data breach – 社区黑料
America's Education News Source
Fri, 12 Dec 2025 20:47:35 +0000

As Feds Crack Down on Huge Ed Tech Data Breach, Parents and Students Left Out
Sat, 13 Dec 2025 11:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

The Federal Trade Commission announced this month plans to  over a massive 2021 data breach. The move added to a long list of government actions against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed fines and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach.

The in their efforts to hold Illuminate accountable are parents and students.

Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn’t constitute a concrete harm.


In the news

Students walk out of East Mecklenburg High School in protest of U.S. Border Patrol operations targeting undocumented immigrants on Nov. 18 in Charlotte, North Carolina. (Getty Images)

The latest in President Donald Trump’s immigration crackdown: In many cities across the country, from New Orleans to Minneapolis, resisting federal immigration enforcement means keeping kids in school.

  • Trump’s mass deportation effort has had a particularly damaging effect on the child care industry, which is heavily reliant on immigrant preschool teachers — most of them working in the U.S. legally — who have found themselves “wracked by anxiety over possible encounters with ICE.”
  • ‘Culture of fear’: Immigrant students across the country have increasingly found themselves targets of bullying since the beginning of Trump’s second term, according to a new survey of high school principals.

A Kansas middle school will no longer assign Chromebooks to each student: Computers have had “a wonderful place in education,” the school’s principal said. But schools have “simply immersed students too much in technology.”

A Florida middle school went into lockdown after an automated threat detection system was triggered by a clarinet. A student was walking in the hallway “holding a musical instrument as if it were a weapon.”


‘Got what he deserved’: A California teacher has filed a federal First Amendment lawsuit against her school after she was suspended for a Facebook post calling right-wing political activist and Turning Point USA founder Charlie Kirk a “propaganda-spewing racist misogynist” a day after he was murdered.

  • In Florida, two teachers have filed separate First Amendment lawsuits after they were punished for social media posts critical of Kirk after his death.
  • Texas Gov. Greg Abbott announced a partnership with Turning Point USA to create local chapters of the group at every high school campus in the state, vowing “meaningful disciplinary action” against any educators who stand in the way.
  • Kirk’s wife, Erika Kirk, will field questions from “young evangelicals, prominent religious leaders and figures across the political spectrum” during a live town hall Saturday on CBS News moderated by its new editor-in-chief, Bari Weiss.
  • ICYMI: The Trump administration’s First Amendment crackdown in the wake of the activist’s violent death has left student free speech on even shakier ground.
Vice chair Robert Malone during a meeting of the CDC Advisory Committee on Immunization Practices on Dec. 5 (Getty Images)

Following a shakeup in its ranks by vaccine skeptic and Health and Human Services Secretary Robert F. Kennedy Jr., a Centers for Disease Control and Prevention advisory committee voted to overturn a decades-long recommendation that newborn babies be immunized for hepatitis B — a policy credited with decimating the highly contagious virus in infants.

  • A measles outbreak in South Carolina schools is accelerating, with some unvaccinated students in a second 21-day quarantine since the beginning of the academic year.

A photo that circulated online depicted California high school students lying in the shape of a swastika on the grass of a football field. Chaos ensued.

‘It feels nasty. It’s gross.’: Controversy has come to a head at a California high school after an adult film producer rented out the campus gym for a raunchy livestream. “The first thing I see is a full-grown adult, an adult man wearing a baby costume and being fed milk from a baby bottle,” one student observer noted.

Two Texas teenagers allegedly conspired to carry out a school shooting at their high school but the plot was thwarted after classmates reported text messages with their plans to school police. “Don’t come to school on Monday,” one of the messages warned.


ICYMI @The74

A GOP push to limit public borrowing by graduate students could exclude many nursing students, as well as those training for several other professions. (Glenn Beil/Getty Images)


FTC, State AGs Crack Down on Ed Tech Company After Massive Student Data Breach
Fri, 12 Dec 2025 11:30:00 +0000

When the Federal Trade Commission announced this month it was Illuminate Education over a massive 2021 data breach, it added to the list of government measures against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed penalties and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach. 

The ones that haven’t made progress in their efforts to hold Illuminate accountable are parents and students. Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn’t constitute a concrete harm.

The federal appeals court of a proposed class-action lawsuit filed by families whose children’s information was compromised. The court concluded the plaintiffs lacked standing because they did not demonstrate actual damage from the breach or an “imminent and substantial” risk of future identity theft. In the years since the cyberattack was carried out, the court concluded, there was no evidence that the records, which did not include Social Security numbers, had been misused to commit identity theft.

“It has been more than three years since the breach,” the court wrote, “and no fraud has occurred, nor is the kind of information at issue the kind that this court normally considers sufficient to find a credible threat of identity theft.”

Under announced by the FTC this month, Illuminate will be required to create a “comprehensive information security program,” delete any student data it is no longer using and notify the commission of any future data breaches. Regulators allege a third-party company hired by Illuminate to assess its cybersecurity safeguards raised red flags but Illuminate failed to heed those warnings a year before it was hacked using the compromised credentials of a former employee.

“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a media release this month. The FTC action, Mufarrige continued, should serve as a warning to other companies that the commission “will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”

After the data breach, which affected the country’s two largest school districts in New York City and Los Angeles among others, Illuminate was by another education technology company, in 2022. Since then, a Renaissance spokesperson said in a statement to 社区黑料 this week, Illuminate products have been incorporated into its “cybersecurity and data protection program.”

“robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators and families,” the spokesperson said.

The FTC action comes on the heels of last month, when state attorneys general in California, Connecticut and New York secured a combined $5.1 million in penalties from Illuminate, along with cybersecurity requirements that resemble the FTC’s demands. State investigators similarly alleged sweeping security flaws at the company, including the failure to monitor suspicious activity and deactivate the inactive user accounts of former employees.

A California Department of Justice that Illuminate made “false and misleading statements” about its cybersecurity safeguards in its privacy policy and “deceptively advertised” to school districts that it was a signatory of the nonprofit Future of Privacy Forum’s now-defunct “Student Privacy Pledge.”

