Cyberattack – The 74: America's Education News Source (feed updated Thu, 01 Feb 2024 22:09:51 +0000)

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
Published Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by The 74, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after records maintained by the company were found to be readily available online without any encryption, despite Raptor’s claims that it scrambles its data.

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based Raptor Technologies, which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear “unkempt or hungry,” withdrawn from friends, or to engage in self-harm, or who have poor concentration or struggle academically.
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts voice their concerns, they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

Fowler, a cybersecurity researcher at vpnMentor and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with The 74. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that have signed the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.” 

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company claims that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.


Its own policies, however, offer a more limited assurance, saying the company takes “reasonable” measures to protect sensitive data but cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under New York state law, education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors.

Countering Raptor’s claims that data were encrypted, Fowler told The 74 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by The 74 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search.

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,’” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.’”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in The 74, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge was created in 2014 by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, and places restrictions on the ways ed tech companies can use the data they collect about K-12 students.

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told The 74 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided The 74 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,’” he said. “A pledge is just like, ‘whoops, our bad,’ a little bit of bad press and you just sweep it under the rug and move on.”

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

Louisiana District Failed to Notify Thousands of Leaked Info After Cyberattack
/article/thousands-of-louisiana-teachers-and-students-had-their-information-leaked-after-cyberattack-but-were-never-notified/
Published Mon, 04 Dec 2023 11:01:00 +0000

This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

Now, she’s left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by The 74 and The Acadiana Advocate revealed. The reporting included a data analysis by The 74 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom.


The district, some 63 miles west of Baton Rouge, told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the analysis of the stolen files tells a different story.

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators that such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

Those rules require that breached entities notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered.

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. Under the law, the state attorney general’s office must approve such disclosure delays.

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

Spreadsheets that listed St. Landry Parish students with their personal information were uploaded to Telegram following the cyberattack. (Screenshot)

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of the California-based Identity Theft Resource Center, said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

Superintendent Milton Batiste III (Brad Kemp/The Acadiana Advocate)

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records containing personal information about young people is far smaller than the number containing information about current and former district staff.

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.” 

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try to apprehend the cybercriminals, not to determine the extent of a breach or provide the information needed to notify or protect district employees and students. That work is done by the school districts, which often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

Records leaked following the St. Landry Parish School Board hack include sensitive information for thousands of current and former teachers, along with information about their children. (Screenshot)

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: births, marriages, divorces and deaths.

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Part of Louisiana schools’ funding is derived from sales taxes.

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

An income tax return is among the thousands of sensitive files uploaded to the internet after a cyberattack hit the St. Landry Parish School Board. (Screenshot)

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.” 

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim: previously, the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.” 

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

“It’s a question of them throwing their fishing hook in the barrel … and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.” 

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

The school district has a duty to protect any private information it collects, Edwards said, and is both legally and ethically obligated to notify breach victims.

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are sought after by fraudsters, who can use the records to obtain credit cards and loans without detection for years.

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

Birth certificates and other personal files were uploaded to the internet in the wake of a cyberattack on the St. Landry Parish School Board. (Screenshot)

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never set foot in St. Landry Parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St. Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone
Wed, 08 Nov 2023 | /article/why-a-new-type-of-cyberattack-on-las-vegas-schools-should-worry-everyone/

It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met. 

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told The 74. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, is already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

Schools nationwide rely heavily on Google Workspace to create and share records, and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them. 

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Security Information eXchange, who suggested the campaign is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by The 74, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with The 74, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.” 

Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.” 

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a malicious download, copy records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.” 

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.” 
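The path the hacker described to DataBreaches.net, and that Levin summarizes above, is a group any domain account can join that in turn holds a grant on a shared drive. As an added example that is not code from the article, the district or Google, the following Python audits an export of Workspace group settings and shared-drive permissions for that path and proposes the membership fix; the `whoCanJoin` values and Drive permission fields are the real API names, while the group addresses, drive names and permission rows are constructed placeholders.

```python
"""Audit Workspace group settings and shared-drive ACLs for the self-join path.

Added example, not code from the article, the district or Google. It models two
real Google Workspace API surfaces: the Groups Settings API field `whoCanJoin`
and the Drive API permissions resource (`type`, `emailAddress`/`domain`, `role`).
All group addresses, drive names and permission rows below are constructed
placeholders; a real audit would page through the live APIs instead.
"""
from dataclasses import dataclass

# Groups Settings API `whoCanJoin` values under which a user can add
# themselves to a group without an owner approving the request.
SELF_JOIN_VALUES = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}

# Drive API roles that grant at least read access to a shared drive.
READ_ROLES = {"organizer", "fileOrganizer", "writer", "commenter", "reader"}

# Constructed sample: one Groups Settings record per group.
GROUP_SETTINGS = {
    "staff-all@example.edu": {"whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
    "counselors@example.edu": {"whoCanJoin": "INVITED_CAN_JOIN"},
    "pta-news@example.edu": {"whoCanJoin": "ANYONE_CAN_JOIN"},
}

# Constructed sample: permissions.list output for three shared drives.
DRIVE_PERMISSIONS = {
    "Student Services (IEPs)": [
        {"type": "user", "emailAddress": "jdoe@example.edu", "role": "organizer"},
        {"type": "group", "emailAddress": "staff-all@example.edu", "role": "writer"},
    ],
    "Counseling Case Notes": [
        {"type": "group", "emailAddress": "counselors@example.edu", "role": "reader"},
    ],
    "PTA Flyers": [
        {"type": "group", "emailAddress": "pta-news@example.edu", "role": "reader"},
        {"type": "domain", "domain": "example.edu", "role": "reader"},
    ],
}


@dataclass(frozen=True)
class Finding:
    drive: str
    grantee: str
    role: str
    reason: str


def self_joinable_groups(settings):
    """Groups a student in the domain could join on their own."""
    return {g for g, s in settings.items() if s.get("whoCanJoin") in SELF_JOIN_VALUES}


def audit(settings, permissions):
    """Flag every shared-drive grant reachable from an ordinary student account:
    a grant to a self-joinable group, or a grant to the whole domain / anyone.
    Students share the domain with staff, so a domain-wide grant is as exposed
    as an open group."""
    open_groups = self_joinable_groups(settings)
    findings = []
    for drive, perms in permissions.items():
        for p in perms:
            role = p.get("role")
            if role not in READ_ROLES:
                continue
            kind = p.get("type")
            if kind == "group" and p.get("emailAddress") in open_groups:
                who = settings[p["emailAddress"]]["whoCanJoin"]
                findings.append(Finding(drive, p["emailAddress"], role,
                                        f"group is self-joinable ({who})"))
            elif kind in {"domain", "anyone"}:
                grantee = p.get("domain", "anyone")
                findings.append(Finding(drive, grantee, role,
                                        f"shared with entire {kind}"))
    return findings


def remediate(settings, findings):
    """Return a copy of the group settings with every self-joinable group that
    appears in a finding switched to invitation-only membership. Domain-wide
    and public grants are left for the drive owners to remove."""
    fixed = {g: dict(s) for g, s in settings.items()}
    for f in findings:
        if f.grantee in fixed and fixed[f.grantee].get("whoCanJoin") in SELF_JOIN_VALUES:
            fixed[f.grantee]["whoCanJoin"] = "INVITED_CAN_JOIN"
    return fixed


if __name__ == "__main__":
    before = audit(GROUP_SETTINGS, DRIVE_PERMISSIONS)
    for f in before:
        print(f"{f.drive}: {f.grantee} has {f.role} access; {f.reason}")
    after = audit(remediate(GROUP_SETTINGS, before), DRIVE_PERMISSIONS)
    print(f"{len(after)} finding(s) remain after locking group membership")
```

In the sample the invitation-only counselors group is never flagged, while the domain-wide grant on the flyers drive survives the group fix because only a drive owner can remove it.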

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.” 

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told The 74. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

Brandi Hecht

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told The 74.

Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

How Ed Tech Tools Track Kids Online — And Why Parents Should Care
Fri, 22 Sep 2023 | /article/how-ed-tech-tools-track-kids-online-and-why-parents-should-care/

As technology becomes more and more ingrained in education — and as students become increasingly concerned about how their personal information is being collected and used — startling new research shows how schools have given for-profit tech companies a massive data portal into young people’s everyday lives. 

, led by researchers at the University of Chicago and New York University, highlights how the scramble to adopt new technologies in schools has served to create an $85 billion industry with significant data security risks for teachers, parents and students. The issue has become particularly pervasive since the pandemic forced students nationwide into remote, online learning. 

Students’ sensitive information is increasingly leaked online following high-profile ransomware attacks and user data monetization is a key business strategy for tech companies, including those that serve the education market, like Google. Yet student privacy is rarely a top consideration when teachers adopt new digital tools, researchers learned in interviews with district technology officials. In fact, schools routinely lack the resources and know-how to assess potential vulnerabilities.

Such a reality could spell trouble: In an analysis of education technologies widely used or endorsed by districts nationwide, researchers discovered privacy risks abound. The analysis relied on , a privacy inspector tool created by the nonprofit news website The Markup which scours websites to uncover data-sharing practices. Those include the use of cookies that track user behaviors to deliver personalized advertisements. Analyzed education tools, they found, make “extensive use of tracking technologies” with potential privacy implications. 

Most alarming to the researchers were the 7.4% that used “session recorders,” a type of tracker that documents a user’s every move. 

“Anyone visiting those sites would have their entire session captured which includes information such as which links they clicked on, what images they hovered over and even data entered into fields but not submitted,” the report notes. “This could include data that users might otherwise consider private such as the autofilling of saved user credentials or social network data.” 

The 74 caught up with report co-author Jake Chanenson, a University of Chicago Ph.D. student, to gain insight into the report’s findings and to understand why he believes that parents and students should be concerned about how ed tech companies collect, store and use their personal data. 

The conversation has been edited for length and clarity. 

Why did remote learning pique your interest in digital privacy and what are the primary implications that worry you? 

Remote learning can be done well but we all had to get to it very quickly without a plan because we all suddenly got thrown at home because of the global pandemic. Suddenly schools had to scramble and find new solutions to reach their students, to educate their students, without being able to test the field, to think critically about it. They really were, with shoestring and gum, trying to keep their classes together. 

Whether you were in school, whether you were at work, whether you were at neither and still just trying to keep in touch with your friends, you were using anything that came your way because that’s what you had to do. I found that really interesting — and a bit concerning. It’s no one’s fault because we don’t understand the ramifications of these technologies and now that we’ve used them a lot of them are here to stay. 

I don’t want to sound like some sort of demonizing figure saying that all tech is bad — that is certainly not the case. It’s merely the fact that sometimes these promises are oversold, and now we have this added element of data privacy. 

When you interact with any of these platforms, tons and tons of student data — from how you interact with it, how well you do on their assignments, when you do it, if you’re a chronic procrastinator, if you’re always getting your work done, if you seem more interested in your art class than your math class. These are all data points collected by these companies and I wanted to know, ‘What is it they’re collecting? What are they doing with it,’ and, specifically for this study, ‘What are schools thinking about in this space if anything at all?’

This study took a two-pronged approach. You conducted surveys with experts in this space and then used technology to identify information that folks might not be aware of. Let’s discuss the surveys first. How did the school administrators and district technology officials you interviewed view privacy issues? 

Lots of them knew that something wasn’t quite up to snuff in their security and privacy practices. 

The best security and privacy practices that I saw in these school districts were entirely because someone, usually in the IT department, had an independent interest in student privacy. They were going above and beyond what their job descriptions required because they cared about the students. 

That’s not to imply that school officials don’t care about the kids — they care about them very much — but they’re so busy making sure the lights are on and making sure there are teachers for the classrooms, dealing with discipline issues, dealing with staffing concerns. They’re not necessarily focused on data privacy and security. 

Your research takes a unique approach to show the real-world impacts of education technology on student privacy. You identify that some of these tools raise significant privacy implications. How did you go about that?

We looked at the online websites of educational sites and tried to understand, what are the privacy risks here? What we found is that 7.4% of all these websites had a session recorder, which records everything you do when you’re interacting with a web page. How long you hovered over a certain element, how often you scrolled, what you clicked on and what you didn’t click on. 

That’s a scary amount of data collection for something that’s normally an education site. On top of that we found a high prevalence of cookies and other types of trackers that were being sent to third-parties, basically advertising networks, that were taking that data to track these students across the web. As a student, even while I’m doing my work, they’re creating an ad profile of me that not only encompasses who I am as a consumer in my spare time, but who I am as a student inside of school for this more comprehensive picture of who I am to sell me ads. 

That could be upsetting to somebody who thinks that what I’m doing in school is only the business of me and the teacher, my parents and the principal. 

Why would an education technology company use a session recorder? 

We were able to identify that these trackers, like session recorders, were running on these websites, but we don’t have any idea what they’re recording, which is a project that we’re currently working on and trying to understand. 

I can’t make any well-grounded assumptions to what this is being used for, whether it be nefarious or benign. It’s not uncommon for a session recorder to be used for diagnostic information for a technology company if they want to understand how their users use a site so they can improve it. That’s a legitimate use of one of these session recorders, but without knowing what data they collect, it could be that they’re collecting data that isn’t strictly relevant to improving the service or are over-collecting data in the guise of improving the service and retaining it for future use. 

There are, of course, but I won’t speculate on that because I don’t have definitive proof that’s what’s happening. 

Why should people care about districts’ technology procurements? School districts are using a huge swath of digital tools, some from Google and some from tiny tech companies. If school leaders aren’t putting privacy at the forefront of deciding which tools to use, what concerning outcomes can come from that? 

There are several concerning outcomes, the first being that the data these companies collect don’t necessarily sit on their servers. They sometimes are sold to third parties. Some companies state third parties ambiguously and others list out who they are selling it to and why. 

Just on a normative basis, I think that what you do in the classroom shouldn’t be harvested and sold, especially when many of these companies are raking in somewhere between five- and seven-figure contracts to license this technology. It’s not like they don’t have other sources of income, but the things they can take from students can be incredibly alarming: Information about socioemotional behavior, so if I act out in school, if I am in trouble for something that’s happening at home or I’m bullying another student, that data is collected by a specific service and that data is held somewhere. And of course, when you hold data, it’s a security risk. 

There was a big breach in New York City where hundreds of thousands of students had their personal information leaked because a company was holding onto all of this data. It was leaked to hackers who got that data and can do who knows what with it. That’s a huge privacy violation. Some of the things they stole in that particular breach were names, birthdays and standard things you can use to commit identity fraud, which is a problem. But it can also be more sensitive stuff, such as [special education] accommodation lists or if you qualify for free lunch. There’s stuff about disability or your economic status, stuff that is all collected by these ed tech companies and held somewhere. 

Learning management systems have incredible amounts of metadata. ‘Are you someone who procrastinates and only finishes an assignment one minute before it’s due? Did you do it early? Are you someone who didn’t do the reading but showed up to class anyway? Are you someone who took 10 times to get this quiz right or did it only take you one time’ 

These data are recorded and are available for teachers to see, but because teachers can see it, it’s sitting on a server somewhere. 

Because they’re being stored somewhere and they are not being deleted regularly and these companies are not following data minimization principles, it’s a potential privacy risk for these students should another breach happen, which we’ve seen happen again and again and again. 

Breaches have affected sensitive student information. In her book Danielle Citron argues for federal rules that would protect intimate privacy as a civil right. Why are such rules needed and how would they work in an educational context? 

There are certain types of information, like nonconsensual disclosures of intimate images, so-called revenge porn. I think you can make a straight analogy for student data. Just as there should be a zone of intimate privacy around your personal intimate life, your sexuality, whatever else, we should have a similar zone around your educational life. 

Education is a space where students should be able to learn and make mistakes, and if you cannot make those mistakes without being recorded, then that can have repercussions for you later. If you’re not perfect on your first try and someone gets a hold of that, I could see that affecting your college admissions or that could affect an employment record. If I am someone who wants to hire you and I have a list of every student in a school that turns in their assignments early and all of these people were either habitually late or always procrastinating then obviously I’m going to be more interested in hiring the worker that turned stuff in early. But what that list might not tell you is that it was one data point in eighth grade and that one of those students when they were in high school finally got on top of their executive dysfunction and started turning things in on time. 

It’s ultimately nobody’s business how you do in the classroom. You have final grades, but those fine-grained data are nobody else’s business but yours and the teacher’s. You have a safe space to learn and grow and make mistakes in the educational environment and to not be penalized for them outside of that classroom.

It’s Back to School for Cyber Gangs, Too
Thu, 14 Sep 2023 | /article/its-back-to-school-for-cyber-gangs-too/

As a new academic year begins, a school district in an affluent Washington, D.C., suburb is rolling out stringent security measures, including metal detectors and a clear backpack mandate, to keep danger from entering its buildings. 

Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 

“Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggests they date back two decades. 

Data purportedly stolen from the school district in Prince George’s County, Maryland, was uploaded to the Rhysida ransomware gang’s dark web leak site Tuesday after the school system fell victim to a cyberattack. (Screenshot)

The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by The 74 of the cyber groups’ dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

“Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by The 74. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.” 

Educators with the Lower Yukon School District received this ransom note after NoEscape threat actors carried out a ransomware attack on the school system this summer. (Screenshot)

Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told The 74 the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

“It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.” 

This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

With “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

There isn’t any hard data on how often ransomware groups exploit the back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

“With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

“Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

The Rhysida ransomware gang’s extortion efforts against the school district in Prince George’s County, Maryland, were “temporarily suspended” for several days, suggesting that negotiations were ongoing. (Screenshot)

‘Exclusive, unique and impressive’

Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.” 

The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.” 

“We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told The 74, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

“There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.” 

The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

“This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.” 

Ransomware’s long tail

Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to The 74. 

It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

“We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.” 

The school district in Edmonds, Washington, was recently listed on a cyber crime gang’s leak site, but the school system denies it was the victim of a recent ransomware scheme. (Screenshot)

Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses. 

Seven months after Minneapolis Public Schools fell victim to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

“Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

The documents were Minneapolis Public Schools’ first public comments on the attack since April 11.

Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

“Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

“A lot of times schools are reactive rather than proactive,” she said. If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”

Iowa Community Colleges Allocate Time, Money to Combat Cybersecurity Threats /article/iowa-community-colleges-allocate-time-money-to-combat-cybersecurity-threats/ Fri, 25 Aug 2023 13:30:00 +0000 /?post_type=article&p=713755 This article was originally published in

Des Moines Area Community College is a harder target for cyberattacks and scams than it used to be, President Rob Denson said, but it takes constant effort and vigilance to stay that way.

He and his staff will receive fake attachments, fraudulent messages from people claiming to be coworkers and applicants with intentions of taking financial aid and running rather than attending classes almost every day, despite best efforts to head them off.

“Threat actors are always looking for you to let down your guard,” he said.

In efforts to keep campus safe, some Iowa community colleges are having to put increasingly more time, manpower and money toward cybersecurity efforts.

Aaron Warner, CEO of cybersecurity company ProCircular, said community colleges are targets for bad actors because they house a lot of sensitive information, their student populations see continuous turnover, and they’re made to be as accessible as possible.

The often-chaotic time just before school starts is also utilized by cybercriminals, as faculty and staff are busier and less likely to catch suspicious emails or other activities.

“It’s an unfortunate byproduct of the fact that they’re a community organization,” Warner said. “They are designed to interact as best as possible with the community. Bad guys take advantage of that.”

When the COVID-19 pandemic forced employees to work from home, Warner said the opportunities to conduct cyberattacks expanded. Gone was the castle-and-moat style of keeping sensitive information on one secure network as data was transferred onto home computers and laptops. The risk of a successful cyberattack or intrusion didn’t so much rise as become more distributed, he said.

DMACC and Iowa Central Community College have already faced in real time what ProCircular simulates for training — a breach in cybersecurity. Iowa Central Community College was hacked in 2018, and DMACC saw a breach in 2021.

Both colleges amped up security efforts in response, which they still keep up today.

Colleges work to stop ‘ghost student’ scam

One problem DMACC has worked to curb is “ghost students,” or applicants who use fake or stolen identities to seek financial aid. Denson said the college started seeing more fraudulent applications around two years ago, coming in groups from certain areas in different states and filing for loans without any intent of actually attending classes.

For around a year, DMACC staff have been calling every applicant to confirm their identity before putting their information into the system, Denson said. While this practice has cut down on ghost student applications, it’s not the easiest task to undertake.

In fall 2022, DMACC admitted more than 1,600 full-time, first-time students. Admissions staff and recruiters called each applicant and recorded the confirmation of their identity in the DMACC system — a time-consuming process, Denson said, as many students aren’t easy to reach over phone or email.

“It’s a terrible use of time, it’s not the best use of their skills, but it’s something we’ve got to do,” Denson said. “What we don’t want to do is get a fraudulent app inside of our learning management system.”

At its peak in late July 2022, Denson said the college was receiving around 15 fraudulent applications a day. Since implementing this practice, Denson said that number has decreased significantly, but one or two a day still pop up.

Denson said the amount of time and manpower needed to verify so many applicants pulls people away from their other work.

“We would rather have recruiters out recruiting and advisors talking to students about their career, rather than verifying somebody’s identity,” he said.

In order to lower the risk of a fake student infiltrating Iowa Central Community College’s systems, President Jesse Ulrich said staff purges all records of inactive students — those who applied but never signed up for classes or interacted with the college in any way — every semester.

Cybersecurity is costly

Staff and faculty at both community colleges receive training on how to spot and report phishing, and receive random test phishing emails. Iowa Central Community College has members of its IT team dedicated to servers and infrastructure, and DMACC has a cybersecurity expert on retainer.

Security software, training and insurance all require funds, Ulrich said, which could be used in other areas of the college.

“Anytime you are putting more resources into cybersecurity, whether that’s through people, software, paying more for insurance; all of those things pull from the general fund or other areas of our funds to be able to really meet the core purpose of community colleges,” Ulrich said.

Both colleges have cyber insurance; Denson said the college’s annual insurance cost is five times what it was, and the deductible has doubled.

Even divulging details on its cybersecurity insurance could put the college at risk, Ulrich said, as threat actors will look through public records to determine how well-insured schools are and use that in attacks.

“It’s kind of a lose-lose situation for higher ed when we’re put in that situation,” he said.

However, having these safeguards isn’t really a choice, Denson said — it’s a necessity, and one that isn’t going away soon.

According to SonicWall’s 2023 , educational institutions were cybercriminals’ top targets for malware attacks. At the recent annual Community Colleges for Iowa conference, Ulrich said cybersecurity was among the top 10 challenges facing higher education today.

ProCircular works with more than just community colleges to evaluate cybersecurity efforts, but the leaders at colleges Warner has met are among the most understanding of the issues and how to tackle them, he said. Much of the company’s training involves ensuring people know what to look for, how to respond in the event of a breach and helping them allocate resources in the right areas.

U.S. Rep. Zach Nunn introduced in April to help curb cyber attacks against K-12 schools by increasing available resources, expanding cyber attack prevention information sharing and improving national tracking of cyber attacks. While no bills targeting cybersecurity in higher education have been introduced, a spokesperson for Nunn’s office said they are working with as many entities as possible to help tighten cybersecurity across the board.

Community Colleges for Iowa Executive Director Emily Shields said there has been interest in the state Legislature in working to curb cybersecurity breaches in higher education, but many of the best practices suggested in discussions are already being practiced by community colleges.

When it comes to funding, Shields said colleges would rather see more dollars go into general funds than specific silos like cybersecurity, as it allows them to be more flexible in allocating resources.

The organization has worked to help keep colleges informed about cybersecurity threats and avenues to help fend off attacks, in the event one does occur, she said.

“The conversation always is not if this is going to happen in your college, it’s when,” Shields said. “Everybody’s anticipating. You will have cyberattacks, probably plural — it’s making sure you’re ready for that.”

is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on and .

White House Takes On Urgent K-12 Cybersecurity Threat at First-Ever Summit /article/white-house-takes-on-urgent-k-12-cybersecurity-threat-at-first-ever-summit/ Tue, 08 Aug 2023 22:45:00 +0000 /?post_type=article&p=712922 Shortly before First Lady Jill Biden took the podium at the White House Tuesday to champion a new federal initiative to combat K-12 school ransomware attacks, the cyber gang Medusa announced its latest victim on the dark web.

Such unrelenting attacks — this time against a Bergen County, New Jersey, district — are what brought the first lady as well as some 200 federal cybersecurity officials, school district leaders and tech company executives together for a first-ever White House summit on strengthening school district defenses.

“It’s going to take all of us,” Biden said. 

The breaches have ground school technology systems nationwide “to a halt,” the first lady said at the East Room gathering, forcing some districts to cancel classes as reams of sensitive student, parent and educator data were stolen and leaked online. In March, a Medusa attack on Minneapolis Public Schools exposed records about child abuse inquiries, student mental health crises and campus physical security details. 

“If we want to safeguard our children’s futures, we must protect their personal data,” she said. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Among the new strategies announced Tuesday is the creation of a Government Coordinating Council that will provide “formal, ongoing collaboration” between all levels of government and school districts to prepare for and respond to data breaches. Officials with the Cybersecurity and Infrastructure Security Agency said the agency would provide individualized assessments and cybersecurity training to 300 K-12 education entities over the next year. 

First Lady Jill Biden and Education Secretary Miguel Cardona look on as Homeland Security Secretary Alejandro Mayorkas speaks during a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

Tuesday’s cybersecurity event didn’t come with the announcement of any new federal regulations but was instead positioned as the first step in a new-found federal urgency around cybersecurity in schools. The Federal Communications Commission in late July proposed a $200 million pilot program to enhance cybersecurity in schools and libraries that still needs to be approved.

“When schools face cyber attacks, the impacts can be huge,” Education Secretary Miguel Cardona said. “Let’s be clear, we need to be taking these cyber attacks on schools as seriously as we do the physical attacks on critical infrastructure.”

In released by the Education Department and the Cybersecurity and Infrastructure Security Agency, the agencies recommended that school districts implement multi-factor authentication, enforce minimum password strength standards and ensure software is kept up to date. They should also consider moving on-premises information technology services to cloud-based systems. 
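The guidance above names “minimum password strength standards” without saying what a district identity system should actually check. The block below is an added example, not code from the article, the Education Department or CISA; it implements a policy check of the kind a district would put in front of its account provisioning: a minimum length, a blocklist standing in for a breached-password corpus (the list here is constructed for illustration), rejection of passwords that embed the account name, and rejection of trivially repetitive or sequential strings. The thresholds (`MIN_LENGTH`, `MIN_DISTINCT`, `SEQUENCE_RUN`) are assumptions chosen for the example.

```python
"""Password-policy check for a district identity system (added example).

Not the article's or any agency's code. Thresholds and the blocklist are
illustrative assumptions; a real deployment would check against a full
compromised-password feed rather than this short constructed list.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein", "qwerty123",
    "123456", "12345678", "schoolyear2023", "changeme",
}

MIN_LENGTH = 12      # assumed policy minimum
MAX_LENGTH = 128     # keeps hashing input bounded
MIN_DISTINCT = 4     # reject e.g. "aaaaaaaaaaaa"
SEQUENCE_RUN = 6     # reject any run like "abcdef" or "123456"

# Fold common leetspeak substitutions so "P@ssw0rd" compares as "password".
_LEET = str.maketrans("@$01!3", "asoiie")


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def _normalize(password: str) -> str:
    """Lowercase, drop a trailing digit/symbol suffix, undo leetspeak."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(_LEET)


def _has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if any `run` consecutive characters ascend by one code point."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(password: str, username: str = "") -> PolicyResult:
    """Evaluate a candidate password against the assumed district policy.

    Returns every failing rule rather than the first one so the user can be
    told exactly why the password was rejected.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        reasons.append("matches a known-compromised password")
    if len(username) >= 3 and username.lower() in password.lower():
        reasons.append("contains the account name")
    if len(set(password)) < MIN_DISTINCT:
        reasons.append("too few distinct characters")
    if _has_sequence(password):
        reasons.append(f"contains a run of {SEQUENCE_RUN} sequential characters")
    return PolicyResult(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw, user in [("correct horse battery staple", "jdoe"),
                     ("P@ssw0rd2023!", "jdoe"),
                     ("jdoe-is-here-2024", "jdoe")]:
        result = check_password(pw, user)
        print(f"{pw!r}: {'accepted' if result.ok else 'rejected: ' + '; '.join(result.reasons)}")
```

The check deliberately has no composition rule (required uppercase, digit or symbol): the normalization step shows why such rules add little, since `P@ssw0rd2023!` satisfies all of them and is still a well-known password once the substitutions and the date suffix are folded away. Pair this with multi-factor authentication as the guidance recommends; a policy check limits password guessing but does nothing against a phished credential.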

“Do not underestimate the ruthlessness of those who wish to do us harm,” Homeland Security Secretary Alejandro Mayorkas said. “They have proven their willingness to steal and leak such private student information as psychiatric hospitalizations, home struggles and suicide attempts. Do not wait until the crisis comes to start preparing.” 

School cybersecurity expert Doug Levin, who attended the summit, said it was a positive development to see the federal government, and the Education Department in particular, focus on the effects of ransomware on schools. The Education Department has been “mostly absent from these conversations” in the past, said the national director of The K12 Security Information eXchange.

Meanwhile, several companies, including education technology vendors, unveiled new commitments to help facilitate digital security in schools. Amazon Web Services announced a new $20 million grant program to bolster K-12 school cybersecurity while Cloudflare committed to providing free cybersecurity tools to small districts with 2,500 or fewer students. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

In the U.S. school district cyber attacks reached a record high of 37 in the month of June alone, , but Tuesday’s event centered largely on a crisis that unfolded in Los Angeles nearly a year ago. 

Last September, a notorious ransomware group carried out an attack on the Los Angeles Unified School District, the nation’s second largest, that resulted in some 500 gigabytes of district data being published to the Russian-speaking group’s dark-web leak site. 

A major theme of the White House summit was the politically connected superintendent’s swift outreach to federal agencies, including the U.S. Department of Education and the Federal Bureau of Investigation. That collaboration, Superintendent Alberto Carvalho and federal education officials said, set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called it “the Harvard Business School case study on how to get this right.” 

Other school districts should respond similarly, said FBI Deputy Director Paul Abbate. When school leaders suspect they’ve been the target of an attack, he said, it’s incumbent that they “please call us immediately.” In L.A.’s case, the FBI was able to have a team of agents on the ground in less than 24 hours, he said, enabling them to freeze vulnerable accounts and secure sensitive information that had been sought out by the threat actors. 

That coordinated response didn’t prevent some 2,000 current and former students’ highly sensitive psychological evaluations from being leaked on the dark web, an investigation by The 74 revealed. Carvalho initially denied that such records were exposed in the attack, but the district acknowledged they were after the story was published. The district also initially said the attack began and ended on Sept. 3 — the Saturday of Labor Day weekend — but a follow-up investigation determined that an intrusion began as early as July 31, the .

While Carvalho didn’t comment Tuesday on the leak of sensitive psychological information, he said the number of stolen files “could have been much worse,” adding that the hackers “encrypted and exfiltrated very little thanks to our actions.” Among the actions they didn’t take, the schools chief said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

White House Rolls Out Cybersecurity Initiative as Schools Face Devastating Hacks /article/white-house-rolls-out-cybersecurity-initiative-as-schools-face-devastating-hacks/ Mon, 07 Aug 2023 09:01:00 +0000 /?post_type=article&p=712723 Updated, Aug. 7: A tornado watch forced the postponement of the White House K-12 cybersecurity summit from 4 p.m. Monday to 10:30 a.m. EST Tuesday. Check back on The 74 for Mark Keierleber’s full report from D.C.

First Lady Jill Biden, senior administration officials, school district heads and technology company executives will convene at the White House Monday to kick off a new cybersecurity defense initiative as schools increasingly fall victim to crippling ransomware attacks. 

The Education Department will launch a coordinating council to provide formal collaboration between government officials and district leaders to help schools strengthen their cybersecurity capabilities in the face of attacks that have closed campuses and exposed highly sensitive student and educator information online. The effort was announced by senior Biden administration officials on a press call Sunday evening. 

The council is being billed as the department’s “key first step” in a renewed focus on cybersecurity after multiple districts — including in Los Angeles and Minneapolis — were targeted by cyber gangs. 

At the White House event, federal officials will hear from school district leaders who navigated attacks, including Los Angeles Unified School District Superintendent Alberto Carvalho, who led America’s second-largest school system through a hack last September. That breach, an investigation by The 74 revealed, exposed thousands of current and former students’ highly sensitive psychological evaluations on the dark web.

In addition to the first lady, others expected to attend the 4 p.m. White House summit include Education Secretary Miguel Cardona, Homeland Security Secretary Alejandro Mayorkas and Federal Communications Commission Chairwoman Jessica Rosenworcel. 

Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, said the administration seeks to help school districts protect sensitive information about students, parents and educators. In March, a ransomware attack against Minneapolis Public Schools led to a data breach that exposed more than 189,000 files, including records related to sexual misconduct investigations, child abuse reports and district physical security information that’s typically kept private. 

Neuberger called the Minneapolis breach “a particularly vicious example,” citing the disclosure of closely held school security information, which was first revealed in an investigation by The 74. 

Teams of federal cybersecurity experts will visit schools and help them create incident response plans, said Neuberger, adding that districts — particularly small ones — often lack the money and resources to adequately prepare for attacks. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

Cindy Marten, the deputy secretary of education, said that government officials and school leaders must make school cybersecurity a priority at the same level as physical infrastructure. She said she experienced firsthand how districts and the federal government can work together to mitigate the harm from attacks. Carvalho reached out to the Education Department after the Los Angeles district was hacked, Marten said, making clear the importance of partnerships.

It can take as long as nine months for districts to recover from cyberattacks, , and can cost them as much as $1 million to respond. 

Several technology companies have also committed to offer schools “free and low-cost resources.” Amazon Web Services pledged to provide $20 million for a K-12 cyber grant program, free security training and incident response help. Meanwhile, will offer free cybersecurity tools to small districts with 2,500 or fewer students. 

Other federal commitments announced Monday include a guide from the Federal Bureau of Investigation and the National Guard Bureau to help schools report cybersecurity incidents and tap into federal cyber defense expertise. 

Last month, the Federal Communications Commission proposed a $200 million grant program to help districts bolster cybersecurity. 

Schools Are Now the Leading Target for Cyber Gangs as Ransom Payments Encourage Attacks /article/schools-are-now-the-leading-target-for-cyber-gangs-as-ransom-payments-encourage-attacks/ Tue, 01 Aug 2023 11:45:00 +0000 /?post_type=article&p=712433 Shoddy cybersecurity practices and a willingness to pay ransom demands have made school districts ripe for online exploitation, new data suggest. In fact, they’ve become the single leading target for hackers. 

Last year, a startling 80% of schools suffered ransomware attacks, according to and released last month. That’s a surge from 2021, when 56% claimed they were victims. The rate has doubled over two years, making ransomware “arguably the biggest cyber risk facing education providers today,” researchers found.

The victimization rate against schools was higher than all other surveyed industries, including health care, technology, financial services and manufacturing. 

While the Sophos survey included responses from 400 IT professionals working in education globally, U.S. institutions are “the prime target for many of these gangs,” particularly since Russia invaded Ukraine, said Chester Wisniewski, field chief technology officer of applied research at Sophos. 

Chester Wisniewski (Sophos)

Yet even among American institutions, he said two factors have made schools particularly vulnerable to threat actors. Costly cybersecurity safeguards in schools often fail to rival those in place at major businesses like banks and technology companies. And schools aren’t just easy to hack, they’re also easy to exploit for profit, he said. Nearly half of attacks against schools last year — 47% — led to ransom payments, researchers found, and their willingness to shell out cryptocurrencies to retrieve stolen files may have backfired. 

“If a given sector pays more often than another sector, then they get targeted more often and if a given sector is really insecure and it’s super easy to break in, they’ll also get targeted more,” he said. “In the case of education, unfortunately, it’s a double whammy because they do pay very often and they also are really easy to break into.”


The rise in ransomware attacks on schools coincides with the growth in double-extortion schemes, researchers found. In double-extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. If victims don’t pay, the criminals sell the data or publish it to a leak site. 

Files contained in those data breaches routinely contain sensitive and confidential information about students, their parents and educators. After an attack last year against the Los Angeles Unified School District, threat actors published highly sensitive psychological evaluations of some 2,000 current and former students. Following a computer breach this spring at Minneapolis Public Schools, a cyber gang uploaded to the internet a trove of stolen files including ones detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

While both incidents were large-scale attacks, many others likely unfold on a much smaller scale, Wisniewski said. Of the 80% of districts reporting attacks, he said the figure likely includes instances of a single student’s or educator’s computer being compromised. 

“The sophistication is very low, it’s smash-and-grab stuff,” he said. “They literally are just encrypting a laptop and saying, ‘Pay us $500 for the keys,’ and they don’t have the time nor the skills to bother exfiltrating data and stuff like the big groups do.” 

Scott Elder, the superintendent of Albuquerque Public Schools, knows firsthand the challenges that education leaders face when their districts become the targets of cyber criminals. A r last year, forcing the district to cancel classes. Ultimately, the district and law enforcement were able to resolve the attack without paying a ransom. He told The 74 he was surprised that schools have become the top ransomware target because “we don’t have any money.” But he’s well aware that districts are vulnerable. 

“The reality is, we have incredibly dedicated people who are working incredibly hard to keep our data safe, but we just can’t pay as much as the private sector,” Elder said. “I’d imagine there are a lot of districts that are struggling to attract top-tier talent to do this type of work.” 

Last year, stolen data was encrypted in 81% of cases against schools and attacks were stopped in just 18% of cases before district information was locked, according to the Sophos report. Of schools that had their documents locked behind an encryption key, threat actors made their own copies of the information in 27% of cases. 

While schools may be tempted to pay ransoms to retrieve stolen data quickly and minimize harm, the Sophos report offers counterintuitive findings. Recovery costs were higher in districts that shelled out ransoms, even before factoring in the cyber gang’s financial demands. It also took those districts longer to get back up and running, according to the report. While 35% of districts that relied on file backups for their data recovered within a week, the same was true for 32% of those that paid ransoms. The report doesn’t explore the number of school districts which didn’t pay ransom demands and then had their confidential data leaked online. 

The confidential nature of compromised data, and the potential damage of its public release, influence districts’ decisions to pay ransom, Elder said. 

“This is highly confidential information, some of it can be harmful, and we’re educators: We like to take care of people,” Elder said. “But I do think sometimes we have to draw a hard line to manage our property. It’s a hard decision. I doubt there’s any single answer for anyone.”

Insurance appears to be a motivating factor in districts’ decisions to pay ransoms, Wisniewski said. In school systems with standalone cyber insurance, 56% of victims paid the ransom compared to 43% with broad insurance policies that included cybersecurity coverage. Ransom demands are often covered by insurance, Wisniewski said, and companies who have to pay off the claims are likely to have significant influence over which districts come across with the money.

“The only conclusion I can draw from that is the insurance companies think that paying the ransom is going to save them money because in the end the insurance company is on the hook for helping you recover,” he said, despite emerging data to suggest the contrary. “The insurance companies are constantly playing catchup trying to figure out how they can offer this protection because they see dollar signs while everybody wants this protection, but they’re losing their butts on it.”

Controversial Gunshot Detectors on Minneapolis Schools, Cyber Attack Reveals
/article/minneapolis-schools-secretly-partnered-with-shotspotter-surveillance-company-cyber-attack-reveals/
Wed, 31 May 2023 11:15:00 +0000

Updated, May 31

Shortly after a dozen gunshots erupted from a stolen red SUV on the northside of Minneapolis this month, emergency dispatchers were notified of the drive-by shooting that shattered a window at the school district’s administrative headquarters. 

District officials promptly reported the shooting to the cops, who briefly halted their chase when they encountered a school bus dropping off students. A second police report, this one from a California-based surveillance company, had also alerted authorities to the ear-piercing pops. 

The incident resulted in the arrest of three teenagers, who were ultimately chased down by cops on foot and a state police helicopter in the air. Shootings and car thefts have surged in Minneapolis over the last several years and, in , Minneapolis Police Chief Brian O’Hara said that out-of-control youth had become “a danger to themselves and to anyone who happens to be around them.” 




Yet in some ways, the teenage arrests were an anomaly: The controversial ShotSpotter surveillance sensors that notified police to the blasts, have found, rarely direct police to the scenes of firearm crimes. Concerns about ShotSpotter false alarms and their disproportionate effects on Black residents didn’t stop the city’s school district from secretly partnering with the company, an investigation by The 74 has revealed. 

For nearly a decade, Minneapolis Public Schools has made northside campus buildings available to bolster a massive surveillance network that peppers neighborhoods with microphones designed to detect, analyze and geolocate gunfire. 

Since at least 2014, the school district has agreed to host nondescript ShotSpotter sensors on the rooftops of campus buildings, according to contracts that were leaked as part of a massive cyber attack on Minneapolis Public Schools earlier this year. Six agreements, signed in 2014 and 2019, authorize the sensors to be mounted atop school buildings “in an ‘out of sight’ fashion.” The city maintains the primary contract to station ShotSpotter sensors throughout Minneapolis; the school district simply agreed to host the devices on their property. Last year, the city’s latest contract for the sensors totaled $168,000, according to GovSpend, a database that tracks government procurement. 

Surveillance camera footage captures three teens in a red Kia that Minneapolis police allege shot through a window at the school district headquarters. Police responded to the scene after ShotSpotter alerted officers of gunfire. (Minneapolis Police Department) 

Subjected to a relentless stream of mass school shootings, school districts nationwide spend billions of dollars each year on campus security, including on gun-detection hardware. Yet ShotSpotter’s footprint in education remains largely unknown. The locations of the gun-detection sensors in Minneapolis and urban communities nationwide have for years been intentionally hidden.

In the leaked contracts, Minneapolis school officials agreed to withhold from the public information about its participation in the surveillance program. Details about the sensor locations, officials agreed, “cannot be disclosed under any circumstances.”

In Minneapolis, campus ShotSpotter locations were uncovered during The 74’s investigation into the fallout from the February cyber attack. Highly sensitive information about students and educators, as well as confidential campus security information, were published online in March after the district failed to pay the Medusa cyber gang’s $1 million ransom demand. 

ShotSpotter’s efforts to thwart bloodshed from gun violence are commendable, said Teresa Nelson, the legal director of the American Civil Liberties Union of Minnesota. But, she said, privacy and racial disparities in ShotSpotter locations, as well as reports calling into question the sensors’ effectiveness, outweigh their potential benefits. And efforts to withhold the school district’s ShotSpotter agreement from the public stifle residents’ ability to engage in conversations about how to keep their communities safe, Nelson said.

Ultimately, “it adds a layer to the idea of policing in our schools” that could be problematic, she said. ShotSpotter coverage of schools, she worried, could send police who are “ready for an extremely dangerous confrontation” to campuses “for no reason” due to false alarms from fireworks, backfiring cars and other loud noises. 

“That changes the tenor of policing in that area,” she said. “Police have tremendous power and so the community is entitled to know how they’re using that power and how they’re using new technologies that allow them to effectively conduct general mass surveillance.”

The Minneapolis school district didn’t respond to multiple requests for comment. The district has been criticized for not sharing more information with the public about the nature and extent of the breach — on its website is from April 11. It declined interview requests from The 74 for a May 15 investigation about the breach of closely guarded campus security information and didn’t respond to questions for a May 5 article on the leak of highly sensitive information about students and staff.

In an email, Minneapolis Police Department spokesperson Garrett Parten declined to disclose the number of ShotSpotter sensors deployed across Minneapolis, adding that the company selects installation locations. The technology, he said, “has been an excellent tool in aiding the quick location of shooting victims” so they can receive medical attention “when seconds count.”

“In general, ShotSpotter pinpoints the location of gunfire,” Parten said. “This allows officers to respond directly to a location rather than doing a grid search looking for evidence. As such, officers are able to quickly locate and secure evidence that might otherwise be removed, compromised, or missed altogether.”

Thomas Chittum, the senior vice president of analytics and forensic services at ShotSpotter owner SoundThinking, said the data breach in Minneapolis is a rare occurrence but the publicly traded company is taking the incident seriously. Though the sensors are regularly placed on municipal buildings like police departments and schools, he declined to specify how many are stationed on campuses in Minneapolis or nationwide. Sensor locations are confidential, he said, to prevent vandalism, retaliation against businesses and agencies that agree to host the devices, and efforts by gunmen to get around the system. 

“Now that these things are known publicly, we have to assess whether or not we think it poses a risk to the efficacy of the system,” said Chittum, who retired last year as acting deputy director of the federal Bureau of Alcohol, Tobacco and Firearms. “The sensors are not hard to relocate but we’ll have to assess whether or not that’s feasible and necessary.”

Few arrests, little evidence of gun-related crimes 

Researchers and civil rights groups have warned for years that the technology, which is disproportionately deployed in communities of color, could do more harm than good by routinely sending militarized police into high alert over false alarms. SoundThinking maintains that its ShotSpotter sensors are 97% accurate.

The on ShotSpotter’s efficacy, published in 2021 in the peer-reviewed Journal of Urban Health, reported dismal findings. The analysis of ShotSpotter in 68 metropolitan counties from 1999 to 2016 found the sensors had no significant impact on firearm-related homicide rates or arrest outcomes. 

ShotSpotter deployments have been especially contentious in Chicago, where the sensors are disproportionately installed in neighborhoods with large percentages of Black residents. In , ShotSpotter alerts send Chicago police to locations where they failed to find evidence of gun crimes, according to research by the MacArthur Justice Center at Northwestern University’s law school. Between April 2021 and April 2022, , 90% of ShotSpotter dispatches failed to find evidence of guns. In a 2022 lawsuit, the group that enables discriminatory policing without a clear public safety benefit. 

from the city’s Office of Inspector General, published in 2021, reached similar results, concluding that the alerts rarely produced evidence of gun-related crimes, investigatory stops or recovered firearms. Yet the sensors led police to make more aggressive stops in certain neighborhoods, the office found, offering fodder for advocates who argue the devices lead to the over-policing of Black residents. 

In a, researchers called the MacArthur analysis “misleading” and concluded that, “based on client reports,” ShotSpotter sensors were 97% effective in detecting gunfire. 

Chittum said the sensor locations are selected based on historical crime data and rejected advocates’ concerns over racial disparities. 

“The people that balk at the idea that you would deploy public safety infrastructure in the place where it could do the greatest good boggles my mind,” he said. “Of course you’re going to deploy it in the place where it’s most likely to help the people that have had the greatest impact from gun violence. I just don’t understand why you wouldn’t want law enforcement to know about shootings that occur in those neighborhoods.”

While the City of Chicago has long been a key ShotSpotter customer and former Democratic mayor Lori Lightfoot called the tool “a lifesaver,” . New progressive Mayor Brandon Johnson campaigned on a promise to end the city’s $33 million ShotSpotter contract, vowing to instead “invest in new resources that go after illegal guns without physically stopping and frisking Chicagoans on the street.” After Johnson’s election, the more than 25%.

After weighing the costs against their benefits, officials in several cities — including , and — have ended their ShotSpotter subscriptions. In San Antonio, officials spent more than $500,000 for the sensors, an expenditure that led to four arrests and seven weapons seizures . 

Similarly in Minneapolis, ShotSpotter alerts have rarely led to arrests or evidence of gun-related crimes, . An analysis found that Minneapolis police responded to about 8,500 ShotSpotter activations from January 2020 to September 2021. About 80% of the time, police didn’t locate evidence of a gun-related crime and only 32 activations — less than 1% of the total — led to an arrest.

On one occasion, in 2012, the city on New Year’s Eve because the system became overwhelmed by alerts from the blasts of fireworks. 

‘Still losing our young people’

The six Minneapolis campus ShotSpotter locations disclosed in the breach are clustered in the city’s northside. Districtwide, about a third of Minneapolis students are Black. At the campuses where ShotSpotter sensors were disclosed, nearly two-thirds of students are Black. 

The roughly 33,000-student district operates just shy of 100 schools. It’s unclear whether the devices were placed at a limited number of district locations or whether information about other campuses that serve as ShotSpotter hosts was spared in the data leak. Though police said ShotSpotter alerted them to the recent drive-by shooting — along with calls from educators — the leaked contracts don’t outline a sensor location at the district’s administrative offices. 

Marika Pfefferkorn (LinkedIn)

While the specific locations of ShotSpotter sensors citywide haven’t been publicly disclosed, residents are well aware of their presence in certain neighborhoods, said Marika Pfefferkorn, a Twin Cities-based student privacy advocate and executive director of the Midwest Center for School Transformation. Yet the devices, she said, haven’t done enough to keep people safe. 

“It’s not preventing the shots (from being) fired,” Pfefferkorn said. “We’re still losing our young people.”

In Minneapolis, homicides have surged by 166% since 2019 and the number of gunshot victims has more than doubled, . More than four-fifths of shooting victims in the city are Black, according to the data, as are 89% of suspects. 

Outside Minneapolis, three school districts — one in Texas and two in Massachusetts — have purchased ShotSpotter services, according to GovSpend.

In 2021, the Newark, New Jersey, school district agreed to install the sensors on 30 school buildings in predominantly Black neighborhoods, . Information about the agreement was removed from the school system’s website after the school board received an email inquiry from the education news outlet. 

In a 2022 email also exposed in the Minneapolis data breach, a ShotSpotter employee declined to disclose to a school district facilities official the on-campus locations of its sensors, arguing that could allow the information to “fall into the wrong hands.” 

“If the location of all sensors became known to the public,” the employee wrote, “criminals would have the capability to disable the gunshot location and detection functionality of the system, or otherwise seriously compromise the law enforcement utility of the system.”

As communities nationwide debate efforts to bolster security in school buildings, parents are demanding a seat at the table, said Kenneth Trump, president of the Cleveland-based National School Safety and Security Services. 


“Parents expect authentic, transparent communication from school officials,” he said. When schools and cities equip communities with emerging security technology, officials “had better be transparent about expectations and limitations, and I’m not sure that’s occurring.” 

Ultimately, it’s up to the City of Minneapolis to assess whether the sensors work as intended, said Nelson of the ACLU’s Minnesota chapter. 

“Without strict limitations and auditing, we can never really be certain that it’s not being abused,” she said. “There needs to be more transparency and more assurances that it’s not going to be abused.”

How Leaked School Security Maps Could Put Minneapolis Kids in Danger
/article/how-leaked-school-security-maps-could-put-mn-kids-in-danger/
Mon, 15 May 2023 11:01:00 +0000

As a visitor approaches the front entrance of a Minneapolis elementary school, their every move is documented by a security camera. A second camera positioned on the right picks them up as they walk down the hallway and a third keeps a watchful eye as they pass by the gym. 

The specific locations of the campus surveillance cameras, and other sensitive details about the school’s physical security infrastructure, are attainable without ever stepping foot inside. That’s because they’re now readily available online, an investigation by The 74 has found. Security experts said the startling revelation puts students and staff citywide at risk of physical danger at a moment when mass school shootings have , including a March attack in Nashville where police say the shooter relied on a hand-drawn map. 

“Folks are already on edge with what’s been going on in schools and the fact that they got all of the security information and then think about who has it,” said Marika Pfefferkorn, a Minnesota-based student privacy activist and executive director of the Midwest Center for School Transformation. The information, she noted, is already in the hands of known threat actors. “At any moment, we’re just vulnerable.” 

The school security records, including blueprints of campuses citywide, were uncovered in an analysis by The 74 of confidential files purportedly stolen from the Minneapolis school district by the ransomware gang Medusa. The records were published online in March after the district refused the cyber criminals’ demand for $1 million to keep the highly sensitive information from becoming public. The data encompasses more than 189,000 individual files totaling 143 gigabytes. The records, which outline specific, technical details about security systems in Minneapolis schools, can be downloaded with little more than a Google search. 

States nationwide have ramped up efforts to digitize their campus security layouts, and since the mass school shooting in Uvalde, Texas, last year, several have rolled out multi-million dollar in hopes they help improve police response times.

Along with insight into campus layouts and surveillance camera placements, the leaked Minneapolis records pinpoint the locations of fire alarms, security keypads, gas meters and water shutoff valves. Videos and PowerPoint presentations offer instructions on how to arm and disarm a campus alarm system. Maps document the routes that children are instructed to take should an emergency force them to evacuate their buildings.

In an email, district spokesperson Crystina Lugo-Beach declined interview requests from The 74. She said a third-party company is “meticulously reviewing all the documents released by the threat actor” and that the district has “not yet been provided with the results of that review.” 

“This has been, as you know, an incredibly difficult situation for our community,” she continued. “With accurate, comprehensive information, we will certainly make any necessary updates to our safety protocols.” 

Given the sensitive nature of the campus security records, they’re generally inaccessible to the public. Under , government records related to “security information” are explicitly exempt from public disclosure. This shields documents, including those maintained by public schools, that are “likely to substantially jeopardize the security of information, possessions, individuals or property.” Government entities typically apply a broad interpretation of the exemption to withhold records, said Don Gemberling, a Minnesota Coalition on Government Information board member who spent three decades in state government helping public agencies comply with the Data Practices Act. 

“The kind of things you’re talking about, if you went and asked for it they’d tell you that you couldn’t have it,” he said. 

Gemberling, who lives in Saint Paul, said the school district must move quickly to reconfigure its security systems. 

“I’d be changing the location of cameras, I’d be making sure that every door that indicates some kind of vulnerability is fixed,” he said. “I’d sure be looking at where my security software failed because it appears to have failed miserably.” 

The Minneapolis schools breach also exposed confidential and highly sensitive records about individual students and teachers, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports. Some of the sensitive files are from earlier this year, though many of the campus security records are undated and it is unclear which details remain accurate. 

For individual students and educators whose sensitive information was published, the data breach could have serious, long-term ramifications, said school cybersecurity expert Doug Levin. Yet even taking into account that disturbing consequence of the breach, the release of campus security records presents a serious escalation. 

“You’re talking about the possibility of catastrophic outcomes for a whole school community,” said Levin, the national director of the K12 Security Information eXchange. “If there was somebody who was aggrieved and wanted to go onto the campus and create an issue, knowing that these files are out there, it certainly represents a heightened risk.”

Despite the significant volume, recency and sensitivity of the exposed files, community members said the district has failed to be transparent and forthcoming about key details. For a , local television station WCCO News obtained district emails that exposed a nearly two-week delay between the time officials learned about the cyber attack and when they alerted families to what they euphemistically called an “encryption event,” warning them their personal data could be compromised. 

‘I’m going to kill some kids’

Amid the , campus safety has become a top concern for parents, with nearly 70% saying they are at least somewhat worried about a shooting unfolding at their child’s school, according to a Pew Research Center poll. 

Mass school shooters often conduct significant research and planning prior to their attacks, . Previous shooters have surveilled the campus police officer “in order to learn his route, noting security camera locations and trying to arrange meetings with a targeted teacher,” the report notes. Some rely on maps. 

Prior to the attack on a Nashville Christian elementary school in March, police said the of the school and drew a map that outlined their attack plan, which left three children and three adults dead. Just last month, a 20-year-old St. Olaf College student was on the campus roughly 40 miles south of Minneapolis. Police say the student had a gun magazine, plans to buy guns, a list of security radio frequencies and a map of the school’s recreation center with an exit route. 

Breaking from a common procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as The 74 first revealed, download links were published on a faux technology news site that’s indexed by standard search engines. They’re also available on Telegram, the encrypted instant messaging service that’s been and . 

A single Telegram account was identified in a as a primary source in a nationwide wave of so-called swatting calls. The swat-for-hire account holder has reportedly called in dozens of false mass shooting reports nationwide that have sent police scrambling to respond. Perpetrators tend to make the phony threats sound as credible as possible and access to school floor plans — perhaps on the same platform they already use — could be seen as extremely valuable. In recent posts on the app, the Telegram user identified by Vice announced that an online marketplace to sell their swatting services was set to drop in late May or early June, possibly leading to an escalation in the hoax attacks that are already bedeviling law enforcement. 

The Minneapolis cyber attack isn’t the first time that hackers have breached a school’s physical security safeguards and exploited parents’ fears of mass shootings. In 2017, hackers with the notorious ransomware gang TheDarkOverlord infiltrated district computer networks and used school data to send parents threatening the 2012 Sandy Hook Elementary School shooting. “I’m going to kill some kids at your son’s high school,” texts to Iowa parents read. In Montana, the hackers reportedly , allowing them to watch what was being recorded.  

‘Complete damage control’

School safety experts told The 74 that Minneapolis officials must take immediate steps to mitigate risks after the hack. But the path forward, they said, won’t be easy. 

Following a 2020 ransomware attack in Baltimore, the county school district in recovery costs.  

“The district, at this point, has to be in complete damage control mode,” school security consultant Kenneth Trump told The 74, adding that school leaders must adopt heightened situational awareness of potential threats moving forward and shore up their cybersecurity procedures to prevent additional leakage. “You can’t put the genie back in the bottle, it’s already out there. The first step is to take a look at your systems and what steps that you can take to prevent it from happening again.”

Yet the district should steer clear of reconfiguring its breached physical security systems “just for the sake of ‘haha, now you don’t know where they are,’” said Trump, president of the Cleveland-based National School Safety and Security Services. Such a move, he said, could simply make the campuses more vulnerable. 

“If they were where they were supposed to be in the first place, they were there to serve a specific purpose,” he said. “It makes no sense: ‘OK, you know one (camera) is in the back hallway. We’ll show you — we’ll take it out.’” 

Because camera systems and other physical security infrastructure is “essentially immutable,” the hack presents an ongoing concern, Levin noted, and could be exploited by threat actors well into the future. 

State to “establish appropriate security safeguards for all records containing data on individuals.” To Gemberling, of the Minnesota Coalition on Government Information, it’s clear that didn’t happen. 

“Somewhere along the way, somebody is going to sue about this because we live in a pretty litigious society,” said Gemberling, who regularly fields questions about the viability of lawsuits after data breaches. “I’m a retired attorney, I’ve written law review articles about this stuff. If somebody were to call me about this particular one I’d say, ‘Go for it.’”

While the breached sensitive information about individuals could open the district to litigation, he said the physical security records present an even greater risk should someone use the information to carry out an act of violence.

“Now you’ve got serious problems, especially if people could prove that, but for the failure to keep the data secure, that (attack) would never have happened,” he said. “That’s what security is all about, is keeping people from getting hurt.” 


Minneapolis Data Breach a ‘Worst-Case Scenario’ after Ransomware Attack
/article/from-campus-rape-cases-to-child-abuse-reports-worst-case-data-breach-rocks-mn-schools/
Fri, 05 May 2023 11:15:00 +0000

Updated

It took two years of middle school girls accusing their Minneapolis English teacher of eyeballing their bodies in a “weird creepy way,” for district investigators to substantiate their complaints.

Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public Schools investigative records that are now readily available online — just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

The files, purportedly stolen from the Minneapolis school district, first appeared online in March, just days after a ransomware gang named Medusa announced the school system failed to pay $1 million to keep its information from getting posted to the web. 

In a leaked 2018 email, a district official seems to make light of the frequency of civil rights complaints after several girls accused their high school Arabic teacher of inappropriate touching. 

“When it rains, it pours, I guess!” the district official wrote. In other documents, an educator was accused of buying a colleague a lap dance during an after-work outing to a strip club and, in a separate incident, a district technology specialist was accused of hacking into a girl’s social media to stalk her on a date. The veracity of the files hasn’t been confirmed by Minneapolis schools, but by all appearances they expose a shocking degree of information about current students and staff. 

The information is so searingly personal that attorney and student privacy consultant Amelia Vance said she would have a hard time strategizing a mitigation response. 

“I’m an expert in this and I have no idea,” Vance, president of the Public Interest Privacy Center, told The 74. 

The records were uncovered in an analysis by The 74 of a cache of files reportedly stolen from Minneapolis schools and uploaded to the internet after the district fell victim to what it euphemistically described as an “encryption event.” The Medusa gang, a that adopts a clumsy, perhaps youthful online persona, ultimately took credit for the February breach that led to . 

The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse. 

Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns. 

“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.” 

She’s also struggled to give meaningful advice to anxious parents who need help. 

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.’” 

‘A rock over their head’

While the oldest breached records span back to at least 2018, the most recent files, including several related to confidential civil rights cases, are from earlier this year. Some of the files — which were previewed in a 50-minute video — can be read with little more than a Google search. 

The way the files were uploaded is “part of what makes this incident so heartbreaking and extraordinary,” Vance said. 

Breaking from standard procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as ˶ first revealed, download links were published to Telegram, the encrypted instant messaging service, and a faux technology news blog that appears to have direct ties to the ransomware attackers. Unlike breaches posted to the dark web, which require special tools and some know-how to access, Vance said “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”

The files include district financial records, educators’ Social Security numbers and other documents that have long been targets for cyber criminals looking to facilitate identity theft. Yet Vance said the real harm — and a distinguishing feature — of the Minneapolis breach is the sheer volume of compromising information about students and staff that has been exposed. 

The district didn’t respond to a list of questions from The 74. In its , from April 11, interim Superintendent Rochelle Cox said it has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.” While a small subset of the data was previewed in a video in early March, a download link for the complete archive of stolen district records didn’t become available until late March. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7, but does “not have the results of that investigation.” 

Because the harm from ransomware attacks has long been framed through the lens of identity theft and fraud, robust protections are now in place to help the victims of financial crimes, Vance noted. Parents can freeze their children’s credit. People can also cancel any credit cards that get caught up in a breach, and districts regularly provide identity theft protection to data breach victims. 

After the release of highly sensitive information, she said there are no clear remedies for something that could be potentially life altering for victims.

“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?” 

‘Potentially catastrophic’ 

Federal law enforcement officials have long advised school districts and other cybercrime victims against paying ransom demands, but the sheer volume and sensitive nature of the breached Minneapolis files has left some experts questioning whether the district made the right call by refusing to pay up. 

“There are circumstances where — if you’re looking at it from a question of, ‘How do you reduce potential harm and risk and danger to your school community,’ — then doing the unsavory is perhaps the correct choice,” said Doug Levin, the national director of the K12 Security Information Exchange.

Officials generally warn against paying ransoms for several reasons: Negotiating with known criminals may not produce the desired outcome, and offering payments helps finance future crimes. But in this case, Levin said the Minneapolis district was presented with a difficult choice. Even before the records were posted online, the group took extraordinary steps — including uploading a video to Vimeo — to publicize sensitive records in what appeared to be a particularly aggressive bid to coerce payment. 

Given how current and diverse the stolen records are, Levin and other experts suspect Medusa infiltrated multiple live computer systems. The freshness of the files, Levin said, means their content may still be accurate and, for bad actors, actionable. 

Calling the Minneapolis breach a “worst-case scenario,” he said, “The amount of information that was taken and the recency and the scope of it is certainly deeply troubling.”

Minneapolis may be a cautionary tale for districts nationwide that have fallen prey to money-hungry ransomware gangs leveraging “double-extortion” attacks against schools, hospitals and businesses. In such incidents, which present an alarming evolution from previous strategies, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand that their victim pay a ransom to regain control of the files. Then, if the money doesn’t materialize, they sell the data or publish it to a leak site. 

Ransomware attacks on U.S. schools have become a primary concern for federal law enforcement officials this year. In January, the federal Cybersecurity and Infrastructure Security Agency in attacks with “potentially catastrophic impacts on students, their families, teachers and administrators.” Since the pandemic forced students into remote learning, district cyber attacks have been particularly acute. The number of publicly disclosed cybersecurity incidents affecting schools grew from 400 in 2018 to more than 1,300 in 2021, according to that relies on data from Levin’s group. 

Federal law enforcement officials have had several recent victories in tracking down cybercriminals. BreachForums, a popular dark web marketplace where people could buy stolen data, was shuttered after Federal Bureau of Investigation agents in March. The capture of the 20-year-old, who authorities allege operated the forum from his parents’ Peekskill, New York, house, sent shock waves through the cybersecurity community and disrupted the global cybercrime ecosystem. In January, federal authorities took control of a prolific ransomware gang’s leak site and against seven men connected to a Russian-based ransomware group known to target schools. 

In Washington, pending introduced last month seeks to better track cyber incidents in schools and would provide $20 million over two years to help affected systems recover. 

Last year, the school district in Los Angeles, the country’s second largest, suffered a massive ransomware attack that exposed a trove of compromising information about educators, students and district contractors. In response to investigative reporting by The 74, the Los Angeles district acknowledged the breach included the sensitive mental health records of at least 2,000 current and former students after publicly denying those records were exposed. Last month, data from the Rochester, Minnesota school district was breached after it that forced leaders to cancel classes. shuttered Des Moines, Iowa, schools in January. 

Swift action needed

Taken together, the leaked Minneapolis records offer a startling quantity of compromising information about students and teachers. They also include detailed records about campus security systems that school officials said could place children and educators at a heightened risk of physical danger. 

A single spreadsheet details 699 disciplinary incidents from the 2015-16 school year, listing students’ names and a brief description of incidents. One entry claimed a student was “threatening other students’ mothers,” and another claimed a student put his hands together in the shape of a gun and said “I’m bringing a gun to school tomorrow and shoot.” 

Each of the spreadsheet entries contains pinpoint demographic information about individual students, including their race, gender, whether they’re in special education, and whether they’re homeless or are learning English as a second language. 

One group of files includes letters informing disciplined students they could face trespassing charges if they show up on campus, while another includes reports of student maltreatment, including allegations that a bus driver hit a student and that a teacher used excessive force. 

Such records could be valuable for blackmail — and for the police. In 2020, for example, a Florida county sheriff’s office used sensitive student records to predict which ones were likely to “fall into a life of crime.” In other cases, police agencies have leaked in data breaches to conduct investigations. 

A separate group of Minneapolis records, purportedly from 2015 to earlier this year, outline nearly 300 individual district equity and civil rights investigations. 

In one case, district investigators found that over the course of several years, a boy coerced a classmate into sexual encounters in exchange for $5 and, in another case, a high school girl reported getting raped in a campus bathroom. In a detailed 2018 complaint, a high school girl accused a male classmate of raping her in a car after a home football game. Yet a district investigator ultimately dropped the complaint because the girl declined an interview and the official was “unable to ascertain her credibility based only on her written statement,” according to breached files. 

In multiple complaints, educators were accused of being racist. Just last year, an English as a second language teacher at a Minneapolis high school was accused of racial harassment when she reportedly used the name of a Somali student and a cartoon of a woman wearing a hijab in a class presentation. The slide defined the idiom “to have a bone to pick” and the teacher reportedly asked the student to read to the class a description of the term with her name attached: “(redacted) never comes to class on time; she leaves class without permission, is affecting her peers, her grades and is disrespectful to her peers.” 

In January, a complaint accused a high school coach of making a transphobic joke and openly discussing his genitals. While he was stretching in front of a group of female athletes, the complaint alleges, he warned them that he was wearing “very short shorts” and instructed them to “let me know if my junk falls out.” 

In a case from January, the middle school English teacher accused of gazing at students’ bodies and touching them inappropriately was placed on paid administrative leave while district investigators conducted their inquiry. Investigators determined the complaint was substantiated, but the middle school’s website still lists the teacher in its staff directory. A district spokesperson did not respond to questions about whether the teacher faced disciplinary action or his current status.

Given the many ramifications, Levin said the breach demands swift action to ensure the safety of the school community and to prevent something like this from happening again. He said the Minneapolis school board — or even state authorities — need to launch a prompt investigation. 

“States do intervene in school systems when they’re being financially irresponsible or even academically irresponsible,” Levin said. “It may be that Minneapolis is not equipped to deal with the fallout from an incident like this.” 

Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online /article/days-after-missed-ransomware-deadline-stolen-mn-schools-files-appear-online/ Wed, 22 Mar 2023 21:50:00 +0000 /?post_type=article&p=706402 A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . The 74 is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. 

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.” 

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.” 

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange.

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or creating an action plan in case they become the target of harassment. 

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.” 

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued. 

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol. 

District officials didn’t respond to requests for comment from The 74 Wednesday. Attempts by The 74 to reach the gang have been unsuccessful. 

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession. 

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information — and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I’m hoping I’m not on there. I attend school and work at this district.” 

The Telegram user, who identified themselves to The 74 as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.” 

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.” 

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery /article/minneapolis-hackers-student-data-deadline-published/ Fri, 17 Mar 2023 22:49:27 +0000 /?post_type=article&p=706110 A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.

Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by The 74 to reach the gang have been unsuccessful.

Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform. 

Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 

Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.” 

Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

[Screenshot] An entry on the Medusa cyber gang’s dark web leak site says it has published stolen Minneapolis Public Schools data after the district declined to pay a $1 million ransom. (Screenshot)

Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes. 

“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.” 

By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — were uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte. 

The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, is more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.” 

The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand. 

Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response. 

People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the ‘clearnet’ where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution. 

“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act. 

In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.” 

During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services. 

Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen points to the threat actors possibly lurking inside the MPS computer systems for weeks — if not months. 

“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”

As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls and to change their passwords, and has warned them against downloading any data released by cyber criminals because it plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.” 

The 74’s Mark Keierleber to Appear on PBS Friday to Talk MN School Data Breach /article/the-74s-mark-keierleber-to-appear-on-pbs-friday-to-talk-mn-school-data-breach/ Thu, 16 Mar 2023 11:15:00 +0000 /?post_type=article&p=705943 The 74’s investigative reporter Mark Keierleber, who has broken news about the leak of sensitive student data on the dark web, will be discussing the latest cyber threat to Minneapolis Public Schools on Twin Cities PBS’s Almanac news show Friday.

The will air after a countdown clock on the Medusa cyber gang’s dark web leak site strikes zero at about 4 a.m. ET Friday. The leak site suggests the Minneapolis school district’s window to meet a $1 million ransom demand will then close and a trove of district data, which appears to include a significant volume of sensitive student and educator records, will become available online.

The 74’s earlier reporting documented that Medusa’s tactics, which included posting a since-removed video previewing what appeared to be the stolen documents in its possession, were more aggressive and more marketing-savvy than those generally seen in other school district cyber attacks. 

A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a sizable volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

The Minneapolis Public Schools, which came under fire for referring to the February breach as an “encryption event,” has not released any additional information since a March 9 statement posted on its website. In it, school leaders indicate they don’t intend to deal with Medusa to get their now-encrypted data back.

“We have taken a stance against these criminals and are restoring our systems without the need to cooperate with them. As our response continues, we continue to work with and align with the best practices provided by federal law enforcement.”

Medusa is apparently a popular name among threat actors. The group that struck Minneapolis schools, according to , Bleeping Computer,  got its start in June 2021, but upped its profile this year by increasing its ransomware activity and launching its ‘Medusa Blog’ leak site to publish victims’ data.

A ransomware gang called Vice Society attempted to extort the Los Angeles Unified School District last year after it broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

District officials sought to downplay the attack’s effects on students. But an investigation by The 74 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat
Thu, 09 Mar 2023 14:01:00 +0000 | /article/hackers-use-stolen-student-data-against-minneapolis-schools-in-brazen-new-threat/

Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district.

While districts nationwide have become victims in in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession. 

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

A preliminary review of the gang’s dark web leak site by The 74 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang’s dark web leak site references a sexual assault incident involving several students. (Screenshot)

The video is no longer available on Vimeo and a company spokesperson confirmed to The 74 that it was , which prohibits users from uploading content that “infringes any third party’s” privacy rights.

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.” 

Here’s a snippet of the video’s introduction (with all sensitive records omitted):

The Minneapolis school district hasn’t acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed “technical difficulties” with its computer systems to the referenced “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity. 

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.  

In a statement to The 74 Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.”

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

A file uploaded to the Medusa ransomware gang’s dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. (Screenshot)

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost, they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an exploitation technique that’s become popular among ransomware gangs in the last several years. 

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site. 

Such a situation recently played out in the Los Angeles Unified School district, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

District officials have sought to downplay the attack’s effects on students. But an investigation by The 74 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site and earlier this month officials with ties to a Russian-based ransomware group that’s known to target schools. 

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

The Medusa ransomware gang’s leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have their sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. (Screenshot)

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said. 

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying. 

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There’s little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa. 

“It’s already out there and that cannot be repaired,” she said. “There’s information out there that’s going to impact them for the rest of their lives.”

L.A. Schools Admits Sensitive Student Records Leaked After 74 Investigation
Thu, 23 Feb 2023 19:01:00 +0000 | /article/l-a-schools-admits-sensitive-student-records-leaked-after-74-investigation/

After The 74 published an investigation revealing that hundreds — if not thousands — of student psychological assessments were posted on the dark web, Los Angeles public schools acknowledged that the highly sensitive information had been exposed.

Its admission on Wednesday, which included the news that 60 current students’ records had been compromised, comes five months after the nation’s second-largest school district was the victim of a ransomware attack and four months after schools Superintendent Alberto Carvalho categorically denied that students’ psychological records were part of that breach.

“As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed,” Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. “Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as Driver’s License numbers and Social Security numbers.”


The 74 published an extensive investigation by reporter Mark Keierleber Wednesday revealing that the records — among the most sensitive information school districts maintain on students — could be downloaded from a dark web leak site of the Russian-speaking ransomware gang Vice Society. The cyber criminal gang infiltrated LAUSD’s computer system last year and then released the records when the school district refused to pay an undisclosed ransom demand.

When presented with the results of The 74’s investigation Tuesday, district officials did not retract or correct Carvalho’s earlier statements, which a district spokesperson said “were based on the information that had been developed at that time.” The comments were made in early October, about a month after the cyber attack was first reported, and at a point where school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web, according to the schools chief.

The district is now saying that notification to individuals whose information was posted has been slowed by the painstaking nature of the process and the fact that some of the records date back nearly 30 years. To comply with state privacy rules, the district posted to the California state attorney general’s office website in January disclosing that district contractors’ certified payroll records and their names, addresses and Social Security numbers were leaked.

School officials have not said anything publicly about notifying current or former students or district employees that their information has been compromised, but said Wednesday their investigation is ongoing and they “will continue notifying individuals as they are determined.” A day earlier, a district spokesperson told The 74 that no current or former students had been informed that their psychological records were posted online.

The records identified by The 74 were at least a decade old and involve special education students. They include a comprehensive background on the student’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.

“It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” a cyber security expert told the Los Angeles Daily News it published on the district’s response to The 74’s investigation.

Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
Wed, 22 Feb 2023 12:15:00 +0000 | /article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/

Hundreds — and likely thousands — of sensitive files were leaked online

People are likely unaware their health records were stolen

Because the district hasn’t disclosed the trove of records exists

And federal privacy laws don’t require schools to go public

Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.

Detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by The 74 has revealed.

The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records. 

But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked. 

Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws. Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools — even when the files themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed. 

But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange. 

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed,” Levin told The 74. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”

In , the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology.  The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency. 

Cybersecurity and Infrastructure Security Agency

When L.A. schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.” 

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses. 

The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files. 

The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing The 74 to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. The 74 has independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that would require health care providers to publicly disclose such a data breach if it involved patient health records.

More than 2,200 PDFs — and a large swath of other document types — follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. The records are at least a decade old and while they don’t appear to contain information about current students, they do contain highly personal information about former LAUSD students who are now in their 20s and 30s. 

In early October, Carvalho said that if their information got exposed in the data breach, assuring them, “No news is good news.” By that point, Carvalho said, school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web. 

Now, more than four months after the schools chief denied that psychological evaluations were exposed, the nation’s second-largest school district has not changed its position publicly. A district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time” and that the review was still ongoing.

“Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district told The 74 in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update,” to affected individuals and the public.

‘Huge emotional strain for the family’

The particular files posted online — students’ psycho-educational case studies — are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in special education disputes with their children’s school district.

The evaluations are how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning. 

One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’” 

In general, Catron said, such reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment.” Yet it’s often difficult for families to get sensitive information removed from the files, he said, even if it isn’t accurate. Now, with breached student records of this nature in the public domain, “who knows what is going to happen.”

“The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not, it can just cause a huge emotional strain for the family.” 

The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law. 

Available files appear to be limited to former Los Angeles students born primarily in the late 1980s and 1990s. The age of the records highlights how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.

The timeline could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.

“Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”

The disclosure gap

Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act to publicly acknowledge health data breaches affecting 500 or more people and notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.” 

The Broward County, Florida, school district recently got caught in after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on maintained by the Department of Health and Human Services. The breach portal  — often referred to as the “Wall of Shame” — includes all data breaches affecting 500 or more people that were reported to the federal agency in the last 24 months. 

District officials in Florida ultimately — three months longer than federal rules allow — to disclose the breach’s full extent on its website, according to the South Florida Sun-Sentinel. In a statement, a district spokesperson told The 74 the school system “worked diligently to investigate the incident.” Once officials realized that records related to the district’s self-insured health plan were breached, notifications to affected personnel and the federal health administration “required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified.”

“That process was complex and took substantial hours,” the spokesperson said. “Under the circumstances, notification was made in an expeditious manner.” 

The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools under the health privacy law. And even when they are, students’ education records —  — are exempt. by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but, unlike HIPAA, schools to disclose when such breaches occur.

“The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.” 

A are covered by HIPAA, the LAUSD district spokesperson said, but the psychological assessments are not. A data breach involving student’s records — like the one in Los Angeles — , according to the U.S. Department of Education. 

“FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.” 

Yet, consequences for violating FERPA are next to nonexistent. Districts if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, it’s from a district that broke the rules. 

‘A psychological torment’

To , the Los Angeles district has been about the systemic breach of sensitive records about distinct construction contractors. In posted to the California state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors. 

The data breach notice also made clear that cyber criminals had infiltrated the district’s computer network than initially disclosed. Carvalho said in October that district cybersecurity officials were quick to detect the unauthorized access and, “in a very, very unique way, we stopped the attack midstream.” 

The district spokesperson said LAUSD is working to determine whether any of the breached files are considered “medical information” under state law and whether a notification is required. Any data breach alert to the state attorney general’s office would coincide with notifications to affected individuals, the spokesperson said. 

Asked about the school district’s notification obligations for the trove of leaked student psychological records and whether it’s investigating the matter, an AG’s office spokesperson said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer any other information. Reached for comment about the data breaches in Los Angeles and Broward County, a federal Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to say anything further. 

The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached to provide compensatory services to children with disabilities after an investigation by the U.S. Education Department’s civil rights office found it had failed to provide them during the pandemic. Parents and advocates said last month many children are still waiting for those services.

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from those much-needed special education services. 

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online. 

“Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”

LA Parents Sound Off After Cyberattack Leaves Students Vulnerable
Thu, 06 Oct 2022 19:07:40 +0000 | /article/la-parents-sound-off-after-cyberattack-leaves-students-vulnerable/

For Christie Pesicka, the Los Angeles Unified School District cyberattack hits home.

During in 2014, Pesicka was one of thousands of Sony Pictures employees that had their private information exposed in the midst of aggressive attacks by a North Korean hacker group.

Now, as a mom, Pesicka worries about protecting her son Jackson, a 1st grade Playa Vista Elementary School student, so history doesn’t repeat itself.

“When you’re a kid, you won’t ever see a credit report and find out that there’s something on there until you go off to college,” Pesicka said in an interview. “By that time, somebody has had 15 years to rack up a bunch of different credit cards or properties or whatever else on your kid’s account…so that’s very concerning.”



Like Pesicka, LAUSD parents have raised concerns about the district’s response to the cyberattack, ranging from long term data protection to how well a hotline — created to answer parents and staff questions — is working. 

About 500 gigabytes of stolen district data was posted on the dark web Saturday by Vice Society, a Russian-speaking ransomware gang known to target school districts.

After the district and law enforcement analysts reviewed about two-thirds of the data, LAUSD Superintendent Alberto Carvalho assured students, parents and employees that there is no reason for widespread concern.

“The release was actually more limited than what we had originally anticipated,” Carvalho said at a Monday press conference, downplaying the damage done.

Carvalho said any exposed student data – including names, academic information and personal addresses – dated from between 2013 and 2016, and insisted that most middle and high school students from that period have already graduated.

For now, Carvalho confirmed students who did have their data breached will be contacted and offered credit monitoring services.

But many parents were not convinced the superintendent’s response was enough to ease their concerns about the cyberattack.

When Pesicka’s private information was exposed, Sony offered her one year of credit monitoring. But she found out years later she had a stolen identity and social security number.

“I had three people working under my social security number and I had my identity compromised,” Pesicka said in an interview. “Anybody who’s been through identity theft knows how difficult it is and how there’s not really a streamlined process or way to scrub your information.”

Teresa Gaines, the mom of 2nd and 3rd grade students at Grand View Boulevard Elementary School, was troubled by Carvalho’s response because it didn’t provide the urgency she was hoping for.

“Some people don’t realize how serious this can be because what if five or ten years from now our kids go to college and all of a sudden they get denied entrance because of something that is not their fault…or somebody uses that data to cause issues that prevent them from getting into certain programs or denied work,” Gaines said in an interview.

Gaines also said LAUSD should provide more targeted outreach to families through “town halls” and “informational webinars” so parents could ask questions about the cyberattack.

She is particularly concerned by the release of psychological assessments, which Carvalho insisted did not happen during his press conference. However, the Los Angeles Times did find such assessments among the leaked records.

For Jenna Schwartz, the mom of a 7th grade student in North Hollywood, Carvalho’s response left her cautiously optimistic.

“If I find out I was impacted…but it was just my child’s school photograph from 2013 and his attendance record, I don’t care as much,” Schwartz said in an interview. “If it was my social security number and bank information, those are two very different scenarios.”

Carvalho pointed parents to the district’s hotline, available Monday through Friday and this weekend for additional questions or support on the cyberattack.

But parents reported long wait times, and limited hours and information when the hotline began earlier this week.  

“Unless you ask a question that fits into their script, they don’t really have a response,” Pesicka said in an interview. “And even if you do, you’re getting a very robotic response.”

In addition, Schwartz noted that she’s “not sure what good the hotline is at this point other than sort of just to make people feel better.”

After a request for comment, a spokesperson from LAUSD referred back to Carvalho’s statement on the cyberattack: 

The hotline hours have been updated to weekdays from 8 a.m. to 8 p.m. and this weekend from 6 a.m. to 3:30 p.m.

In Wake of LA Cyberattack, 3 Ways Families Can Better Protect Student Data
/article/in-wake-of-la-cyberattack-3-ways-families-can-better-protect-student-data/ (Tue, 04 Oct 2022 23:01:00 +0000)

A Labor Day weekend cyber attack affecting thousands of Los Angeles Unified School District students has families questioning what they can do to keep their information safe. 

According to initial reports, hackers used ransomware to freeze and disable some LAUSD systems. The Vice Society ransomware gang then reportedly published a trove of sensitive district records this past weekend, though LAUSD superintendent Alberto Carvalho sought to downplay the damage done at a Monday press conference, particularly as it relates to records about individual students. 

Authorities have said there's no evidence confidential student information — such as social security numbers or health insurance details — has been breached. Last month the district confirmed a ransom demand by the hackers, but Carvalho said there had been no response. 

“School districts are often vulnerable targets to these kinds of attacks because they are large, have many employees, and many other users including students and parents who have access to at least some parts of the system,” said Clifford Neuman, a computer security expert and professor at USC's Viterbi School of Engineering, in an email to LA School Report. 

“What makes LAUSD an attractive target to criminals deploying ransomware is the number of individuals that are affected when LAUSD systems become unavailable,” Neuman added. 

Dr. Joseph Greenfield, Associate Professor of Practice at USC and an expert on digital forensics, offered three tips on how LAUSD families — as well as parents at any school district across the country — can keep their private data protected:  

1. LAUSD devices should be used exclusively for LAUSD services: 

To keep personal information from ever reaching the school's networks and systems, parents should ensure students use their LAUSD devices strictly for school purposes. Students often play online games or use social media on their district devices, but that activity routes personal accounts, messages and browsing history through school-managed systems, where it can be logged and retained, and where it becomes one more thing exposed if those systems are breached. 

2. Download a Password Manager: 

A password manager is an application (some free, some subscription-based) that generates a strong, random password for each site and stores all of them in a vault encrypted under a single master password, so the student only has to remember one. Popular examples include Apple's iCloud Keychain and Dashlane. 

The point is to stop reusing passwords across the wide array of sites students use every day. If each account has its own separate lock, then a compromise of one account, for example through a breach at a single vendor, does not lead to a compromise of all of them.

3. Use a Multifactor Authentication Process: 

Multifactor authentication can be enabled on most accounts. Once it is turned on, every login attempt requires the user to present two or more forms of evidence to verify their identity: in practice, something the student knows (the password) plus something the student has, such as a one-time code sent by text message or an approval prompt in an authentication app such as Duo. Authenticator apps are the stronger option, since text-message codes can be intercepted through SIM-swap fraud. Students should be required to go through this identity confirmation every time they log in. 

This article is part of a collaboration between The 74 and the USC Annenberg School for Communication and Journalism.

Sara Balanta is an undergraduate student at the USC Annenberg School for Communication and Journalism pursuing a Bachelor’s degree in Journalism. She is a 2022 Dragon Kim Foundation Fellow where she hosts a project called “Teacher’s Aide +”, which conducts free renovations in schools to help brighten campus environments. Aside from writing her passions include youth activism, media culture and music.

LA Schools and the Mystery of the Missing Ransom Note
/article/la-schools-and-the-mystery-of-the-missing-ransom-note/ (Tue, 13 Sep 2022 21:21:53 +0000)

Updated, Sept. 21: Los Angeles Unified School District has received a ransom demand from the hackers whose breach of the district's computer systems was discovered Sept. 3, the Los Angeles Times reported yesterday. “We can confirm that there was a demand made,” L.A. schools Superintendent Alberto Carvalho said. “There has been no response to the demand.” The schools chief did not say when the demand was received, how much the cyber attackers are seeking or provide any further details. Carvalho said the country's second-largest school district is following the advice of experts and law enforcement, including the FBI and the Los Angeles Police Department, the Times reported.

As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar. 

Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, stealing sensitive data and then demanding a ransom in exchange for not publishing the private records on dark-web outposts.  

Vice Society, a ransomware gang, steals and publishes sensitive information on its dark-web “leak site” if its victims fail or decline to pay up. (Screenshot)

So what’s a ransomware attack without a demand for money?

“We have not received a ransom demand, nor have we sought a direct communication with the entity,” Superintendent Alberto Carvalho said at a Friday news conference, nearly a week after the breach was detected.

On Tuesday, the L.A. school board approved an emergency declaration allowing Carvalho, who took the helm at the nation's second-largest school district in February, to expedite contracts for cybersecurity for a year without competitive bidding.

The new superintendent’s statements are “not consistent” with Vice Society’s extortion playbook, said Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security, a computer security firm that warned the district in 2021 about a cyber vulnerability. 

Holden said he fears “a missing link” between the district and the threat actors, who are “definitely known to send out a ransom note because that's how they get paid.” Vice Society has made clear that money is the primary motive for the cyber attack on L.A. schools, which the group says it carried out, though it has not provided evidence to substantiate the claim.

Holden is not the only one trying to read between the lines.

“One big question everybody has is, ‘Did they pay, are they going to pay the extortion demand?’” said Doug Levin, national director of The K12 Security Information eXchange.

Levin and other cybersecurity experts have a few theories. 

For one, it could be the case of carefully worded messaging. While Carvalho noted that the district has not “sought a direct communication with the entity,” the superintendent’s comments don’t “seem to rule out that someone on their behalf may be in touch with Vice Society,” Levin said, adding that “nothing in their response or in what Vice Society has said or done rules out paying extortion and much is consistent with it.”

In previous attacks, districts have declined to recognize ransom demands unless they come through official channels, he added, and it’s possible that “a pop-up on a computer screen is not a valid way of communication to a district and therefore it does not count as being received.” 

It’s possible, Holden said, that a ransom note failed to reach an audience. When organizations learn they’ve been compromised, they sometimes react by defending themselves overzealously and the ransom note winds up getting blocked, he said. 

“The organizations typically tend to lose these notes, block them or don’t report them,” he said. If someone reports a phishing attempt to IT, email administrators tend to purge the message and future communications. “So they basically didn’t block the phishing email, but potentially they blocked the ransomware note.”

But there could be another explanation for the missing ransom — one of success. When district officials moved quickly to take their computer systems offline after detecting the breach, they could have effectively eliminated the threat before the demand was made. 

“If there's enough notoriety about it and they didn't get far enough to actually encrypt enough or exfiltrate enough data, I've seen the threat actors abandon it,” cyber crime expert James Turgal told The 74. “When law enforcement gets involved, that's when those guys start getting really nervous.”

In his press conference, Superintendent Carvalho never called out the hacking group by name but noted that federal law enforcement officials working on the criminal investigation have “intimate knowledge” of the bad actors. 

While some cyber criminals steer clear of attacks on schools and hospitals, Vice Society — whose dark web “leak site” is styled after the video game — has no such code, Holden said.

“These guys don’t have this stop and that’s extremely disturbing because this may indicate that they won’t stop for anything,” he said.  

Reporters have received brief responses from an email address that federal law enforcement officials say is controlled by the cyber gang. In their replies, the group and of files from compromised district servers. In an email to The Associated Press, the group offered a simple explanation: “We are not political organization, so everything is just for money and pleasure =).” 

The 74 contacted Vice Society to request information about its ransom demand and the records it stole. In a brief response, the group said it would provide “all answers after they appear on our website,” suggesting that the L.A. data would be leaked if negotiations fail. 

Even without a ransom, recovering from the attack will likely cost the district millions of dollars, experts said. As such attacks on schools have become more frequent, districts face cyber liability insurance premium increases of as much as 300 percent. In 2021, a total of 67 ransomware attacks against U.S. schools and colleges cost an in downtime and recovery costs. In May, Lincoln College in Illinois announced it would close after becoming the target of a cyber attack. 

‘Surveillance and grooming of our own systems’

Los Angeles Unified School District, which serves more than 500,000 students, joins the ranks of districts nationwide on the receiving end of ransomware attacks in recent years, falling victim on the Saturday night of the four-day holiday weekend. The LAUSD breach appears to be part of a growing trend of back-to-school hacks, which take advantage of a chaotic moment when district cybersecurity officials are particularly busy. 

“If you were looking to extort a school district and increase the leverage on them to meet an extortion demand or a ransom demand, this time of the school year would be among the best to do it,” Levin said. “We have seen, over the last several years, that ransomware actors have taken advantage of that fact at the beginning of the school year to extort districts out of millions of dollars of money in demands.”

Superintendent Alberto Carvalho addresses a press conference about sharp decline in student test scores and hacking of LAUSD system on Sept. 9. (Irfan Khan/Getty Images)

As hackers were carrying out the attack, district technology officials detected “unusual live data movement,” and made the unprecedented decision to shut down the district’s computer system — a move “that itself caused a number of challenges,” Carvalho said, but prevented “other more essential elements.” 

While a district facilities system was a primary target in the hack, Carvalho acknowledged that hackers had “touched” the online student management system. The facilities system includes information on contracts and non-sensitive records, he said, and it remains unclear whether the threat actors were able to acquire sensitive student information. 

“It is quite possible, even likely, that for a period of time in advance of the actual attack, there was a degree of surveillance and grooming of our own systems,” Carvalho said, suggesting threat actors rummaged through district data prior to launching the ransomware scheme. L.A. Unified was in the process of rolling out multi-factor authentication, but Carvalho acknowledged the security measure had not been finalized before the breach. 

The criminal investigation into the attack involves officials from the Federal Bureau of Investigation and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. In a joint cybersecurity advisory, federal officials warned that Vice Society actors were “disproportionately targeting the education sector with ransomware attacks” that have led to “delayed exams, canceled school days and unauthorized access to and theft of personal information.” Schools may be “particularly lucrative targets,” the advisory said, because they retain a large amount of sensitive student information. 

Turgal, the vice president of cyber risk and strategy at Optiv Security, offered a harsh critique of L.A. Unified’s response, noting that officials had been previously warned about vulnerabilities.

“They’re doing the right things,” but a speedy response to eliminate threats from servers is critical, said Turgal, a former executive assistant director for the FBI Information and Technology Branch. “Their response was very measured, but it was very slow.”

The district declined to comment.

While schools reopened after the Labor Day weekend as scheduled, the breach came with substantial disruptions and confusion for the 540,000 students and 70,000 district employees who were required to reset their passwords and were unable to access online platforms. 

“From my students, I could tell they were frustrated,” said Nancy Soni, an 11th grade English teacher in East Los Angeles. “A lot of them didn’t really understand what it meant to be hacked.”

‘A wake-up call’

Outside Los Angeles, ransomware attacks have delivered a serious blow to districts nationwide, crippling their finances with extortion demands and recovery costs. 

In Baltimore County, a 2020 ransomware attack saddled the school district with some $10 million in recovery costs. Costs are similar in Buffalo, New York, where the district was hit by ransomware last year but declined to pay the ransom. When education leaders in Broward County, Florida, declined to pay a $40 million ransom demand after district accounting and financial records were stolen, hackers posted some 26,000 files on the dark web. 

In fact, this isn't Carvalho's first experience dealing with a cyber attack. In 2020, while he was superintendent in Miami, Florida, the district's online learning platform was knocked offline by a cyber attack on the first day of virtual classes. A 16-year-old district student who took credit for the attack was sentenced to a year of probation. 

Back in L.A., district leaders were warned on multiple occasions in the last several years that their cybersecurity safeguards weren’t up to snuff and that data had been compromised. 

In January 2021, the district's inspector general released the results of an information security audit that identified lapses requiring an “immediate remedy,” including “significant risks around passwords and credentials” and the lack of incident response planning and preparation. 

Having been presented with “a laundry list of things that should have been done,” it’s critical to understand how the district responded to the audit, said Turgal of Optiv Security. 

Carvalho also expressed concern about how the report’s recommendations were handled, saying his “first order of business” is to “actually understand that report and ask the tough questions about why were a number, if not the majority of these measures, not acted upon.” 

A month later, in February, 2021, cybersecurity experts with Hold Security used an intermediary to inform L.A. district leaders of more bad news. The computer for a school psychologist who was working from home had become compromised, Holden said, likely after she was duped by a phishing email. 

District officials worked quickly to patch the hole and there's no evidence to suggest it contributed to the recent ransomware attack, but Holden said it should have served as “a wake-up call” and suggests that LAUSD probably hadn't “put enough safeguards in place to prevent something like this.” 

The incident also highlights the reality that cybersecurity attacks on school districts can net highly sensitive data about children, Holden said. 

“Imagine what kind of sensitive information, especially about minors, this person might have within her computer or within her access,” he said. Compromised data from a school psychologist is “the worst-case scenario of what the bad guys could steal, something that would be directly harmful to kids.” 

Soni, the English teacher, said that hackers’ potential access to sensitive information is concerning. As an educator in the district, she said she has access to a significant amount of information about students, including their addresses, phone numbers and whether they’re in special education.

“There’s a lot on there, and to have everybody’s personal history be jeopardized, that is scary,” she said. “One of my concerns is having the wrong people have access to information about me, and information about my students.” 

LA School Report freelancer Destiny Torres contributed to this report

74 Interview: Cybersecurity Expert Levin on the Harms of Student Data Hacks
/article/74-interview-cybersecurity-expert-levin-on-the-harms-of-student-data-hacks/ (Tue, 31 May 2022 14:01:00 +0000)

Everyone knows rules one and two of Fight Club: You do not talk about Fight Club. 

Now it appears that district technology leaders have applied that logic to computer hacks. That's according to Doug Levin, the national director of The K12 Security Information eXchange, who has spent years chronicling computer hacks on school districts and education technology vendors. Data breaches are a significant and growing threat to schools, he said, yet many district IT officials are hesitant to discuss them. 

“Quietly they might confess that this is an issue they lose a lot of sleep over, but they never talk about it publicly, often for fear of looking bad,” said Levin, whose nonprofit group provides threat intelligence to school districts to protect them from emerging cybersecurity risks. 

Now, an increasing number of school districts have been forced to notify students and parents that they've been duped. In March, New York City Public Schools, the country's largest district, disclosed that the personal data of some 820,000 current and former students had been exposed online. The data breach, the largest such incident against a single school district in U.S. history, has since reached far beyond the five boroughs. Districts in California, Colorado, Connecticut, Oklahoma and elsewhere in New York have since acknowledged being victims. 

At the center of the debacle is Illuminate Education, a vendor whose software helps more than 5,200 school districts track student attendance and grades, among other metrics. Students' personal information, some of it sensitive, was exposed when hackers breached Illuminate's servers in January. The exposed data included students' names, birth dates, class schedules, behavioral records and whether they qualify for special education or free or reduced-price lunches. 

Yet months later, many key details — including the number of districts affected — remain unknown. The company did not respond to requests for comment from The 74. 

In New York, state education officials have opened an investigation into Illuminate, which city officials accused of misrepresenting its security safeguards. 

To gain a better understanding of the hack, The 74 caught up with Levin to discuss how the high-profile data breach occurred, why many critical pieces of information remain elusive and strategies that parents and students can use to protect themselves online. 

The interview, which has been edited for length and clarity, was conducted prior to the latest development on the school cybersecurity beat: Chicago Public Schools' disclosure Friday that the personal information of more than half a million students and staff was compromised in a ransomware attack on education technology vendor Battelle for Kids. The data breach was carried out on December 1 and Battelle notified Chicago officials about the attack about a month ago, on April 26. 

The 74: Is the Illuminate Education data breach the largest known hack of K-12 student records in history? 

Doug Levin: The Illuminate Education security incident — we actually don’t know much about what happened — was the single-largest data breach incident affecting a single school district. We still have to see what the numbers bear out for Illuminate Education, and it could still grow significantly in size.  

But a couple of years ago of their AIMSweb product. They never disclosed the total number of districts that were affected, but they said that 13,000 of their customers were affected. In fact, the Securities and Exchange Commission about the scope of the incident. A number of years ago, the education company Edmodo also endured a massive breach. 

So there are some large incidents that have happened but the more we learn about the Illuminate Education breach, the worse it does appear to be.

What sets this hack apart from previous incidents? 

Some education vendors don’t know a whole lot about the students they’re serving. They may have a student ID, they may know their grades or academic performance in one subject, but not a lot else about that student or their context. The Illuminate Education breach did involve a pretty large swath of sensitive information about students that could be used by criminals to commit identity theft and credit fraud against students. 

So that sets it apart. 

Unfortunately, it’s the latest and the most high-profile student data breach that is occurring not directly by school districts but by their vendors and partners. A lot of times the security conversation has been focused on the practices of schools themselves and attacks that have targeted schools. There have been a number of high-profile ransomware attacks that have brought school districts to a halt, , and . Those are very eye-opening incidents and they draw a lot of attention, but they are localized in their impact. They are very significant for those communities, but they only affect those communities. 

When a vendor experiences an incident, the impact and the scope of that breach can be massive. If you think about the vendors and suppliers that school districts work with, whether they’re for-profit, nonprofit, or even the state education agencies themselves, if they experience an incident, the scope and magnitude of that incident is likely to be significantly larger. 

There’s sort of this idiosyncratic issue in K-12 education where we have been laser focused on issues of student data privacy and a majority of states have now passed new student data privacy regulations in the last five to 10 years largely because the federal law, the Family Educational Rights and Privacy Act, has not been updated since 1974.

But if we only look at this issue through the lens of student data privacy, it is like we have horse blinders on, we are not seeing the full picture. And while ensuring student data privacy is critically important, these are not security laws and they do not adequately address the various ways that unauthorized users can gain access to student data. 

In fact, vendors and partners are the most frequent cause of school district data breaches. 

This is an era where we need to broaden our lens from student data privacy exclusively to also include security. School districts themselves need to do more due diligence with respect to vendors’ security practices and in making sure they have contractual requirements in place that require the prompt notification and remediation of issues. 

With Illuminate Education, it has taken several months for individuals who were affected to find that out. The gap between when the company first learned about the incident and when parents are informed of the incident so they can take steps to protect their children is really too long. We really need to work on tightening that timeframe to protect students from the risks that we are introducing to them. 

A map created by Doug Levin highlights every publicly disclosed cybersecurity incident at a K-12 school system since 2016. (Courtesy Doug Levin)

We don’t know a lot about the scope of the Illuminate Education data breach. How would you describe the company’s overall response? Why does so much remain unclear? 

Frankly, it comes down to the state of policy and regulations. In the vast majority of cases, when an incident is experienced by an organization, whether it be by a school district or a partner, one of the first things they will do is look to see what they’re obligated to report under the law. 

So setting aside the ethical or moral desire and need to help individuals take steps to protect themselves when you have been at fault in causing an incident, many will look to what they are strictly required to do. And the fact of the matter is that there are many, many loopholes in existing notification laws. 

Organizations do not want to share bad news with their customers and stakeholders, and so there are reasons that people don’t like to disclose these things. But there’s also a compelling number of reasons why stakeholders deserve and need to know.

If hacks are not publicly disclosed, policymakers won’t understand the scope of the issue and they can’t take steps to provide more resources to protect against these sorts of threats. That’s exactly the sort of issue we’ve had in K-12. For years, no one talked about the incidents that schools were experiencing, so people thought that schools really weren’t experiencing incidents. That was simply not the case. 

Secondly, threat actors that attack schools and their vendors repeat their tactics in predictable ways. If they’re successful at attacking one school district, they will use those exact same tools and techniques against other school districts. So it’s important that organizations share with them a heads-up so that they can take the steps to protect themselves from being compromised in the same ways. 

With hacks, there is the potential for people to experience real harms. They can have their identity stolen, tax fraud, credit fraud, they could be embarrassed. They could have things disclosed about them — whether it’s their health status, their legal status, their immigration status — that were never supposed to be public and that may lead to very serious repercussions. 

There really is a moral obligation for people to disclose these incidents. 

You’ve observed a recent uptick in ransomware attacks. How do districts generally respond to these incidents? 

How school districts respond really depends on how proactive they have been in defending against cybersecurity risks. In the best cases, school districts have segmented their networks and made it difficult for that ransomware to spread throughout the district. In those cases, school districts are often able to restore their systems from backups, avoid paying extortion demands, investigate how the ransomware got into their system and plug those holes. 

In recent years, ransomware actors have also exfiltrated large amounts of student and staff data before they encrypt and lock those school district computers and demand a ransom. And I should note those ransom demands have been increasing dramatically for K-12 schools. In 2015 or 2016, you might have seen a ransomware demand of $5,000 to $10,000, payable in a cryptocurrency, of course. Today, it wouldn’t be surprising to see a ransomware demand of a million dollars or more being made to a school district.

When school districts are in that place, they’re really between a rock and a hard place at that point. If ransomware spreads across their system, those are the sorts of incidents that close schools for days and kids are sent home. 

In those cases, they rely on experts to come in and assess how to rebuild their systems, how to evict ransomware actors from their networks, how to handle the fact that ransomware actors have exfiltrated data already, and to reduce instances where schools have to pay those extortion demands. 

Law enforcement will never encourage a victim to pay that extortion demand. Every time a school district does so, they are really just encouraging future threat actors to target school districts with the same sort of techniques. 

Even school districts that don’t pay the extortion demand face remediation and recovery costs. In Baltimore County, the recovery and remediation costs have been estimated in the millions of dollars, so you’re paying for the cost of ransomware incidents whether you pay that extortion demand or not. 

School districts are not exactly flush with cash. Why are schools a good target for hackers? Why are they particularly vulnerable?

I have often heard schools be very surprised when they’re attacked. They’re morally outraged because they’re an institution that is just trying to help kids and they’re being targeted by these criminals. 

But you made the statement that schools don’t have a lot of money and I actually want to push back on that. School districts actually manage quite a bit of money every year. They maintain facilities, transportation and food services. They may be the largest employer in many communities. 

It is correct, of course, that school districts don’t have enough money to do all the things they would like to do and need to do for kids. I’m not arguing that they are sufficiently funded. But it is not unusual for a school district of medium or large size to have an annual budget in the hundreds of millions, and some of the largest districts in the country have annual budgets in the billions. That’s plenty of money to attract the attention of threat actors. 

Other than money, school districts and other government agencies have been disproportionately attacked largely because they tend to run IT systems that are older and they also tend to be under-resourced with respect to cybersecurity. They just don’t have the money and the capacity to hire experts in the way that we would hope and certainly not in the way that some private sector organizations do. 

And given that public sector organizations like school districts provide essential services and people get very upset if they’re disrupted, they may be susceptible to extortion tactics like ransomware. They also hold a lot of valuable information about those stakeholders that can be repurposed for criminal purposes. It really is a perfect storm here of school districts being, unfortunately, low-hanging fruit for criminals at a time where, as a policy issue, cybersecurity really has not been a priority. 

I think this is changing. There are conversations underway in both state legislatures and in Congress looking to provide more resources to school districts for cybersecurity. But this is a marathon not a sprint and, you know, that help has not yet arrived. 

What needs to happen legislatively in regards to school district hacks? 

There is a need for mandatory reporting. It is very difficult for anyone to get a handle on this issue and how to help schools protect themselves if we don’t know the scope of the issues that schools are facing. 

We certainly can’t bring those parties who are responsible to bear unless we get details about those sorts of incidents. 

Secondly, there is no floor, there is no minimum cybersecurity risk management practice in a school district. Parents, employees and taxpayers have reasonable assumptions about how school districts protect themselves from ransomware, data breaches and targeted phishing attacks. Yet I think they may be surprised that their expectations are not being met. Setting a minimum cybersecurity expectation on school districts is a common sense step that we can take, and those protections should also be extended to vendors. 

You built a map to track every K-12 data breach since 2016. What key trends and takeaways have you observed? 

The majority of those incidents involve student data but a significant minority involve school employee data, including teachers.

A variety of actors are responsible for these incidents. About a quarter are carried out by online criminals targeting school districts, but many are actually the result of the actions of insiders to the schools themselves. Like any large organization, employees make mistakes. School districts may email sensitive data to the wrong people, and very occasionally, school districts have disgruntled employees who do things on their way out the door. 

The last group of insiders are the students themselves. An IT leader joked with me once that every school district serving middle and high school students is getting free penetration testing whether they like it or not. The fact of the matter is that a proportion of students are very tech savvy and they do get bored. Kids being kids, they turn their attention to school districts themselves and, in fact, there have been some very large and significant data breaches because students themselves have compromised school district IT systems. 

What do students typically do when they compromise school technology? 

It depends on the incident. In some cases, they’re seeking to change their grades or their attendance records in a very similar vein to the . Some kids have even been enterprising and charged their fellow students for the privilege of changing their grades. 

But in other cases, they’re simply curious or are interested in making some kind of a statement and are interested in defacing a school website, a school social media account, blasting out emails that they think are funny. 

We don’t have any evidence that kids are monetizing their attacks on school districts on the dark web in the way that online criminals do. But having said that, there are a number of cases where students have crossed the line and have gotten entangled with law enforcement because the attacks they’ve carried out against school districts have been so disruptive. 

What do we know about the online criminals who target school districts? Who are they, in what cases have they been caught and in what cases have they faced any repercussions? 

Cybersecurity attacks have a unique characteristic to them because they can be carried out by individuals anywhere in the world at any time. By and large, the online criminals that are targeting school districts are based overseas and they are based in countries that make it difficult for U.S. law enforcement to reach. As a result, many of these actors are not brought to justice. 

A minority of these incidents occur from within the country and in those cases the ability of law enforcement, the FBI in particular, in bringing judgments against those folks is actually pretty good. There was a Texas school district a couple of years ago that was scammed out of several million dollars by a sophisticated phishing attack. It turned out that it was carried out by an individual in Florida who was caught and prosecuted. That person bought Rolexes and sports cars with the money that he stole from that district. But I suspect he is sitting in a jail right now or certainly awaiting the sentencing for that crime.

What lessons does the Illuminate Education breach hold for school districts and education technology vendors?

The story is still being told here, but this is going to be a very cautionary tale both for school districts and for vendors. This is going to evolve depending on the outcome of the investigations in New York. The state of New York has a fairly strict student data privacy regulation and it appears that Illuminate Education was in violation of the rules despite assurances that they were in compliance. So the state of New York has an opportunity to set an example here. Many ed tech companies will be watching very closely. 

We’re watching very closely as well. What may happen to renewals from school districts that use products from Illuminate Education? How many customers might they lose? 

It would be wise for vendors and suppliers to understand that it is only a matter of time before new regulations require more cybersecurity protections on the data that they hold about school children and school employees. 

From a school district perspective, it just underscores the importance of due diligence when they are selecting vendors and the need to consider the security practices of their vendors. This is not a one-time evaluation. Threats and vulnerabilities evolve so we need a continuous evaluation process. 

What lessons does this hack hold for parents and students, and what should they do to protect their information online?  

It should highlight for parents and students that there are risks in sharing information with schools and their partners. That risk can be managed, but I think it is beholden on parents to ask good questions of their school district about their cybersecurity risk management practices. These don’t have to be very technical questions, but I do think they deserve assurances from the school board and the superintendent that this is an issue that they’re taking seriously and a school district should be able to explain the steps that they’re taking and how they are continuously managing these risks. 

If you’re worried about being a potential victim — and I think it is always worth worrying about being a potential victim — there’s a couple of steps that I would encourage both parents and students to take. I would advise parents to freeze their children’s credit record. This is available for free at all of the major credit reporting agencies and it will prohibit an online criminal from stealing the identity of their children and opening credit accounts in their names. 

I would also underscore that good password management practices are always useful. I’m talking about not reusing the same username and password that you use for your school accounts for any of your personal accounts. To the greatest extent possible, you want to separate your school life from your private life, and the best way to do that is to use a password manager. There are many free password manager applications that are available as well as a number of good paid options.

McAfee Finds Vulnerability in Ed Tech Surveillance Tool (Tue, 28 Sep 2021). Updated, Sept. 28

A student monitoring company that thousands of schools used during remote and hybrid learning to ensure students were on task may have inadvertently exposed millions of kids to hackers online, according to a report released Monday by the security software company McAfee Enterprise.

The , conducted by the company’s Advanced Threat Research team, discovered the bug in the software, which is used by some 3 million teachers and students across 9,000 school systems globally, including in the U.S. The software allows teachers to monitor and control how students use school-issued computers in real time, block websites and freeze their computer screens if they’re found to be off task.
This is the second time in less than a year that McAfee researchers have found vulnerabilities in Netop’s education software — glitches that to gain control over students’ computers, including their webcams and microphones. It’s unclear whether the software had been breached by anyone other than the researchers. In a $4 billion deal over the summer, McAfee Corp. sold off the business-focused McAfee Enterprise to focus on consumer cybersecurity.

“This speaks to the power of responsible disclosure and ‘beating the bad guys to the punch’ in terms of providing vendors insights to the flaws in their products and an appropriate time period to produce fixes,” Doug McKee, McAfee’s principal engineer and senior security researcher, and Steve Povolny, the company’s head of advanced threat research, said in an emailed statement.

“We do believe this bug is highly likely to be exploitable, and a determined attacker may be able to leverage the attack” to breach the system.

Netop, which bills its products as a way to “keep students on task, no matter where class is held,” did not immediately respond to requests for comment.

While the research comes as many U.S. students return to classrooms for in-person learning, cyberattacks targeting K-12 school districts — already an issue before the pandemic — have worsened throughout it. In the last month, educational organizations were , according to Microsoft Security Intelligence. In fact, educational organizations accounted for nearly two-thirds of such attacks globally. Publicly disclosed computer attacks against schools in 2020.

To conduct the research, McAfee relied on a free trial of Netop to analyze the program’s underlying code using an automated testing technique called “fuzzing,” in which they provided the software with malformed data to cause a crash. As a result, they found a bug in the way the program transmits digital images of students’ screens to teachers that could be exploited to attack children with malware, ransomware, collect their personal information or to access the computers’ webcams.
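To make the technique concrete: below is a constructed example, added here and not McAfee’s research code or Netop’s software, of a small mutation fuzzer run against a toy screen-frame parser. The frame format (magic, width, height, bytes-per-pixel, pixel data) is an assumption invented for the example. The naive parser trusts its header fields and falls over on truncated or zero-sized frames; the hardened version validates every field first and only ever rejects bad input with a single, expected error type. The fuzzer reports any exception the parser did not intend to raise, which is exactly the signal researchers look for when deciding whether a crash merits deeper investigation.

```python
import random
import struct

# Constructed toy wire format (an assumption for this example, not Netop's
# real protocol): 4-byte magic "FRM1", uint16 width, uint16 height,
# uint8 bytes-per-pixel, followed by width*height*bpp bytes of pixel data.
HEADER = struct.Struct(">4sHHB")

# A well-formed 4x2 single-channel frame used as the fuzzer's seed input.
SEED_FRAME = HEADER.pack(b"FRM1", 4, 2, 1) + bytes(range(8))


def parse_frame_naive(buf: bytes) -> dict:
    """Trusts the header: truncated or zero-sized frames raise unexpected errors."""
    magic, width, height, bpp = HEADER.unpack_from(buf)  # struct.error if buf is too short
    if magic != b"FRM1":
        raise ValueError("bad magic")
    pixels = buf[HEADER.size:]
    row_len = width * bpp
    rows = len(pixels) // row_len            # ZeroDivisionError when width or bpp is 0
    first_row = pixels[:row_len]
    avg = sum(first_row) / len(first_row)   # ZeroDivisionError when no pixel data follows
    return {"width": width, "height": height, "rows": rows, "avg": avg}


def parse_frame_hardened(buf: bytes) -> dict:
    """Validates every field before use; rejects bad input with ValueError only."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    magic, width, height, bpp = HEADER.unpack_from(buf)
    if magic != b"FRM1":
        raise ValueError("bad magic")
    if width == 0 or height == 0 or bpp not in (1, 3, 4):
        raise ValueError("invalid dimensions")
    pixels = buf[HEADER.size:]
    if len(pixels) != width * height * bpp:
        raise ValueError("pixel payload length mismatch")
    row_len = width * bpp
    first_row = pixels[:row_len]
    return {"width": width, "height": height, "rows": height, "avg": sum(first_row) / row_len}


# Boundary values that commonly expose off-by-one and zero-length handling.
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random, structure-unaware mutation: byte flip, boundary value, or truncation."""
    b = bytearray(data)
    mode = rng.randrange(3)
    if mode == 0:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif mode == 1:
        b[rng.randrange(len(b))] = rng.choice(INTERESTING)
    else:
        del b[rng.randrange(len(b)):]
    return bytes(b)


def fuzz(parser, seed_input: bytes = SEED_FRAME, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated inputs to parser; return {exception name: first input that triggered it}.

    ValueError is the parser's documented rejection path, so it is not counted as a crash.
    """
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed_input, rng)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_frame_naive), ("hardened", parse_frame_hardened)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} unexpected exception type(s): {sorted(found)}")
```

Running the script shows the naive parser producing both a `struct.error` (truncated header) and a `ZeroDivisionError` (zero width, zero bytes-per-pixel, or a header with no pixel data) within a couple of thousand mutations, while the hardened parser produces none; in a memory-unsafe language the same class of unchecked length field is what turns a crash into something exploitable, which is why a fuzzer-found crash is treated as a finding rather than a nuisance.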

In March, that allowed hackers to “gain full control over students’ computers.” Among the issues, researchers discovered that communications between teachers and students through the service were unencrypted, meaning they weren’t protected by a code that blocks unauthorized access.

In a blog post, McAfee explained how the , noting that while the company’s monitoring software “may seem like a viable option for holding students accountable in the virtual classroom, it could allow a hacker to spy on the contents of the students’ devices.”

“If a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment,” the blog post explained. “The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.”

Multiple education technology companies have experienced hacks and other digital vulnerabilities during the pandemic. In July 2020, for example, , which provides a live proctoring service to help prevent cheating, and published the personal information of more than 444,000 students to an online forum.

Privacy and civil rights groups have raised concerns for years about the risks posed by student surveillance tools, including issues related to cybersecurity and privacy. Perhaps most famously, a suburban Philadelphia school district reached in 2010 after educators used computer webcams to surveil students at home without their knowledge.

Earlier this month, ˶ published an in-depth investigation about how another student surveillance company, Gaggle, subjects children to relentless digital surveillance as it monitors students’ online activity — both in classrooms and at home — in search of keywords that could indicate problematic or potentially harmful behaviors. Among other concerns, privacy advocates argue that schools’ broad collection of student information could .

McAfee says it notified Netop of its initial findings in December 2020 and the company rectified “many of the critical vulnerabilities” by February 2021. The security giant alerted Netop to the latest bug in June and the company has worked “towards effective mitigations,” according to McAfee, but has not yet announced a permanent fix.
