Information About Cybersecurity Incident
Answers to Common Questions
Updated 12/22/2020
1. What happened?
Fairfax County Public Schools (FCPS) – like many other school systems around the country – was the victim of a cybersecurity incident involving a ransomware attack. After learning of the incident, FCPS quickly took action to contain the threat, secure systems, and restore affected servers. As a result, distance learning was not disrupted and FCPS was able to start the school year without any delays.
On the evening of October 9, the attackers posted the information that they stole from FCPS on the dark web. Since that time, we have learned that Maze removed the impacted information from its site and subsequently reposted the information on October 18th. At this time, we believe that the data posted on the 18th is the same information that was posted on the 9th. (updated 10/19/20)
2. What is ransomware?
Ransomware is a form of malware that is used by hackers to prevent users from accessing files, and in some cases, extract and hold data hostage until a ransom is paid. In this case, a sophisticated group of cyber criminals, known as the Maze group, is claiming responsibility for the attack.
Ransomware attacks have become increasingly pervasive in recent months. School systems and state and local governments have become a primary target. Unfortunately, we are one of more than 1,000 educational systems to suffer a ransomware attack in the last year. In the past week alone, multiple school districts were reported to be victims of ransomware attacks.
3. What did FCPS do upon learning of this incident?
After learning of the incident, FCPS quickly took action to contain the threat, secure systems, and restore affected servers. As a result, distance learning was not disrupted and FCPS was able to start the school year without any delays.
We are investigating the incident and have retained leading outside security experts to determine the nature and scope of the incident. We are working closely with the FBI and Virginia State Police and supporting their criminal investigations to bring the attackers to justice.
4. When did FCPS learn of the incident?
FCPS first became aware that it was a victim of a sophisticated ransomware attack in September.
5. What data has been released and do you believe any other types of data have been taken?
At this time, our ongoing investigation has revealed that certain personal information for some students and employees may have been impacted. We are working hard to identify the information that was taken and will notify impacted individuals as appropriate.
6. What will FCPS be doing to help the individuals whose data was taken?
We’re committed to working to protect our community. At this time, we believe only a subset of individuals in the FCPS community, including just a limited number of students, were impacted by the incident. However, out of an abundance of caution, we are offering credit monitoring and identity restoration services at no cost to all employees and their spouses and minor dependents, regardless of whether their data was impacted by this incident. We will also offer the same complimentary services to impacted persons we identify during the course of our investigation, as appropriate.
7. What is FCPS doing to enhance its cybersecurity posture?
We are investigating the incident and have retained leading outside security experts to determine the nature and scope of the incident.
We have implemented several cybersecurity-related enhancements and are continuing to evaluate additional steps that may be taken to further harden our defenses. Maintaining continuity of school for our students, faculty and staff, along with safeguarding their data, are top priorities.
8. Did the incident impact distance learning operations?
No. After learning of the incident, FCPS quickly took action to contain the threat, secure systems, and restore affected servers. As a result, distance learning was not disrupted and FCPS was able to start the school year without any delays.
9. Can students and staff continue to connect to the FCPS network?
Distance learning is proceeding as planned. Students and staff should continue to use their computers to access the FCPS network.
10. Was this issue related to the challenges associated with the spring transition to distance learning?
Based on our investigation thus far, this incident appears to be unrelated to the distance learning challenges we experienced in the spring.
11. Why have some individuals received notifications that their data may have been impacted months after the incident?
While we had notified the community of this incident earlier in the fall and had proactively provided credit monitoring and identity restoration services to all current FCPS employees, as part of our ongoing investigation, we’ve subsequently identified additional individuals whose data may have been impacted. In line with our commitment to providing credit monitoring and identity restoration services to those who may need them, we have distributed additional individualized notices to ensure all eligible members of our community who wish to utilize these services have access to them.