Stride Identifies a Cyberattack on Its Systems and Network
Stride, Inc. (NYSE: LRN) reported a ransomware attack on its network, confirmed as a criminal act. The company quickly acted to contain the threat and is cooperating with federal law enforcement. Importantly, the attack did not affect the Learning Management System used by students, and all major corporate systems remain operational. Some student and employee information may have been accessed, prompting a payment to the attacker through cyber insurance to prevent data misuse. The company emphasizes the ongoing investigation and believes the incident will not materially impact its business or financial results.
- No disruption to Learning Management System or educational services.
- All major corporate systems remain operational.
- Proactive engagement with cyber insurance to mitigate data misuse.
- Potential data access of student and employee information.
- Dependence on the attacker adhering to negotiated terms.
HERNDON, Va.--(BUSINESS WIRE)--K12 Inc. (NYSE: LRN) (“Stride” or “we”) – to be Stride, Inc. effective December 16, 2020 – has detected unauthorized activity on its network, which has since been confirmed as a criminal attack in the form of ransomware.
Upon identifying unusual system activity, we quickly initiated our response, taking steps to contain the threat and lock down impacted systems, notifying federal law enforcement authorities, and working with an industry-leading third-party forensics team to investigate and assist with the incident.
Importantly, students at the schools we serve continue to learn. Based on our investigation to date, the attack did not affect the Learning Management System (“LMS”) that is used to deliver educational content to students and to host student accounts – no data on the LMS was compromised nor has the delivery of services over the LMS been interrupted in any way. Our client schools – charter and district online schools – are still open, operating, and secure, as they have been since the start of the pandemic. Additionally, all major corporate systems – including payroll, accounting, enrollment, financial reporting, procurement, and shipping – have remained operational through this incident.
We do believe that the attacker accessed certain parts of our corporate back-office systems, including some student and employee information on those systems, but it will take further time to determine the scope of the information accessed.
We carry insurance, including cyber insurance, which we believe to be commensurate with our size and the nature of our operations. We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.
While there is always a risk that the threat actor will not adhere to negotiated terms, based on the specific characteristics of the case, and the guidance we have received about the attack and the threat actor, we believe the payment was a reasonable measure to take in order to prevent misuse of any information the attacker obtained.
Stride considers the security and integrity of our systems and network among our top priorities, particularly considering the large shift this year to remote learning and work due to COVID-19. While no company can ever eliminate the risk of a cyberattack, we are working extensively with an industry-leading third-party forensics firm to ensure that we are taking all appropriate steps to prevent any incident like this from happening again.
In addition, as part of our response to this incident, we have assembled a team of advisors on data security compliance, including former United States Attorneys and state Attorneys General with experience in handling criminal cyberattacks, and other technical advisors. The team includes Catherine Hanaway, former US Attorney for the Eastern District of Missouri; William Lockyer, former California state Attorney General; and John Byron (J.B.) Van Hollen, former Wisconsin state Attorney General and former US Attorney for the Western District of Wisconsin. The team will assist in guiding our efforts in response to this incident, including compliance with state and federal laws, continued cooperation with law enforcement, and communications with outside parties concerning the incident.
This investigation is active and ongoing and our systems are operating with minimal impact. Based on the information currently known and our investigation to date, we do not believe the incident will have a material impact on our business, operations or financial results.
Forward-Looking Information
This press release contains certain forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. We have tried, whenever possible, to identify these forward-looking statements using words such as “anticipates,” “believes,” “estimates,” “continues,” “likely,” “may,” “opportunity,” “potential,” “projects,” “will,” “expects,” “plans,” “intends” and similar expressions to identify forward-looking statements, whether in the negative or the affirmative. These statements reflect our current beliefs and are based upon information currently available to us. Accordingly, such forward-looking statements involve known and unknown risks, uncertainties and other factors which could cause our actual results, performance or achievements to differ materially from those expressed in, or implied by, such statements. These risks, uncertainties, factors and contingencies include, but are not limited to: reduction of per pupil funding amounts at the schools we serve; inability to achieve a sufficient level of new enrollments to sustain our business model; failure to replace students who have graduated from the terminal grade in a school or have left our programs for other reasons with new students of a sufficient number; inability to maintain our current rate of retention of students enrolled in our courses; an increase in the amount of failures to enter into new school contracts or renew existing contracts, in part or in their entirety; the failure of perceived industry trends and projections resulting from the expected effects of COVID-19 on virtual education; failure of the schools we serve or us to comply with federal, state and local regulations, resulting in a loss of funding, an obligation to repay funds previously received or contractual remedies; governmental investigations that could result in fines, penalties, settlements, or injunctive relief; declines or variations in academic performance outcomes of the students and schools we serve as curriculum standards, testing programs and state accountability metrics evolve; harm to our reputation resulting from poor performance or misconduct by operators or us in any school in our industry and/or in any school in which we operate; legal and regulatory challenges from opponents of virtual public education or for-profit education companies; changes in national and local economic and business conditions and other factors such as natural disasters, pandemics and outbreaks of contagious diseases and other adverse public health developments, such as COVID-19; discrepancies in interpretation of legislation by regulatory agencies that may lead to payment or funding disputes; termination of our contracts, or a reduction in the scope of services with schools; failure to develop the career learning education business; entry of new competitors with superior technologies and lower prices; unsuccessful integration of mergers, acquisitions and joint ventures; failure to further develop, maintain and enhance our technology, products, services and brands; inadequate recruiting, training and retention of effective teachers and employees; infringement of our intellectual property; disruptions to our Internet-based learning and delivery systems, including but not limited to our data storage systems, resulting from cybersecurity attacks; misuse or unauthorized disclosure of student and personal data; our inability to assess and contain the cyberattack; legal, reputational and financial risks resulting from this or additional cyberattacks; the vulnerability of business continuity plans during the cyberattack, and other risks and uncertainties associated with our business described in our filings with the Securities and Exchange Commission.
Although we believe the expectations reflected in such forward-looking statements are based upon reasonable assumptions, we can give no assurance that the expectations will be attained or that any deviation will not be material. All information in this presentation is as of today’s date, and we undertake no obligation to update any forward-looking statement to conform the statement to actual results or changes in our expectations.
About Stride, Inc.
Stride, Inc. (NYSE: LRN) – formerly K12 Inc. – helps students reach their full potential through inspired teaching and personalized learning. The company has transformed the teaching and learning experience for millions of people by providing innovative, high-quality, tech-enabled education solutions, curriculum, and programs directly to students, schools, the military, and enterprises in primary, secondary, and post-secondary settings. Stride is a premier provider of K-12 education for students, schools, and districts, including career learning services through middle and high school curriculum. For adult learners, Stride delivers professional skills training in healthcare and technology, as well as staffing and talent development for Fortune 500 companies. Stride has delivered millions of courses over the past decade and serves learners in all 50 states and more than 100 countries. The company is a proud sponsor of the Future of School, a nonprofit organization dedicated to closing the gap between the pace of technology and the pace of change in education. More information can be found at stridelearning.com, K12.com, destinationsacademy.com, galvanize.com, techelevator.com, medcerts.com.