The voluntary pledge, , sought to hold education technology companies accountable for maintaining “a comprehensive security program” to protect students’ personal information and to prevent the sale of student records for targeted advertising.

Illuminate became the first ed tech company to get booted from the pledge after reporting by 社区黑料 called into question its utility in holding tech firms accountable for failing to meet its provisions. 

The multistate Connecticut regulators reached a settlement under its state student data privacy law — which was enacted nearly a decade ago.

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” Connecticut Attorney General William Tong said in a statement. The settlement “holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

L.A. Schools Telehealth Vendor Waited 8 Months to Report Breach
Sat, 16 Aug 2025 10:30:00 +0000

It’s another hot summer Friday and another day with — this one jeopardizing both student health and campus safety data.

And once again, the development is unfolding in the country’s second-largest school district.

Kokomo Solutions, which the Los Angeles district contracts with , disclosed a data breach after it discovered an “unauthorized third party” on its computer network. The discovery happened in December 2024, but the notice to the California attorney general’s office wasn’t made until Aug. 5.

It’s the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile 2022 ransomware attack exposing students’ sensitive mental health records and last year’s collapse of a much-lauded $6 million artificial intelligence chatbot project.


In the news

Students at the center of Trump’s D.C. police takeover: In an unprecedented federal power grab, the Trump administration’s seizure of the D.C. police department and National Guard deployment is designed to target several vulnerable groups — including kids.

  • The move comes at a time when crime in the nation’s capital is on the decline. But a deep-dive from June explores how the district’s failure to prevent student absences has contributed to “the biggest youth crime surge in a generation.”
  • Here’s what young people have to say about Trump’s D.C. takeover.
  • City police will roll out a youth-specific curfew Friday in the Navy Yard neighborhood.

A new Ohio law requires school districts to implement basic cybersecurity measures in response to heightened cyberattacks. What the law doesn’t do, however, is provide any money to carry out the new mandate.

News in Trump’s immigration crackdown: A federal judge in Minnesota has released from immigration detention a nursing 25-year-old mother, allowing her to return to her children as her case works its way through the court.

  • The Trump administration has revived one of its most controversial immigration policies from the president’s first term: Separating families.
  • Federal immigration officials quizzed an Idaho school resource officer about an unaccompanied migrant student, part of a broader national effort to conduct “welfare checks” on immigrant youth who came to the U.S. without their parents.
  • Leading Oklahoma Republican lawmakers have partnered with the Trump administration in a lawsuit challenging a state law allowing undocumented students to receive in-state college tuition.
  • Los Angeles community members have organized to create protective perimeters around the city’s campuses after immigration agents reportedly drew their guns on a student outside a high school.
    • The district announced new bus routes designed to improve student safety while commuting to school during heightened immigration enforcement.
  • The nonprofit Southwest Key, which for years has been the federal government’s largest provider of shelters for unaccompanied migrant children, has laid off thousands in Texas and Arizona after losing federal grants. The Trump administration dropped a lawsuit in March over allegations the nonprofit subjected migrant children to widespread sexual abuse.
  • A Texas court blocked the state attorney general’s request to depose and question a nun who leads Catholic Charities of the Rio Grande Valley, one of the largest migrant aid groups in the region.

Microphone-equipped sensors installed in school bathrooms to crack down on student vaping could be hacked, researchers revealed, and turned into secret listening devices.

‘These are innocent children, sir’: New video of the delayed police response to the 2022 mass school shooting in Uvalde, Texas, shows the campus police chief attempting to negotiate with the gunman for more than 30 minutes.

Kansas schools have become the latest target in the Trump administration’s campaign against districts that permit transgender students to participate in school athletics.

  • The Loudoun County, Virginia, school board has refused to comply with an Education Department order to end a policy allowing transgender students to use restroom facilities that match their gender identity.
  • The Education Department’s Office for Civil Rights has opened an investigation into allegations the Baltimore school district ignored antisemitic harassment by students and educators.

Lots of drills — little evidence: A congressionally mandated report finds that active shooter drills vary widely across the country — making it difficult to understand their effect on mental and emotional health.

A federal judge has blocked a new Arkansas law requiring that public schools display the Ten Commandments in all classrooms. It’s the second state Ten Commandments law to be halted this year.

ICYMI: I did a deep-dive into the far-right Christian nationalists behind more than two dozen state Ten Commandments-in-schools bills nationally — each of which are inherently identical.

Is Texas up next? Civil rights groups will ask a judge on Friday to prevent a similar law from going into effect.




Emotional Support

Don’t sleep on this — the billion-dollar industry for hypoallergenic (and floofy!) designer pups.

Ed Tech Co. That Provides Telehealth to L.A. Students Experiences Data Breach
Thu, 14 Aug 2025 18:33:38 +0000

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students’ sensitive information in jeopardy, a disclosure to state regulators reveals.

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district’s police department. In filed with the California attorney general’s office, the company disclosed that an unspecified number of individuals’ personal information was compromised after an “unauthorized third party” accessed its computer network and the exposed files pertained to the Los Angeles Unified School District.




The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation’s second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because “there’s no question that [Kokomo is] managing exceptionally sensitive information” about campus safety issues and students’ medical information, school cybersecurity expert Doug Levin said.

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.’s back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn’t heard about the data breach before being contacted by 社区黑料.

“I have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?” asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. “And how deep was the breach? Obviously that would be of concern to the parents.”


, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report “suspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues” to the district’s .

That same year, L.A. schools — along with the Children’s Hospital Los Angeles and Hazel Health — to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district’s website, while Kokomo24/7’s services focus on physical health issues, including minor injuries, allergies and headaches.

In , the district describes its Kokomo24/7-managed telehealth program as an option for students “to access healthcare when not feeling well during school hours” with the supervision of a school nurse “while remaining in school and focusing on learning.”

Kokomo founder and CEO Daniel Lee lauding the company’s ability to “transform” L.A. Unified’s COVID-tracking and health data system in a year after the school system’s previous tool became “clunky, difficult to customize and expensive to maintain.” The post notes the company’s role in creating the anonymous reporting application and the district’s Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students’ mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students’ psychological evaluations had been exposed but then had to acknowledge that they were after 社区黑料’s investigation revealed the records’ existence on the dark web.

