A small school district that takes pride it its school spirit is disputing thousands of dollars-worth of international phone calls after its landline phone system was compromised in an apparent hacking scheme.
The superintendent of Gardner Community Consolidated School District 72C, located in the village of Gardner along historic Route 66 in Grundy County, said Gardner Grade School was struck by malicious hackers last July 4th when officials were not in the building.
According to superintendent Ron Harris, someone remotely hijacked the school’s phones and forwarded hundreds of calls to high-toll international phone lines in Eastern Europe, South America and the Caribbean. By the time the hack was discovered, cyber criminals had racked-up nearly $8,000 in calls.
“We’re a public school,” Harris said. “There’s never been a time when we’ve made any phone calls to Bosnia or Ecuador or any calls like that.”
The malicious hackers even circumvented an international call block that the school’s local phone company, Call One, put in place with its long-distance provider, Level 3 (now called Century Link).
Gardner was in the process of switching phone providers last Summer when the hacks occurred. The change in providers, according to the school, was made for unrelated reasons.
Because the school said it risked losing access to its phone system, it stopped disputing its phone bill with the new provider in January and paid for the fraudulent calls. However, the school said it still owes its old provider, Call One, about $4,000.
Harris said the school typically spends less than $300 on its monthly phone bills. He said thousands of dollars meant for educational programs is at risk because of the fraudulent phone calls.
“For us to have to pay this takes away from that pot of money that we can use to provide those services for our kids,” Harris said.
Harris said he is sharing the district’s story with the public so other school districts can protect their phone systems.
Cyber security expert Nick Percoco said the attacks are most likely automated and come from well-organized criminal groups. He said malicious hackers create computer programs that call random phone numbers looking for voicemail systems with weak passwords. And once they are inside a phone, the criminals take control.
“Every time someone calls one of those phone numbers, they make money,” Percoco said.
The FCC said cyber criminals typically target business phone systems, but consumers with residential voicemail should also beware. Consumers and small businesses can protect their landline phones by choosing a complex voicemail password and disabling their call forwarding features.
If your landline is compromised, contact police and your phone provider. However, you may still be on the hook for paying for the bogus calls.
Gardner Grade School has since reconfigured its phone system and shut down remote voicemail access.
“We’ve worked to get some credits, but still feel that these charges were fraudulent and ultimately we feel that they should be removed,” said building and grounds supervisor Mike Cornale.
Call One said the district did not take actions necessary to help avoid the fraud.
“Call One notified the District right away when the underlying long-distance provider, Level 3, detected fraudulent international calls on the District’s phone system and Call One immediately worked with Level 3 to block all international calls through Level 3,” Keith Black of Call One wrote to NBC 5 Investigates. “Unfortunately, the District did not take prompt action to protect the integrity of its self-provided phone system, which allowed hackers to further compromise that phone system. Call One was charged for those fraudulent calls by the underlying long-distance provider, Level 3. We agreed to, and did, issue a substantial credit to the District, representing all charges other than what we were required to pay Level 3.”
School officials, however, argue Call One sent emails to two school employees who do not work during the summer months when the hack occurred.
“If someone sees that you go from $300 a month to almost $4,000 and you had 184 calls to Bosnia and Ecuador and Cuba in a three day period, something’s wrong,” Harris. “I would have hoped they would pick up the phone and make a personal contact with the customer.”
The long-distance provider, Century Link (formerly Level 3), told NBC 5 Investigates that because Gardner is not its “direct customer”, it could not comment further.