Skip to content

Louisiana’s COMPASS Teacher Eval System Still Down Following Statewide Cyberattack

November 21, 2019

UPDATE 11-25-19: CIS is once again operational.


On Monday, November 18, 2019, Louisiana’s state office computer systems experienced a cyberattack. As a precaution, the state shut down those systems, with the expectation that computers in some offices would be back in operation the same day, and others, within days.

However, as of this writing (Thursday evening), Louisiana’s teacher evaluation system, the Compass Information System (CIS), is still not in operation.

The Louisiana Department of Education (LDOE) website is up, as is the email system. On November 21, 2019, at 4:52 a.m., LDOE curriculum supervisor, Jackie Bobbett, was able to send the following email to Louisiana’s curriculum review team regarding the cyberattack:

Please be advised that the LDOE has been affected by the cyber attack that began Monday. We apologize for any delays in responses.

We appreciate your patience during this time and will update you as we have more information.

LDOE Academic Content Team

In a November 19, 2019, update, the governor’s office did say it might take “several days” to restore service, and the November 21, 2019, Shreveport Times reports that Louisiana’s Department of Motor Vehicles (DMV) is closed until Monday, November 25, 2019, and that according to Governor Edwards, “the ransomware attack was ‘largely unsuccessful’ because the state didn’t lose its data and didn’t pay a ransom.”

From the Office of the Governor, dated November 19, 2019:

“While it is nearly impossible to prevent all cyber attacks, because we have prioritized improving Louisiana’s cybersecurity capabilities, we were able to quickly neutralize the threat. The majority of the service interruption seen by employees and the public yesterday was due to our aggressive actions to combat the attack,” Commissioner of Administration Jay Dardenne said. “We are confident we did not have any lost data and we appreciate the public’s patience as we continue to bring services online over the next few days.”

Gov. Edwards prioritized increasing and improving cybersecurity capabilities in Louisiana, leading to the creation of Emergency Support Function 17, which is why Louisiana was able to quickly and aggressively respond to Monday’s attempted ransomware attack. Yesterday’s service interruption was largely due to the state Office of Technology Services’ aggressive response to prevent additional infection of state servers and not due to the attempted ransomware attack.

Online services and email started to come back online yesterday afternoon, though full service restoration may take several days.

OTS has confirmed that this attempted ransomware attack is similar to the ransomware targeted at local school districts and government entities across the country this summer. There is no anticipated data loss and the state did not pay a ransom. OTS staff continues to expand its security presence following the incident, both from systems and training perspectives.

Louisiana State Police and several federal agencies are investigating this attempted ransomware attack.

Louisiana’s ESF-17 team consists of leaders from OTS, the Governor’s Office of Homeland Security, LSP, the Louisiana National Guard, state university systems and other cybersecurity experts.

As of this writing, LDOE has not released a public statement regarding CIS and the November 18, 2019, cyberattack.

As for the governor’s office comparing the current attack to that which occured to several Louisiana school districts in the summer of 2019, LDOE offers this cyber incident Q & A presentation, including this slide detailing how that ransomware works:

As of July 30, four parish school systems have been affected by a cyber incident. This incident has inflicted a huge impact on IT resources and varying levels of data encryption and loss.

The Cybersecurity Response Team has identified the current cyber attack as the RYUK strain of ransomware. It is similar to another ransomware strain called HERMES.

This particular strain is delivered to its victims via links and emails.

RYUK operates in 2 steps – a dropper and an executable payload.

  • The dropper is the initial infection that creates a executable which triggers the actual attack.
  • Unfortunately the dropper is deleted when the initial infection installation is complete, so finding that original trigger is very difficult.

The Cybersecurity Response Team has identified that the initial triggers may have infected these school systems as far back as several months. These schools systems were actively monitoring and using tools for finding and fixing infections; however, this executable payload appears to have waited patiently to trigger its full attack at a later point in time versus immediately upon initial infection.

It is this delay that has brought about the phased network secure protocol the Cybersecurity Response Team is asking schools to implement immediately. We want schools to have the ability to block the secondary mechanism from executing and encrypting all data it can reach on the school’s network.

For more details on RYUK ransomware and how it works, see this Secure World Expo article, “Special Security Advisory: ‘Ryuk Ransomware Targeing Organzations Globally.'”

security breach


Interested in scheduling Mercedes Schneider for a speaking engagement? Click here.


Want to read about the history of charter schools and vouchers?

School Choice: The End of Public Education? 

school choice cover  (Click image to enlarge)

Schneider is a southern Louisiana native, career teacher, trained researcher, and author of two other books: A Chronicle of Echoes: Who’s Who In the Implosion of American Public Education and Common Core Dilemma: Who Owns Our Schools?. You should buy these books. They’re great. No, really.

both books

Don’t care to buy from Amazon? Purchase my books from Powell’s City of Books instead.

One Comment
  1. Laura H. Chapman permalink

    This cyberattack is the tip of an iceberg. There is widespread concern that attacks of this kind (and others) are also capturing data for training aritificial Intelligence (AI) systems. That data bonaza is needed for even more sophisticated attacks, some of these not for monetary gain but for political advantage.
    See this report for what the technies are trying to understand and also forge into policies.

    Click to access 1c6q2kc4v_50335.pdf

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s