Los Angeles Unified Supt. Alberto Carvalho, during the official launch of the AI-powered chatbot, “Ed.” (Getty Images)

Meanwhile, the district’s rollout last year of a highly touted AI chatbot named “Ed” was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company’s founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told 社区黑料 AllHere’s student data security practices violated both industry standards and the district’s own policies.

The L.A. district for the chatbot bid — including Kokomo24/7 — before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told 社区黑料 that Ed “remains on hold.”

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars — the company was the “health and safety software provider” — United Airlines’ subsidiary United Express and Fifth Third Bank.

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students’ temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company’s website.

Kokomo24/7’s connections to the L.A. district were widely featured on the company’s website until this week. In fact, listed four foundational events, including the 2023 launch of the “anonymous reporting app for students and an emergency alert system for staff” for the L.A. district.

A quote attributed to Superintendent Alberto Carvalho appeared on the Kokomo Solutions website until this week. Multiple references to the company’s work for the district were removed from its website after it disclosed the data breach. (Screenshot)

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department’s logo. Press releases announcing Kokomo’s work with the L.A. district appear to have also been scrubbed from the internet.

The since-removed Carvalho quote called “critically important.” Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people’s ability to “relay in an anonymous way — or not — potential threats” to a student or a school.

The Los Angeles Schools Anonymous Reporting app hasn’t been universally praised, and last year filed by anti-surveillance activists who alleged the tool created “a culture of mass suspicion” and bolstered police interactions between students of color and those with disabilities.

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members “to surveil each other” on behalf of school police and to file reports that don’t require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate “suspicious activity.”

“The app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,” the activist .

School Districts Unaware BoardDocs Software Published Their Private Files
Thu, 12 Jun 2025 18:30:00 +0000

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, 社区黑料 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps.

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by 社区黑料 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools. 

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told 社区黑料 Diligent began notifying all BoardDocs customers — including those who were not directly affected — on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones.


Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by 社区黑料 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised. 

In an interview with 社区黑料, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”

Nithya Das

Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to 社区黑料, saying, “Documents that were supposed to be set to private access were made accessible.” She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered.

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them.

“I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;” “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDocs files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.”

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts.

The National School Boards Association, which represents more than , didn’t respond to requests for comment from 社区黑料. On , the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.”

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by 社区黑料 that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month.

The record was provided to 社区黑料 on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,” the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to 社区黑料 and said the company is not required to notify impacted individuals under any state-level breach notification laws.

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements.

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told 社区黑料 they hadn’t received notices about the incident.

“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to 社区黑料. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

PowerSchool Paid Off Hackers After Huge Breach — Now They’re Extorting Districts
/article/powerschool-paid-off-hackers-after-huge-breach-now-theyre-extorting-districts/ Thu, 08 May 2025 17:13:49 +0000 /?post_type=article&p=1014996

Cybercriminals demanded ransom payments from school districts nationwide this week, using millions of K-12 students’ sensitive data as leverage after the files were stolen from education technology giant PowerSchool in a massive cyberattack late last year.

The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed tech behemoth’s decision to in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.


It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain.

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack.

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.”

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said.

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records. Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including to both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly.

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.”

Though they confirmed just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system.

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices.

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “We are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”

Pennsylvania Teachers Union Members Sue After Cyberattack Exposes Personal Data
/article/pennsylvania-teachers-union-members-sue-after-cyberattack-exposes-personal-data/ Mon, 07 Apr 2025 14:30:00 +0000 /?post_type=article&p=1013390

Members of the Pennsylvania State Education Association have filed multiple class-action lawsuits against the union after a cyberattack compromised the personal information of more than a half-million people.

Three union members filed suit in March, just days after the union announced a data breach had occurred on July 6, 2024.

A union investigation into the incident, completed Feb. 18, found that an “unauthorized actor” gained access to records like Social Security numbers, bank account numbers, birthdates and taxpayer identification information.


The Rhysida ransomware gang claimed on its dark web site in September that it had carried out the cyberattack.

The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the said 517,487 people were affected.

The suits allege the union failed “to properly secure and safeguard private information that was entrusted to them” and that those affected — including the relatives of members — will suffer financial losses and lost time detecting and preventing identity theft.

Educators must provide personal information to the union to receive its benefits, according to the lawsuits.

The plaintiffs also allege that the union waited too long to announce the data breach. were sent out on March 17, a month after the union’s investigation was finished.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The attack occurred on computer systems that needed security upgrades, the lawsuits allege. Two of the plaintiffs have reportedly experienced increased numbers of spam calls and emails.

“[The union] failed to properly monitor the computer network and systems that housed the private information,” one lawsuit says. “Had [the union] properly monitored its computer network and systems, it would have discovered the massive intrusion sooner rather than allowing cybercriminals almost a month of unimpeded access.”

The union, which represents 178,000 members, said in a previous statement that it isn’t aware of identity theft connected to the breach. It did not respond to a request for comment from 社区黑料 about the lawsuits.

The plaintiffs are seeking compensatory damages and want the court to order the union to pay for at least 10 years of credit monitoring services for those affected. Motions were filed in a Pennsylvania district court Tuesday to consolidate the lawsuits into one class-action case.

‘Evict Elon’: Teachers Union, Others Sue to Stop DOGE’s Access to Ed Dept. Data
/article/evict-elon-teachers-union-others-sue-to-stop-doges-access-to-ed-dept-data/ Wed, 12 Feb 2025 22:21:42 +0000 /?post_type=article&p=739959

The American Federation of Teachers filed a this week alleging that, in an unprecedented move, the Department of Education illegally gave Elon Musk’s Department of Government Efficiency access to millions of private and sensitive records, violating the federal Privacy Act.

Six individuals joined the suit, filed by the nation’s second-largest teacher’s union, alongside a coalition of labor unions representing over 2 million workers. Those impacted include teachers, who relied on federal student loans to pay for their college tuition, and high school students, who recently filed their federal financial aid forms with the department.

