TUSD’s Cyber Shutdown: Why the district didn’t ramp up security sooner

Published: Apr. 19, 2023 at 7:38 PM MST

TUCSON, Ariz. (13 News) - TUSD leaders called it a “brutal attack” on TUSD’s entire system. The damage was done by “Royal,” a sophisticated group of cybercriminals.

The technology trail of red flags started with a 2018 Auditor General Audit. It reported, “TUSD lacked adequate computer controls that increased the risk of unauthorized access to sensitive information and data loss.”

The audit also found that TUSD “lacked a contingency plan,” meaning a Disaster Recovery Plan to follow if the system failed. However, the district reported it would fix the issues.

Two years later in 2020, a follow-up audit showed all of it had been taken care of.

COO Blaine Young said the district had a plan.

“It is our job as the technology professionals and the leaders of technology in this district to determine the pace and sequence that we can move on these things,” said Young.

The district followed up with internal audits in 2021 and 2022.

The auditors discovered that in both years “No written Disaster Recovery Plan” or “Business Continuity Plan” existed districtwide and no policies were in place.

13 News Investigates asked Technical Services Director Rabih Hamadeh to explain.

Hamadeh said, “Yeah, we do have a disaster recovery plan that we used for the cyberattack.”

The district assured the auditors that it was practicing and testing its Disaster Recovery Plan.

13 News Investigates also discovered another audit in 2021, a state-mandated Financial Audit designed to identify any internal control deficiencies.

However, it raised another red flag.

The audit revealed the district had an issue monitoring, reviewing and addressing IT system reports that identify security threats.

The district had a 5-year capital plan to enhance security measures that included moving the critical systems to the cloud “at a pace that the district can afford to do it,” said Young.

The district moved at its own pace despite warnings from the feds to tighten security because sophisticated cybercriminals have been targeting the education sector.

In January, Royal slipped right in, putting TUSD’s plan to the test.

Young said, “We invoked the plan and that plan served as our guide.”

“We followed it step, by step, by step,” said Hamadeh. These two leaders quickly learned the hackers out-skilled them.

Some cybersecurity defenses had been outdated or missing.

Hamadeh said, “This has been a true disaster, what happened to us on January 30th. You’re dealing with professionals who know what they’re doing.”

Royal stole sensitive data and it took the district 10 days to recover.

Cybersecurity expert Victor Wieczorek of GuidePoint Security said, “The devil’s in the details. Being able to recover in a day is not unheard of, but the key there is to practice that recovery.”

The district had been caught off guard.

“Let’s be a little humble here. We can always get better. We can always learn from our mistakes,” said Hamadeh.

The district has been scrambling to speed up the pace and sequence.

Young said, “So we had to move at a much more rapid pace of moving systems to the cloud that would have been moved over about the next 18 months to 2 years.”