Thousands of Schools' Websites Go Down After Ransomware Attack on Software Provider Finalsite

• By Kristal Kuykendall
• 01/07/22

Editor's Note: An updated report is available: "Finalsite Says Ransomware Actor Identified; Client Sites Back Online" posted on Monday, Jan. 10.

Thousands of K–12 schools and universities found their websites inaccessible this week after their website software provider, Finalsite, was hit by a ransomware attack on Tuesday and was still working to restore full functionality Friday afternoon.

The company said in a statement on its website that it had full access to its files and data throughout the incident and a forensic investigation was under way. “We have no evidence that our data or client data has been taken.” Finalsite also noted that its database information on client schools is limited to names and email addresses and the company does not store payment information, academic records, Social Security numbers or other personal information.

“It's important to note that the malware is not what took our sites offline,” Finalsite Director of Communications Morgan Delack told THEjournal on Friday. “We did so proactively — and immediately — upon learning of the issue in order to protect our data. The reconnection of our websites is taking so long because we had to rebuild everything in a clean, safe environment again. At this time, we have no evidence that data was compromised, and we credit that to our early actions.”

Delack estimated that about 5,000 of its almost 8,000 global customers had been affected by the incident, though on Monday that total was revised to 3,000.

Finalsite, with offices in Connecticut and the U.K., provides website, marketing, and communications platforms for schools and universities in 108 countries. It is a portfolio company of Veritas Capital.

Late Thursday, Finalsite held a webinar for clients affected by the outage, where company leaders spoke about what happened and why the cause of the outage hadn’t been shared until the outage was in its third day, according to a transcript of the webinar shared with THEjournal.com.

Initially, on Tuesday, Finalsite posted on its status page for its customers that it was “investigating an issue leading to increased error rates and performance issues,” and it posted updates about the “continued outage” several times a day without mentioning the cause of the outage, until just after noon on Thursday.

At 12:04 p.m. on Thursday, Finalsite acknowledged that ransomware was the cause and said in a new status update that the ransomwaare had been detected on Tuesday.

“We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” the status update said. “The Finalsite security team monitors our network systems 24 hours a day, seven days a week. On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment. We immediately took steps to secure our systems and to contain the activity. We quickly launched an investigation into the event with the assistance of third-party forensic specialists, and began proactively taking certain systems offline.

“In the ensuing time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore backup systems and bring our network back to full performance, in a safe and secure manner. Third-party forensic specialists are assisting us in bringing things back slowly and carefully to ensure the environment is safe and stable.”

Late Friday afternoon, the company said “We’re continuing to work to restore admin access as quickly as possible, and many more sites can now log in. We are continuing to restore styling, calendar events, and constituents for directories and will update you on our progress along the way.”

Speakers on the webinar held Thursday afternoon included CEO and Founder Jon Moser and the chief officers of revenue, marketing, product, and communications.

“Many of you have said, why haven’t you been more upfront with us about what is happening until now? As you’ve read in our letter, because of the nature of the incident, we have had to hold back some information until now and are grateful for your understanding of these difficult circumstances,” the officers said, according to the webinar transcript. “After isolating and shifting away from the affected infrastructure components, we needed to rebuild aspects of our network. It's taking us longer to tune this rebuilt infrastructure than we originally anticipated.”

The company leaders emphasized that they take security “extremely seriously and are frequently updating protocols” based upon any best practices and new information.

“The Finalsite security team has strict security measures in place to protect the information in our care, and have worked to add further technical safeguards to our environment,” the transcript reads. “We’ve invested $2.5 million into hosting security and our team monitors our network systems 24 hours a day, seven days a week. As we learn more about this incident, we are taking additional steps to further secure the environment and prevent this type of attack from occurring again.”

Cybersecurity experts and even the U.S. Department of Education have warned in recent months of a marked increase in cyberattacks on schools and universities, and the K–12 Cybersecurity Act of 2021, signed into law in October, directs the Cybersecurity and Infrastructure Security Agency to identify risks and provide resources for schools to better protect their IT security.