“When I filled out the FAFSA, I gave my Social Security number and my parent’s income information as well as their investment information,” Maryland high school student Sara Porcari said at an AFT Wednesday. “I thought that information would be private and secure. Now I’m not sure what’s happening.”


“I’m only 17 years old,” she continued, “and I don’t know who has access to my personal information or how this data breach will affect my future in college and in general.”

AFT President Randi Weingarten questioned why Musk, a billionaire given free rein by the president to remake the federal government, and DOGE want access to that information, expressing doubts about their stated purpose of improving government efficiency. 

An AFT press release Tuesday called for “Elon Musk and his minions to be immediately evicted from the U.S. Department of Education,” alleging they were feeding the data from millions of people’s private student loan accounts “into artificial intelligence in one of the biggest data hacks in U.S. history.”

 

Elon Musk arrives for the inauguration of U.S. President-elect Donald Trump in the U.S. Capitol Rotunda on January 20, 2025 in Washington, DC. (Getty Images)

Ernesh Stewart, a Washington, D.C., school counselor and mom, echoed those concerns Wednesday, “Why do you need to access my daughter’s scholarship information? Why do you even need my home address? I can’t help but wonder if there is a hidden agenda. If one of the country’s wealthiest men, who also happens to be deeply invested in AI, has access to all this information, whatever it is, I feel like it’s a gross violation of privacy.”

The Education Department, which oversees the private information of 43 million student borrowers who hold $1.6 trillion in student debt, did not immediately respond to a request for comment. A DOGE representative did not immediately respond to an email requesting comment.

Weingarten and other panelists at the conference expressed their hope that President Donald Trump’s nominee for education secretary, Linda McMahon, would join them in condemning this “data breach,” during her Thursday confirmation hearing.

“I would hope that what she would do is protect students and protect families from this kind of financial intrusion and invasion and … say to the millions of people that have been affected the steps she’s taking to stop it,” Weingarten said.

While the lawsuit contends government agencies have valid purposes for maintaining these record systems, the makes clear they can only provide access to them in very specific situations. Here, though, the filing argues, DOGE representatives have accessed the data to shut down payments “and in the case of the Education Department, the agency itself.”

After gaining access to the systems last week, Musk, who is not an elected official, turned to X, the social media platform he owns, to boast that the Department of Education no longer exists. 

In another DOGE-led effort, the Trump administration moved Monday to gut the Institute of Education Sciences, temporarily disabling an essential source of data on a host of basic information, ranging from high school graduation rates to school safety. 

DOGE was created by a Trump executive order in January. Supporters argue Musk is working to cut federal bloat and streamline systems. But critics say Musk, whose companies, including SpaceX, receive billions in government contracts, lacks transparency and has immense conflicts of interest.  

The suit, filed Monday in U.S. District Court in Maryland, also alleges that the U.S. Department of Education, along with the Office of Personnel Management and the Department of Treasury, has exposed millions of Americans to “the risk of identity theft, harassment, intimidation, and embarrassment” by improperly disclosing their sensitive records to DOGE employees who lack appropriate security clearances. The staff includes a 19-year-old who has previously leaked proprietary information, according to the suit.

WIRED magazine broke the story earlier this month that at the center of DOGE’s effort to take over various federal departments and agencies are six male engineers, with ties to Musk.

In particular, plaintiffs claim that the Department of Education and its acting head, Denise Carter, have released data from the National Student Loan Data System, a financial aid-related database housed within the Education Department that contains information on almost 34 million borrowers and their families. It includes a plethora of sensitive information, including Social Security numbers, bank records, home addresses and immigration status. 

About 20 people with DOGE have begun working inside the education department, looking to cut According to reporting from some of these representatives have fed sensitive and personally identifiable data from across the department into artificial intelligence software to look into the agency’s programs and spending.

Plaintiffs are asking the court to end the data disclosure immediately by restoring Privacy Act protections and are demanding that any data currently in DOGE’s possession be deleted and destroyed. The act, put in place in the wake of the Watergate scandal, regulates the circumstances in which agency records about individuals can be shared; disclosing anything beyond this is illegal.

On Tuesday, a federal judge in a against the Education Department blocked Musk’s team from accessing several systems that store sensitive data including student loans, but only temporarily. In a hearing for that case, Musk said he did not see how DOGE’s access to student loan data caused harm.

While it has previously been reported that DOGE representatives are political appointees, it now appears that some have received official government credentials, including email addresses, at multiple agencies, including at the Department of Education, leading to confusion about who actually employs them.

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden
/article/kept-in-the-dark/ Tue, 04 Feb 2025 09:01:00 +0000 /?post_type=article&p=736756

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools鈥 messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024.

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 社区黑料. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district’s September 2023 breach notice in the mail but he “didn't even read it.” The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.


This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it “the worst ransomware year on record for education.”

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean.”

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 社区黑料. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district’s September 2023 breach notice in the mail but he “didn't even read it.” The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.

Online Censorship in Schools Is ‘More Pervasive’ than Expected, New Data Shows /article/schools-use-of-web-filtering-subjective-and-unchecked/ Thu, 23 Jan 2025 13:30:00 +0000 /?post_type=article&p=738793 This article was originally published in

Aleeza Siddique, 15, was in a Spanish class earlier this year in her Northern California high school when a lesson about newscasts got derailed by her school’s internet filter. Her teacher told the class to open up their school-issued Chromebooks and explore a list of links he had curated from the Spanish language broadcast news giant Telemundo. The students tried, but every single link turned up the same page: a picture of a padlock.

“None of it was available to us,” Aleeza said. “The site was completely blocked.”

She said her teacher scrambled to pivot and fill the 90-minute class with other activities. From what she recalls, they went over vocabulary lists and independently clicked through online quizzes from Quizlet — a decidedly less dynamic use of time.




by the D.C.-based Center for Democracy & Technology shows just how often some of that blocking happens nationwide. The nonprofit digital rights advocacy organization conducted its fifth annual survey of middle and high school teachers and parents as well as high school students about a range of tech issues. About 70% of both teachers and students this year said web filters get in the way of students’ ability to complete their assignments.

