Cedar Rapids schools pay ransom in cyberattack


HR King
May 29, 2001
CEDAR RAPIDS — The Cedar Rapids school district paid a ransom in hopes of keeping personal data compromised in a cyberattack last month from being released, the school superintendent has told parents.

“As part of the process to resolve this matter, CRCSD made payment to a third-party entity to ensure critical information that may have been accessed was not released,” Superintendent Noreen Bush wrote Friday in a letter to parents. “We made this decision after consulting closely with cyber security experts and legal counsel and determining it was in the best interest of our school community.”

Her letter did not disclose the amount of ransom that was paid, nor provide the name of the group that launched the attack.


Both Cedar Rapids and Linn-Mar school districts experienced disruptions in their computer systems within a month of each other starting in July, shutting down some operations for days as the start of the new academic year approaches Aug. 23.

Bush, in her letter to parents, said that since the cyberattack was uncovered, “we have worked with our internal IT staff and third-party cyber security experts to help resolve this matter and to take steps to ensure something similar does not happen again.”

Schools make “easy targets” for cyberattackers because they often are not prepared enough to keep highly valuable personal data from being compromised, a local security expert said.

The Cedar Rapids Community School District identified a cybersecurity breach July 2. The district canceled its summer school the following week from July 5-8, impacting more than 750 children enrolled in programs.

The Linn-Mar Community School District announced Aug. 2 it was investigating the source of its phones going down and its computer systems being disrupted earlier this month.

Aaron Warner, founder and chief executive officer of ProCircular, a computer security service in Coralville, said schools are easy targets because they are some of the least prepared for an attack.

Daily News​

Newsletter Signup
Delivered to your inbox every day

“When you’re attacked like this you feel like a victim. It’s terrible, and it takes awhile to walk it off,” Warner said.

Personal information from staff was included in data stolen from Cedar Rapids schools, including staff members’ full names, Social Security numbers, driver’s license numbers, bank account and routing numbers, and medical information including diagnosis and treatment information or health insurance information. The district said it would offer a free year’s worth of crediting monitoring services to affected employees to see if the data is used.

The Linn-Mar district has not disclosed whether personal data on its staff was compromised.

Warner said attackers would be interested in such data because they can sell it to people who want to use the information to create new identities or buy medical information to get prescriptions for drugs they can resell.

Warner could not comment whether ProCircular is working with Cedar Rapids and Linn-Mar school districts to restore their systems or increase their cybersecurity.

“The fact of the matter is every company is going to go through this,” said Warner, whose company has handled hundreds of cybersecurity incidents — most of them in Iowa. “We do a lot of research to stay ahead of the game and stay sharp.”

ProCircular provides cybersecurity services to a large number of clients in public and private organizations in Iowa, including Cedar Rapids-based Folience, the parent company of The Gazette.

Linn-Mar district officials have not described the issue they’re facing as a cyberattack. They are working with third-party specialists to assess the impact and recover the district’s systems.

“We are on schedule for students and staff as planned,” said Shannon Bisgard, superintendent of the Linn-Mar Community School District.

Schools don’t have funding to make significant improvements in cybersecurity, making them vulnerable to attacks, Warner said.

As of March 2022, the nation’s K-12 schools have experienced 1,331 reported cybersecurity-related incidents since 2016, according to an annual report on The State of K-12 Cybersecurity released earlier this year by nonprofit K12 Security Information Exchange, which works to protect K-12 schools from cyberattacks.

Comparitech, which provides information, tools and reviews to help its readers improve cybersecurity and privacy online, estimates ransomware attacks cost K-12 schools and colleges $3.56 billion in 2021 in the United States. Additional costs include recovery as schools work to restore computers, recover data and improve security to prevent future attacks.

Recovering large quantities of data is time consuming, expensive and error-prone, Warner said. What you can’t add up is the cost of having everyone in a school district focused on cybersecurity instead of on educating students, he said.

“The cost of that distraction eclipses any technical issues that come up,” Warner said. “It’s all anyone will talk about for the next year, and it takes away from the mission of the organization.”

Sometimes it will take a “deep investigation” to be aware of a hacker. Other times, it’s obvious because the hacker wants it to be, like in the case of a ransomware attack that demands payment in exchange for allowing computers to work again, Warner said.

When a cybersecurity breach does happens, Warner said it’s time to pause and come up with a plan.

“Chances are the hackers were in that computer system for almost a year already,” Warner said. “Pause, get your plan together, work out the scope of the damage.”

Des Moines Area Community College experienced a ransomware attack last summer that caused a nearly two-week internet outage and several days of canceled classes.

Mark Clark, executive director of information solutions, said officials “were watching the attack as it was happening,” Clark said. They were able to quickly cut off the internet connection, so the hackers would not have access to student information systems.

College officials called their insurance company, Holmes Murphy & Associates and Beazley Cyber Insurance, who put together a response team that included a law firm, forensic teams, ransomware negotiators and information technology to stop the attack and get systems up and running again.

Clark did not disclose how much ransom the cyberattackers asked for, but said the college did not pay.

Another company monitored the dark web for 30 days for any information leaked from the college, Clark said. “They didn’t come up with anything,” he said.

“You can’t say ‘luck’ and ‘breach’ in the same sentence,” Clark said. “We were fortunate to be able to lock things down the way we did, but unfortunately we got hit.”

The school’s cybersecurity insurance premium increased dramatically during the 2021-22 school year, Clark said. Additional security measures were put in place, and since then the cost of insurance has decreased. Clark did not share the amount the school pays for cybersecurity insurance.

Doug Jacobson, director at the Center for Cybersecurity Innovation and Outreach at Iowa State University, said the cost of cybersecurity insurance is increasing as attacks increase.

Jacobson said the attack on Cedar Rapids and Linn-Mar schools could have been strategically timed. Cyberattackers “like to play off confusion” and the start of the school year is “chaotic,” he said.

  • Like
Reactions: Moral


HR Legend
Dec 26, 2018
Reynolds will give CRCSD funds to cover this to help Hinson's reelection bid.


HR Legend
Sep 21, 2005
Don't click on attachments or weblinks from addresses outside of your domain. We have this talk every year.

Tom Paris

HR Legend
Gold Member
Oct 1, 2001
Don't click on attachments or weblinks from addresses outside of your domain. We have this talk every year.
I forwarded 3 emails asking for my password to our district spam this week. It’s getting worse, plus we have people who actually respond to these.
  • Like
Reactions: Moral


HR Legend
Gold Member
Feb 17, 2004
Our college software filters out links and attachments from outside email address. If we get an email attachment or link it goes to IT for them to approve.
  • Like
Reactions: cigaretteman

Bank of Hawk

HR Heisman
Gold Member
Feb 24, 2007
The company I rep, sends out fake phishing emails nearly once a month or so. Some of them are very good fakes. I’ve never fallen for them, but I can see how some could. But I’ve been told if you fall for it, you have to re-complete the IT security course to re gain access.

Also all emails from outside the intranet are clearly marked as coming from outside and no graphics work on emails from outside the intranet. There is an army of IT professionals working round the clock. Also, most sensitive information is stored on a old school DOS based system, I’m told it’s highly secure to store it that way.

But that story said the school stores their employees medical conditions and prescriptions, I have to wonder why it’s necessary for someone’s employer to store that info.
Last edited:


HR Legend
Jul 8, 2001
I've seen organizations docking bonuses after X amount of time clicking on the phising links they send out, and you better believe that nobody is screwing that up