Finalsite says no data stolen during ransomware attack affecting 3,000 US public schools

Education software provider Finalsite said on Monday that no data was stolen during a ransomware attack that started on January 4. 

Finalsite provides website services to thousands of public schools across the US and the attack took place at a particularly inopportune time. As schools braced for snow days and potential COVID-19 disruptions on Friday, officials found their websites and email systems out of commission, making it more difficult to communicate changes with parents. 

“Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data, etc.,” the company said on January 7. On Sunday, the company said that all client websites are back online.

Finalsite CEO Jon Moser told reporters on Monday that the company has hired data privacy attorneys at Mullen Coughlin LLC and cyber forensic investigators at Charles River Associates to help with the recovery process. 

Moser explained that they now know which ransomware group conducted the attack and have “achieved containment of threat actor activity.” They know how the ransomware group got in and said they “have found no evidence that client data has been viewed, compromised or extracted.”

The company said it primarily holds “publicly-facing information found on school and district websites” but some customers use the company’s directories or messages/eNotify modules that may contain demographic data ranging from names to email addresses and phone numbers. 

“Some clients use Finalsite payment integrations with third-party organizations. These payments are processed through a secure third party. Finalsite does not transmit or store any credit card data,” the company said. “Finalsite does not store academic records, social security numbers, or any other confidential information. Again, Finalsite has no evidence that any data was compromised as a result of this incident.”

The company told ZDNet it is unable to share which ransomware group was responsible for the attack. 

A spokesperson for the company also took issue with reports on social media that schools were unhappy with how Finalsite dealt with the outages. 

One Reddit user said a number of school districts complained that they were unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol.  

“The impact of this outage is far greater than the attention it has received,” the user wrote.

Some schools took to Twitter to inform students and parents about website outages, noting to the public that their websites were down because of the ransomware attack on Finalsite.