Virtually all schools use some type of web filter to comply with the Children’s Internet Protection Act, which requires districts taking advantage of the federal E-rate program for discounted internet and telecommunications equipment to keep kids from seeing graphic and obscene images online. A , which is now a part of CalMatters, discovered far more expansive blocking by school districts than federal law requires, some of it political, mirroring culture war battles over what students have access to in school libraries. That investigation found school districts blocking access to sex education and LGBTQ+ resources, including suicide prevention. It also found routine blocking of websites students seek out for academic research. And because school districts tend to set different restrictions for students and staff, teachers can be because of how they complicate lesson planning.

Web filtering is ‘subjective and unchecked’

Elizabeth Laird, director of equity in civic technology for the center and lead author of the report, said The Markup’s reporting helped inspire additional survey questions to better understand how schools are using filters as a “subjective and unchecked” method of restricting students’ access to information.

“The scope of what is blocked is more pervasive and value-laden than I think we initially even knew to ask last year,” Laird said.

While past surveys have revealed how often students and teachers report disproportionate filtering of content related to reproductive health, LGBTQ+ issues and content about people of color, the center asked respondents this year if they thought content associated with or about immigrants was more likely to be blocked. About one-third of students said yes. 

Aleeza would have said yes, after her experience with Telemundo. The California teen said how often she runs into blocks depends on how much research she’s trying to do and how much of it she has to do on her school computer. When she was taking a debate class, she ran into the blocks regularly while researching controversial topics. An article in Slate magazine about LGBTQ+ rights gave her a block screen, for example, because the entire news website is blocked. She said she avoids her school Chromebook as much as possible, doing homework on her personal laptop away from school Wi-Fi whenever she can.


Nearly one-third of teachers surveyed by the Center for Democracy & Technology said their schools block content related to the LGBTQ+ community. About half said information about sexual orientation and reproductive health is blocked. And Black and Latino students were more likely to say content related to people of color is disproportionately blocked on their school devices.

For students like Aleeza, the blocking is frustrating in practice as well as principle. 

“The amount that they’re policing is actively interfering with our ability to have an education,” she said. Often, she has no idea why a website triggers the block page. Aleeza said it feels arbitrary and thinks her school should be more transparent about what it’s blocking and why.

“We should have a right to know what we’re being protected from,” she said.

Audrey Baime, Olivia Brandeis, and Samantha Yee, all members of the CalMatters Youth Journalism Initiative, contributed reporting for this story.

This was originally published on .

Providence’s Refusal to Acknowledge Sensitive Student Data Leak Feels Familiar /article/providence-hack-exposes-thousands-of-sensitive-student-records/ Sat, 19 Oct 2024 12:01:00 +0000 /?post_type=article&p=734414 School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber. Subscribe here.

Medusa’s back at it.

The cybergang, which has become notorious for devastating ransomware attacks on K-12 school systems, has claimed the Providence, Rhode Island, district as its latest victim, leaking tens of thousands of sensitive student records on its Telegram channel.

Yet the district remains unaware — or is perhaps unwilling to admit — that students’ private affairs have entered the public domain. Sexual misconduct reports. Special education records. Medical records. Vaccine histories. All are available with a Google search and a few mouse clicks.

So why won’t the district acknowledge to parents and students that their information was stolen? It’s a refusal I’ve seen repeated again and again while reporting on school cyberattacks over the last few years.

Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/社区黑料).

Earlier this month, the Providence district spokesman told reporters that an ongoing investigation had uncovered that any personal information for students has been impacted.” Yet when 社区黑料 presented the district this week with evidence to the contrary, he doubled down. Third-party consultants are conducting “a comprehensive review” to determine what files were stolen, he told 社区黑料 without uttering the word “student.”


The files have been available for download for nearly a month. The state education department spokesperson told me — in an unsolicited phone call this week after catching wind of my latest investigation — that nobody (except me, apparently) was previously able to access the breached records.

“No one had actually gone in to see the files,” he said.

Click here to read my latest story on the K-12 ransomware beat. And thank you to our partners at The Boston Globe our story Friday.


In the news

As Eric Adams, the mayor of New York City and a former police officer, faces not one but four (!) criminal investigations, federal agents searched the offices of the city police department’s school safety division. The raid was part of an inquiry into a possible bribery scheme involving a company that sells panic buttons to districts nationwide.

GAO Report K-12 Education: Nationally, Black Girls Receive More Frequent and More Severe Discipline in School Than Other Girls

‘Black girls were always the ones who got disciplined’: Black girls face harsher and more frequent disciplinary actions than their white female classmates — in the same schools and for similar behaviors — according to a new Government Accountability Office report on racial disparities in student suspensions. | 社区黑料

Kids who are removed from their homes for abuse or neglect routinely find themselves sleeping in the offices of child protective services. Here’s how often it happens in Indiana.

‘I’ve got to finish up my school shooter outfit, just kidding’: Prosecutors say the father of a teenager accused of unleashing a deadly mass shooting at his Georgia high school knew the boy was obsessed with previous gunmen — and had a shrine above his bed to the school shooter in Parkland, Florida.

Specialized schools in Michigan that serve students with complex behavioral issues routinely call the cops for backup. The frequent calls, critics argue, offer evidence the schools are failing the kids they’re designed to help.

How DACA helps everyone: Deferred Action for Childhood Arrivals — the Obama-era policy that provides deportation relief to undocumented immigrants who entered the country as young children — is a boon for U.S.-born kids, a new study suggests. The program “improves test scores and educational attainment not only for those directly eligible, but also for their peers.”

How a 15-word statement led to the arrest of a 10-year-old boy with autism at his Texas elementary school.

The Massachusetts attorney general’s office has sued TikTok, alleging the social media company knew its service was addictive to teens and was associated with sleep disruption, depression and anxiety.

Nov. 5 is approaching — And schools worry about the safety of their students when their campuses are used as polling locations.

Utah lawmakers earmarked $100 million for schools to meet new security requirements, including panic buttons, locks and armed guards. The actual price tag? $800 million.


