Cyberattack impairs systems at Tucson Unified District

The Tucson Unified School District office building on Jan. 31, 2023

The computer systems at southern Arizona's largest school district went down after a cyberattack early Monday.

On Tuesday, the Tucson Unified School District's building was mostly empty. Because the internet was down, most administrative employees at the district's offices temporarily worked from home.

Students continued their regular school schedule, and staff were working to develop alternative learning plans and using hotspots as needed, said the school district in a statement.

The Federal Bureau of Investigation said it was assisting the school district and Tucson Police Department with the ongoing ransomware attack.

The district said it is working with national external cybersecurity experts to investigate the security incident, noting "the forensic investigation is in its early stages and is ongoing."

The Arizona Republic received a copy of a note allegedly sent to the district from the source of the cyberattack, Royal.

“If you are reading this it means that your system(s) were hit by Royal,” the note stated. “Most likely what happened was that you decided to save some money on your securi(ty). Alas, as a result your critical data was not only encrypted but also copied. From there it can be published online. Then anyone on the internet from the darknet and even your employees will be able to see your internal documentation.”

The note also stated that Royal would decrypt and restore the data if paid a “modest royalty.”

Royal is a human-operated ransomware, according to the federal Office of Health and Social Services. It was first observed in 2022 and has increased its activity since then, demanding ransoms up to millions of dollars.

According to a 2018 performance audit by the Arizona auditor general, the most recent performance audit of the school district, security of the district’s computer systems was an issue that needed to be addressed.

The audit said the school district lacked “adequate computer controls.”

“These poor controls exposed the District to an increased risk of unauthorized access to sensitive information and data loss,” the report stated.

The audit found not only that the district had weak password requirements, but also that former employees could still access the school district’s network and systems.

The audit found 17 network user accounts, 13 student information system user accounts and 41 accounting system user accounts linked to former employees. Ten of those accounts were linked to terminated employees who had the ability to access the district’s network using a virtual private network, or VPN.

In addition, the auditor noted the district lacked a contingency plan in the event of a system or equipment failure or interruption.

The district responded to the audit stating that, by Aug. 1, 2018, it would strengthen its password requirements, remove system access for terminated or transferred employees and finalize its Disaster Recovery Plan.

This article originally appeared on Arizona Republic: Cyberattack impairs systems at Tucson Unified School District