TOP PHOTO: Campbell County Board members met on Tuesday evening to discuss a data breach risk assessment. School board members pictured, left to right: Jeffrey Miller, Ronnie Lasley and Randy Heatherly.
By Charlotte Underwood
JACKSBORO, TN (WLAF) – A data breach risk assessment investigation was discussed by Campbell County Board of Education members on Tuesday evening regarding a security “incident” that occurred in March. The assessment revealed that one of the school’s IT employees had placed software on school laptops to use for crypto-currency mining for his own gain. The employee in question, Adam Lawson, was suspended in March when the investigation began and has since resigned his position. The data risk assessment revealed there had been no data breach of student and employee information.
The school system had contracted with Constangy Brooks Smith & Prophete LLP after discovering a data security incident in March.
According to the risk assessment letter sent by Constangy to Director of Schools Jennifer Fields and the BOE attorney, in March 2024 the Campbell County School System “became aware that one of its network administrators may have been misusing CCSS resources. During a student testing day, a student contacted CCSS technical administrators with an issue regarding their testing software. When investigating the issue on the student’s CCSS laptop, a network administrator discovered that the TOR browser was running on the student laptop. The administrator then investigated a staff computer and similarly discovered TOR running in the background. The network administrator began investigating further and on March 19, 2024, discovered the TOR browser was being deployed through Active Directory. The deployment was traced to a hidden folder on the Active Directory server but by the time the network administrator found the root path of the TOR browser, the hidden folder was deleted. The network administrator pulled logs surrounding the hidden folder and discovered a different network administrator, Adam Lawson, had deleted the hidden folder. On March 21, 2024, Mr. Lawson was subsequently suspended pending an investigation. CCSS later discovered that the TOR browser had been deployed to approximately 3,500 student devices and approximately 100 staff devices.”
The school system reported the Incident to its cyber carrier, Great American Insurance Group (“GAIG”), on March 19, 2024, and “was immediately referred to Constangy for legal counsel regarding its further response to, and investigation of, the Incident.”
A forensic investigation of the CCSS network was conducted by Kroll. Forensic images of CCSS servers as well as the computers used by Mr. Lawson during his employment were collected.
According to the risk assessment letter, “The computers used by Mr. Lawson were encrypted with BitLocker which Kroll eventually was able to bypass. Through the investigation Kroll determined the following timeline of events.
Beginning in May 2023, Mr. Lawson began taking notes on the process of mining crypto currencies. In July 2023, Kroll observed the deployment of a miner for Monero to CCSS systems. In November 2023, Mr. Lawson created a note called “My Info” which contained setup details and wallet information for mining Monero. In December 2023, during the CCSS holiday break, Mr. Lawson continued preparing to activate the mining operation. Services were set up to run the mining operation, the mining services ran from December 2023 to March 20, 2024, when CCSS deleted the task. Kroll’s investigation revealed no evidence of file or folder access by Mr. Lawson outside of the creation of a folder containing the mining software for deployment on a CCSS domain controller. By all evidence, Mr. Lawson’s actions were solely for the purpose of operating a Monero mining scheme utilizing CCSS systems.”
The letter goes on to give a legal analysis stating that “the forensic investigation identified that Mr. Lawson utilized CCSS resources to conduct a Monero mining operation. Kroll’s investigation was able to determine that CCSS successfully addressed the compromise, and there was no evidence of data access, staging, or exfiltration by Mr. Lawson as part of this scheme. In Tennessee, in order to constitute a breach, there must be evidence of unauthorized acquisition of sensitive data that compromises the security, confidentiality, or integrity of PI. Where there is no acquisition of data, there can be no breach. Because there was no acquisition of data, this Incident does not constitute a breach as defined by the applicable law and does not give rise to consumer notification or regulatory reporting obligations.” (WLAF NEWS PUBLISHED – 06/12/2024-6AM)