ICYMI @The74

1st Federal Survey of Trans Students: 72% Feel ‘Hopeless,’ 1 in 4 Tried Suicide

L.A. Housing Crisis Hits LAUSD as Number of Homeless Students Continues to Grow

NYC Schools Launch Anti-Hate Hotline as Antisemitism and Islamophobia Reports Rise

Banned Books Find Shelter in Maryland ‘Sanctuary Library’


Emotional Support

Leo, who lives with my colleague Jo Napolitano, came prepared for school photo day.

Providence Students’ Data Exposed in Cyberattack — District Denies Leak /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/ Fri, 18 Oct 2024 10:30:00 +0000 /?post_type=article&p=734352 Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month.

A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by 社区黑料 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist.

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

An analysis by 社区黑料 of the stolen files — posted by the threat actors to the messaging platform Telegram — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.”

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (Screenshot).

In a statement to 社区黑料 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

Wégimont’s statement doesn’t acknowledge that students’ records had been compromised.

The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told 社区黑料.

“People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.”

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Javier Montañez

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials.

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday.

“No one had actually gone in to see the files,” he told 社区黑料, although the district had said it was conducting an ongoing analysis.

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (screenshot)

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are 鈥渨orking closely with the district鈥 on its ransomware recovery, Morente said. 

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had 鈥渟ignificant difficulty sustaining attention to task鈥 and who 鈥渨andered around the classroom setting without purpose.鈥 Another special education plan notes a 3-year-old boy 鈥渞andomly roamed the room humming the tune to 鈥榃heels on the Bus,鈥 pushed chairs and threw objects.鈥 

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents鈥 names. Another includes information about their race and the languages spoken at home.

A 鈥渢ermination list鈥 included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who 鈥渞etired in lieu鈥 of being fired and a middle school English teacher who 鈥渞esigned per agreement.鈥 Another set of documents revealed a fifth-grade teacher鈥檚 request 鈥 and denial 鈥 for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her 鈥渓ess effective as an educator if I am not supported with the accommodations because I can not sleep at night.鈥 

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

A Providence Public School District student’s vaccine record. 社区黑料 cropped the photo above to remove the student’s name. (Screenshot)

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles

The Medusa attack and Providence’s response are similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by 社区黑料 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown.

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw.

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records.

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

Stolen Providence School District Data May Be Making Its Way Online /article/stolen-providence-school-district-data-may-be-making-its-way-online/ Sun, 13 Oct 2024 13:00:00 +0000 /?post_type=article&p=733980 This article was originally published in

Providence public school officials last Friday were about to finalize a credit monitoring agreement to provide protection for district teachers and staff after a recent ransomware attack on the district’s network.

Then over the weekend, a video preview of selected data allegedly stolen from the Providence Public School Department (PPSD) showed up on a regular website. The site is accessible via any internet browser — what’s sometimes called the “clearnet” — unlike the dark web ransom page where cybercriminal group Medusa first alleged to .

While a forensic analysis of the breach continues, the credit monitoring agreement with an unspecified vendor was finalized as of Thursday and the district was drafting a letter to go out to the staff “very soon” with information on how to access those services, spokesperson Jay G. Wégimont said in an email.




“First and foremost, the safety and security of our staff members is of utmost importance, and the District continues to make decisions with that in mind,” Wégimont said.

“We will also continue to explore any additional services we can offer to protect the security of our staff members and students.”

Meanwhile, the data breach has yet to be formally reported to the Rhode Island Attorney General’s office, said spokesperson Brian Hodge. requires any municipal or government agency to inform the AG’s office, credit reporting agencies, and people affected by a breach within 30 days of the breach’s confirmation.

PPSD first used the wording “unauthorized access” to describe the breach in a Sept. 25 letter from Superintendent Javier Montañez, although the Providence School Board had used the term “breach” in a public statement on Sept. 18.

Providence Mayor Brett Smiley was “encouraged” the district was advising potentially affected staff and finalizing the credit monitoring agreement, spokesperson Anthony Vega said in a statement emailed Tuesday to Rhode Island Current.

The Providence City Council declined to comment, said spokesperson Roxie Richner in an email. Gov. Dan McKee’s office did not respond to a request for comment.

‘Robert’ makes a video

Ransomware group Medusa first took public credit for the pirated PPSD data on Sept. 16, when it demanded a $1 million ransom to be paid by the morning of Sept. 25.

Rhode Island Current previously reported that the alleged ransom landing page did not provide access to files, but did show file and folder names, as well as partially obscured screenshots of the allegedly stolen data.

The clearnet-hosted leak includes a 24-minute screen recording in which someone clicks through an assortment of the allegedly leaked files and folders on an otherwise empty Windows desktop. The post sports a disclaimer that its author is “not engaged in illegal activities” and showcases leaks only for “possible information security problems.”

The author signs off: “Traditional thanks to The Providence Public School Department for the provided data. Do not skimp on information security. Always yours. Robert.”

While the uploader does not explicitly brand themself as affiliated with Medusa, the “Robert” source appears to share all the same leaks Medusa does, and both sources use the same encrypted messaging address, according to threat researchers at Bitdefender.

Ransomware attacks, and Medusa’s methodology as well, have long been associated with social engineering — like getting people to click phishing links in emails. But it’s becoming more common that outdated hardware or software are to blame, said Bill Garneau, vice president of operations at CMIT Solutions in Cranston.

“What we’ve started to see in terms of ransomware is, it’s not only business email compromise,” Garneau said. “Threat actors out there are really pursuing systems that are out of compliance.”

That could mean equipment at the end of its manufacturer-supported lifespan, or software that needs to be patched. Garneau’s company uses a crafted by the National Institute of Standards and Technology. One of its standards is to patch devices within 30 days of the patch release, before threat actors can exploit the vulnerabilities patches are meant to fix.

“If there’s a patch available, it’s because there’s a bad guy out there that knows that there’s a vulnerability, and there’s somebody that’s knocking on doors trying to find it,” Garneau said.

To insure or not to insure?

Cyber insurance policies can cover some costs incurred by attacks. But they can’t prevent future threats or suddenly make insecure networks better, Garneau noted.

“Insurance is great, right? But that’s not going to solve any problem,” Garneau said.

