Grace Ferguson reports:
When the personal information of students and employees at Fairfax County Public Schools showed up on the dark web in October 2020, the Virginia school district had been in a standoff with hackers for nearly a month.
Even with help from the FBI, Virginia State Police, and a hired cybersecurity firm, the district admitted it couldn’t stop the hacker group known as Maze from making employees’ social security numbers available to the public.
But details of how the attack happened, and how much it ultimately cost taxpayers, are shrouded in secrecy. Fairfax County Public Schools has ignored a public records request the Daily Dot sent nearly two months ago, as well as over half a dozen phone calls and emails about the unacknowledged request, which it is required by law to respond to.
Read more on DailyDot.
I can see how a district might try to exempt revelations about their cybersecurity as it may leave them vulnerable to other attacks, but there is certain information they really should have disclosed under open records laws.
So why hasn’t the Daily Dot filed a freedom of information lawsuit? The Fairfax County Public Schools has been less than transparent on the financial aspects of the breach since the beginning, as this site reiterated in one of our follow-ups on the breach. In fact, the Daily Dot could have usefully gone through this site to find all the reporting on ransomware incidents in school districts and all the requests this site sent for information that were never answered. Those requests and districts’ failure to respond to them would support a lawsuit showing a pattern of denying the public information that should be provided.