In Columbia Falls, A Shaken School District Moves Forward from Cyber Threats

Superintendent: ‘It’s the first time in my career that I’ve ever moved a gun to my bedroom’

By Dillon Tabish
Columbia Falls Police Chief Clint Peters, left, and Steve Bradshaw, Columbia Falls Schools superintendent, address concerns about recent cyber threats during a community meeting on Sept. 18, 2017. Greg Lindstrom | Flathead Beacon

Updated: Oct. 6, Noon

In a career spanning more than 40 years, as a teacher, principal and superintendent across Montana and Alaska, Steve Bradshaw has experienced the gamut of interactions and situations in the world of public education.

But nothing like the situation that played out last month across the Flathead Valley.

“In all honesty, it’s the first time in my career that I’ve ever moved a gun to my bedroom,” Bradshaw, the Columbia Falls school superintendent, said.

“I hate to put it that way. I’ve been in some tough situations in different school districts, but I never have moved a gun to my bedroom. This time the threat was serious enough.”

In mid-September, a series of ominous text messages directed toward Bradshaw and others escalated overnight into violent, graphic cyber threats targeting the valley’s schools, students and families. The bizarre saga shook the community and forced the closure of more than 30 schools across Flathead County for three days as an investigation involving the FBI unveiled an overseas hacking attack by cyber criminals seeking ransom.

Once law enforcement debunked concerns of a public safety threat and divulged that it was all an attempt at extortion, classes resumed and life mostly returned to normal. Except Columbia Falls is still waiting for full resolution.

“In the classroom, things are back to normal, but I’m not sure I can say it’s back to normal overall,” Bradshaw said.

Authorities continue to investigate the overseas hacking group calling itself The Dark Overlord Solutions, a highly sophisticated, high-profile cyber criminal organization that allegedly breached the Columbia Falls school district server and stole troves of personal information, including names, addresses, contact info and medical data for past and present students. The full scope of data that was stolen remains unknown at this time, according to law enforcement.

The hackers sent individual messages to Columbia Falls families, threatening to harm students by name, but have backed off since sending a ransom letter to members of the Columbia Falls school board, as well as Bradshaw, seeking payment via bitcoin, a digital currency. The letter was sent Sept. 18 with three proposed payment options ranging upwards of $150,000 and the deadline to respond was Sept. 23.

Law enforcement and the school district’s insurance company highly recommended the recipients of the ransom letter to neither pay nor communicate with the hackers, who claim they will destroy the information they have stolen if paid.

“The board has been fairly clear on their feelings that they would not pay. That’s pretty much the stance,” Bradshaw said.

The hacking organization appears to be busy elsewhere, too. Earlier this week, Bradshaw received a phone call from a school administrator in Texas, where hackers have apparently followed a similar strategy by stealing information and threatening students and school officials. Splendora School District south of Houston sent out a statement on Oct. 4 saying a group of hackers is threatening a “tiered escalation, which could include direct messages to parents, students and staff … These messages have been via text and/or email, and have been violent and graphic.”

The situation mirrors the Flathead Valley saga, and talking with the Texas administrator, Bradshaw did not paint a bright picture when discussing how it played out here.

“I was real blunt and truthful with him. He wasn’t real excited when we got done talking,” Bradshaw said.

“He thought it was some kind of prank situation and didn’t know the depth of what these people did. His alarm bells were ringing pretty loudly after we spoke.”

Other similar incidents have popped up recently in Alabama and Iowa.

“I would imagine this would become a large-scale problem for school districts around the country,” Bradshaw said.

The Beacon contacted the FBI seeking additional information on the escalation of cyber attacks across the U.S., and the agency responded Friday with a statement:

“Cyber threats are everywhere and are constantly evolving. Mitigating cyber threats continues to be a top priority for both the FBI and the U.S. Government. The FBI works extensively with the public and with private industry to raise awareness of cyber threats. The FBI and state and local law enforcement also rely on quick notification from the public of potential threats, allowing cyber investigators to preserve evidence and work with incident responders to help recover networks. The FBI will continue to devote substantial resources and efforts to bring malicious cyber actors to justice.”

While the public safety threat has subsided, the persistent worry about future cyber attacks remains present. The Columbia Falls school district has bulked up many of its technology safeguards, Bradshaw said. Other school districts across the valley have followed suit.

Yet the reality is that keeping up with technology is expensive, and school districts that are already facing budget constraints are finding themselves in a bind.

“The security and data we have as schools, we’ve got to do a really good job of trying to protect that, but at the same time it’s going to be really challenging,” Bradshaw said.

“We don’t have the resources to put in security like banks. And if Equifax can get hacked, then we can get hacked.”

For example, Columbia Falls school district hired LMG Security, a cyber security firm based in Missoula, to analyze the recent hacking breach and scan the server for stolen information and vulnerabilities. The firm’s typical rate is $185 an hour and as of Sept. 23, the company had worked 180 hours in just Columbia Falls. Other school districts have taken similar measures to ensure firewalls and other safeguards are up to snuff.

The district’s insurance covered much of the cost but the exercise shed light on the high cost of maintaining and building safety measures.

“It’s going to be a very expensive bill,” Bradshaw said. “The amount of info we have on our servers is incredible.”

It’s unclear exactly how the hackers breached the Columbia Falls server, but most experts have said it appears the organization sent out ransomware throughout the internet that looks for weak points in an organization’s networks and servers. Once a vulnerability is discovered through a variety of means, the hackers pounce.

Bradshaw said it appears hackers discovered a “weakness in our system” and stole the information. The Columbia Falls data was then shopped on the so-called dark web, an underground internet network. Law enforcement has declined to discuss specifics of the hacking breach due to the ongoing investigation.

“I give the community of Columbia Falls a lot of credit,” Bradshaw said. “The folks I’ve talked to, they’ve said, ‘We can live with whatever info is out there. We can live with that just as long as our kids are safe.’”

Bradshaw said the school district is devoted to defending against this type of situation in the future, but it comes with a cost.

Most of the technology used throughout the Columbia Falls school district was either donated or bought through general funds remaining at the end of each fiscal year, Bradshaw said.

“There really is no technology budget in our district budget. We will look at trying to change that, but it isn’t cheap,” he said.

In Alaska, where Bradshaw previously worked as an administrator, the school district set a goal of $500,000 a year for technology needs, including security, throughout the district’s schools.

“That was real difficult to do, and that would be almost impossible here with the budget we have,” he said.

Bradshaw said the only other option is floating a mill levy request that would raise tax funds to address technology needs.

“We need to improve security but also get better technology in the hands of our kids,” he said.

Other protective measures are being taken this week. There is no school in Columbia Falls district on Oct. 6 and Oct. 9 as teachers in the elementary, junior high and high schools undergo “Run. Hide. Fight.” training, which teaches staff how to defend against a school attack. The training was already planned before the recent situation emerged, Bradshaw said.

Bradshaw said the difficulty of the situation scared and angered many people in the community, including himself. The fear of his own family’s safety, and the safety of his staff and students, pushed him to an angry place, he said.

“What these guys did to me is total cowardice … If I could get my hands on these guys, I don’t know if I could contain myself,” he said. “I’m a different person if you threaten my children or my wife. I understand why these parents are so angry.”

Moving forward from the recent situation, the relief of avoiding a public safety threat barely keeps at bay the late-night anxiety that haunts many educators like Bradshaw.

“It’s the biggest fear of any school administrator and teacher,” he said. “You shouldn’t have to go to work worried about somebody walking into your building. But that’s the reality.”

Stay Connected with the Daily Roundup.

Sign up for our newsletter and get the best of the Beacon delivered every day to your inbox.