PPSD has not responded to requests about whether the district has cyber insurance. According to Lauren Greene, a spokesperson for the Rhode Island League of Cities and Towns, no public entity would disclose that information anyway. “As you can understand, it poses a security risk for municipalities to disclose if and what type of cybersecurity insurance that they have,” Greene said in an email.

“Municipalities continue to prioritize training for their staff in order to mitigate risk and draw awareness to the constantly evolving threats,” Greene added, and noted that a community’s IT staff may work across multiple areas or departments like public safety and schools.

A released Monday, however, showed that state-level IT officials and security officers are not feeling confident about the budgets for their states’ IT infrastructure.

“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” Srini Subramanian, principal of Deloitte & Touche LLP, said in an with States Newsroom. “And CISOs (chief information security officers) have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”

Those challenges were reflected in the survey numbers, which found almost half of respondents did not know their state’s budget for cybersecurity. Roughly 40% of state IT officers said they did not have enough funds to comply with regulations or other legal requirements.

That finding echoes a , which scores and analyzes municipal bonds. “While robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,” wrote Gregory Sobel, a Moody’s analyst and assistant vice president, in the report.

Moody’s also noted that one survey showed 92% of local governments had cyber insurance, a twofold increase over five years. But that popularity came with higher rates: One county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Those higher costs are also in addition to stricter stipulations on risk management practices before a policy will pay out, like better firewalls, consistent data backups and multi-factor authentication.

Douglas W. Hubbard, the CEO of consulting firm Hubbard Decision Research and coauthor of “How to Measure Anything in Cybersecurity Risk,” told Rhode Island Current in an email that schools should exhaust the low-cost, shared or free resources available to help them manage cyber risk. Examples include (CISA) or a by the Federal Communications Commission for K-12 schools.

“For specific cybersecurity recommendations…there are a few things that are so fundamental that administrators don’t really even need a risk analysis to get started,” Hubbard said. They include training staff and students on best practices including strong passwords or avoiding mysterious links. Multi-factor authentication is “probably the single most effective technology a school could implement,” even if it involves an upfront cost, Hubbard said.

“The fundamental responsibilities of the schools should include at least using the resources which have been made available to them through the programs I mentioned,” Hubbard said. “If they aren’t doing at least that, there is room for blame.”

This article was corrected to show that Rhode Island state law requires municipal agencies to notify affected parties and the state Attorney General within 30 days of a data breach. The article originally stated 45 days, which is the timeframe required for individuals to report a breach. 

is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Rhode Island Current maintains editorial independence. Contact Editor Janine L. Weisman for questions: info@rhodeislandcurrent.com. Follow Rhode Island Current on and .

Providence School Officials Quiet on Data Breach Details /article/providence-school-officials-are-quiet-on-data-breach-details/ Wed, 25 Sep 2024 14:30:00 +0000 /?post_type=article&p=733221 This article was originally published in

The Providence School Board typically broadcasts its meetings to .

But Wednesday evening’s board meeting would not be televised.

Less than five minutes before the scheduled start time, school board President Erlin Rogel to express his regret that a weeklong internet outage at Providence schools would also affect the board’s regularly scheduled programming. But the portion of the meeting most germane to the network issues wouldn’t have been broadcast anyway, since it met in executive session.




In a statement issued Thursday, Rogel described the executive session as “regarding the recent breach of the district’s network.” It included a presentation from the Rhode Island Department of Education (RIDE) and the Providence Public School Department (PPSD).

“While I cannot disclose the specific contents of our discussion, I can state that the district is awaiting an analysis of this breach to learn more about its severity and the degree to which any information was exposed,” Rogel wrote. “While we await the results of that analysis, PPSD continues to mobilize every resource available to ensure that learning proceeds with as little disruption as possible.”

Rogel did not respond to multiple requests for comment from Rhode Island Current.

The school board president’s use of the term “breach” differs from the district’s official language, which has tiptoed around the problem’s exact nature. A to the PPSD community described “irregular activity” on the district network, which ultimately led IT staff to shut down internet access across district offices and schools. Internet remains largely absent in Providence schools, aside from a fleet of enlisted to provide connectivity in the main network’s absence.

A sent from PPSD to community members said a forensic analysis was still ongoing and that “there is no evidence that PPSD data has been affected.”

But on Monday, for the “irregular activity” with a post to its publicly accessible ransom blog that purported to include 41 watermarked, sometimes partially obscured, screenshots that preview the contents of the 201 gigabytes of data the hackers claim to have stolen, with identifying information — like alleged serial numbers for employee cell phones and parents’ contact information — included.

After penetrating a system, Medusa ransomware and amasses exploitable data. Once the bounty is big enough, it will encrypt files and make them inaccessible to users. A ransom note is then delivered to victims, with files held hostage unless a ransom is paid. Medusa hackers also employ a “” method, meaning they not only steal files, but will sell or release the data publicly if payment is not received.

The ransom page suggests PPSD can recover or delete its data by paying $1 million. A $100,000 payment would extend the timer by one day. The deadline is the morning of Sept. 25, according to the hackers’ countdown timer.

Specifics about district kept secure

Jay G. Wégimont, PPSD spokesperson, did not respond to numerous requests for clarification or comment on Friday.

Forensic analyses , meaning those answers won’t be available immediately. But it’s still unknown whether the school department has a cyber insurance policy, or the possible costs associated with the usage of hotspots that are currently substituting for a dedicated network. Also up in the air is whether the district successfully awarded a 2024 contract that would for copies of security software Cortex XDR Pro, a product from Palo Alto Networks that promises with proper installation.

Wégimont did not provide information as to the status of the district’s senior director of information technology, for which a has been online since May. The role is also vacant according to a Jan. 2024 . The contains 13 full-time information services roles for PPSD, down three from the previous year.

“We also want to note that our student and staff information systems are also separate from our network,” Superintendent Javier Montañez wrote in a Sept. 16 letter to the PPSD community.

Wégimont did not clarify what this means. Typically, large networks called domains offer varying levels of access for different types of users across IT services for big organizations like school districts.

Back-to-school for threat actors, too

Perennially underfunded school districts nationwide are a favorite among ransomware actors. A report published in Oct. 2022 cited research that over 647,000 K-12 students were potential victims of ransomware attacks as of 2021. Resulting learning loss ranged from days to weeks, while it took districts’ infrastructure anywhere from two to nine months to recover.

