education sector in January of this year alone.

Wieczorek said, “They’re having a lot of success, unfortunately with K-12 institutions who have not prioritized cybersecurity in years past. Despite all of the guidance and legislation that’s been coming down through the pandemic.”

Was that the case for TUSD?

The feds and cybersecurity operations sent out more warnings, reports and recommendations. The district says it did not make it a high enough priority.

Hamadeh told 13 News Investigates, “Let’s be a little bit humble here. We can always get better. We can always learn from our mistakes. I’m still a student of technology and I’m still learning.”

Warnings have emerged about the risks of ransomware, specifically ransomware used by sophisticated hackers like Royal.

This report by the feds details how Royal hijacks systems.

Hamadeh said, “Because those cyber professionals are really professionals and they’re really good, we’re ramping up the training for our technicians as well, to be cyber experts at a level of 2023, not at a level of 2018, 2019, because this has been a true disaster of what happened to us on January 30th.”

According to the district, it is a disaster that requires a long and grueling road to recovery.