District Details Cybersecurity Response After $253K Phishing Theft

Excelsior Springs, Mo. – At the May 13 board meeting of the Excelsior Springs School District, Deputy Superintendent Dr. Mark Bullimore addressed growing concerns from the public and school board following the recent revelation that the district had fallen victim to a phishing scheme, resulting in a $253,692 loss.

Original story: Excelsior Springs School District loses $253,692 in elaborate cyber theft

As reported previously, the district was defrauded through a sophisticated cybercrime in which an individual impersonating a known vendor submitted fraudulent banking information, leading the district to unknowingly reroute payment.

Bullimore explained that the breach stemmed from a compromised vendor account, allowing the attacker to convincingly pose as a trusted contact. In response, the district has implemented new multi-verification redundancies, requiring multiple personnel to confirm any change or payment requests before they are approved.

Community Concern and Context

Board members noted that they had received questions about why the public hadn’t been informed of the incident sooner. Officials explained that because the breach resulted in legal action between the district and the vendor, details remained under closed session for nearly four years while a settlement was negotiated.

“It wasn’t about hiding anything,” one board member said. “It was a legal issue, and there are just certain things you can’t share with the public in real time.”

What’s Been Done Since

According to Bullimore, the district already follows a comprehensive cybersecurity framework required by its insurance provider, the Missouri United School Insurance Council (MUSIC). Additionally, he has been working with Technology Director Jon Coleman to learn more about the cybersecurity protections already in place or that have been strengthened since the breach, which include:

• Two-Factor Authentication: Mandatory for all staff with elevated access since Spring 2023.
  
  
• Password Protocols: Updated in Spring 2025 to require all district passwords to be a minimum of 14 characters, a change estimated to greatly slow down brute force attacks.
  
  
• Annual Training: Cybersecurity and phishing awareness are included in Vector training for all staff. Coleman also distributes email safety reminders throughout the year, including real-world phishing examples and early warnings from statewide cybersecurity consortiums.
  
  
• Daily Monitoring: The district conducts constant surveillance of its networks and systems, using alert protocols to catch abnormal activity and suspicious behavior.
  
  
• Secure Platforms: The district uses Gmail’s built-in phishing protections, Securly web filtering on all accounts, and Sophos endpoint detection software for all MacBooks, desktops, and servers.
  
  
• Managed Student Devices: All Chromebooks and iPads are managed by the district, limiting students to only pre-approved apps and extensions.
  
  
• Restricted Software Installation: No staff, including administrators, can install or remove software without technology department approval.
  
  
• Critical Updates & Alerts: Patches and updates are installed promptly. The district also subscribes to cybersecurity intelligence services for real-time threat alerts.
  
  
• Upcoming Training: Beginning in the 2025–26 school year, all buildings will hold a 30-minute face-to-face training on email safety and best practices for both certified and classified staff.
  
  

Bullimore noted that while no system is 100% immune to cybercrime, the district is doing all it can to stay ahead of potential threats. “It really is an arms race,” he said. “As soon as we close one door, they’re looking for another way in. But we’re staying vigilant.”

Despite the financial setback, district officials emphasized their commitment to learning from the incident and improving security awareness at every level. As cyber threats continue to grow across industries, from school districts to hospitals, Excelsior Springs School District leaders say transparency and proactive defense are their top priorities moving forward.