Providence officials have not confirmed ransomware as the source of their network woes. The alleged hack comes at an inopportune time for PPSD, which has been under state control since 2019 and will remain so for , state education officials announced last month.

If Medusa leaks the PPSD data it claims to have, and it contains private student information, the leakage could be in, a federal law meant to shield confidential student data. Best practices determine that affected school districts contact authorities once a breach is suspected. (Schools do not, however, have to contact the U.S. Department of Education about ransomware, although it is so they can receive federal resources.)

“As is standard operating procedure, the District and their professional third-party IT agency contacted RI State Police, Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) last Wednesday,” Wégimont said in a Sept. 18 email.

Kristen Setera, a spokesperson for the FBI Boston Division, declined to comment.

“Generally speaking, we do not comment on specific incidents because victims should feel confident that, when reporting a crime to the FBI, their status as ‘victim’ is paramount to the investigation and that their identity will not be disclosed,” Setera said in a Thursday morning email to Rhode Island Current. “If a victim wants to disclose our involvement, we leave it up to them to do so.”

In the meantime, Providence schools have made do with older technologies. Maribeth Calabro, president of the Providence Teachers Union, did not acknowledge requests for comment from Rhode Island Current, but did previously speak with multiple news outlets about the effects on the district’s teachers. Some are confused about which devices they can or can’t use, Calabro told the , and have opted to teach the old-school way instead, without computers.

A Tuesday on a social media post about the potential Providence hack seems to voice one student’s concern: “Bro.. I just want the school wifi back.”


Data Privacy Advocates Raise Alarm Over NYC’s Free Teen Teletherapy Program /article/data-privacy-advocates-raise-alarm-over-nycs-free-teen-teletherapy-program/ Thu, 12 Sep 2024 12:30:00 +0000 /?post_type=article&p=732707 This article was originally published in

New York City’s free online therapy platform for teens may violate state and federal laws protecting student data privacy, lawyers from the New York Civil Liberties Union and advocates charged in a letter Tuesday to the city’s Education and Health Departments.

, a $26 million partnership between the city Health Department and teletherapy giant Talkspace launched in late 2023, connects city residents between ages 13 and 17 with free therapists by text, phone, or video chat.

In less than a year, roughly 16,000 students have signed up, Health Department officials said. Sign-ups disproportionately came from youth who identified as Black, Latino, Asian American and female and live in some of the city’s lowest-income neighborhoods, .




Information shared with a therapist is subject to stringent protections under the federal Health Insurance Portability and Accountability Act, or HIPAA. But before connecting with a therapist through Teenspace, teens go through a registration process that asks for personal information like their name, school, mental health history, and gender identity. Advocates are concerned such information is being improperly collected and could be misused.

For one, teens enter the registration information before securing parental consent — a possible violation of federal student privacy laws, the letter contends.

And families don’t get a chance to review the privacy policy — which discloses that registration information can be used to “tailor advertising” and for marketing purposes — before entering the registration information, advocates allege. There’s an option for teens to request that their data be deleted from the company’s platform, but it’s hard to find, according to advocates.

“It’s all very invasive,” said Shannon Edwards, a parent and founder of AI For Families, an organization that seeks to help families navigate artificial intelligence, who co-authored the letter along with NYCLU and the Parent Coalition for Student Privacy. “It’s also very unclear that parents understand what they’re getting themselves into.”

Advocates also pointed to the risk of a potential data breach — something the city has in recent years.

Advocates say similar about have been circulating for years and questioned whether city officials did sufficient due diligence or built in enough additional privacy safeguards before inking the contract.

“It’s the opacity of the relationship here, and the failure to make manifest what the city is doing to ensure there isn’t this data accumulation and sharing for inappropriate purposes,” said Beth Haroules, a senior attorney at the NYCLU who co-authored the letter.

Health Department spokesperson Rachel Vick said the agency has “taken additional steps to protect the data of Teenspace users and ensure information is not collected for personal gain, including stipulations that require all client data to remain confidential during and after the completion of the city’s contract and barring use of data for any purpose other than providing the services included in the contract.”

Client data is destroyed after 30 days if a teen doesn’t connect with a therapist, officials said.

A spokesperson for Talkspace referred questions to the Health Department.

The extent to which Teenspace is subject to state and federal laws governing student privacy in educational settings is somewhat murky, given that the contract is with the city’s Health Department, not its Education Department.

But NYCLU attorneys contend “the City cannot absolve itself of its responsibility to provide the protections inherent in federal and state laws…simply because the contract sits with DOHMH instead of DOE. The service is promoted on public school websites, and it is DOE’s responsibility to ensure that student data is protected, regardless of which City agency signs the contract.”

Parents may be more inclined to trust the platform because it has a “stamp of approval” from the school system, Edwards added.

A Health Department spokesperson didn’t specify whether the program is subject to education privacy laws, but said it’s “not a school based service.”

Teenspace has been the city’s highest-profile effort to address the ongoing youth mental health crisis.

“We are meeting people where they are with a front door to the mental health system that for too long has been too hard to find,” said Ashwin Vasan, the city’s health commissioner, in May.

Some teens have praised the program, noting it’s a way to bring mental health care to young people who may not otherwise have access.

But some mental health providers have argued it can’t replace the kind of intensive care a clinician provides, especially for kids with severe mental health challenges.

Company officials shared in May that they had helped 36 teens navigate serious incidents including reports of suicide attempts and abuse — cases they referred to child protective services, in-person therapists, or hospitals.

Talkspace CEO Jon Cohen previously told Chalkbeat the company uses an artificial intelligence algorithm to scan transcripts of therapy sessions to help identify teens at risk of suicide.

Even advocates critical of Teenspace’s privacy protections acknowledge the severe shortage of mental health providers and say teletherapy can play a role in filling the gap.

“We know you cannot find providers — there is such a need,” said Haroules. But advocates said the city can do more to ensure its vendors are meeting strict standards for data privacy, especially with such sensitive information.

“Everyone thinks, well, mental health is important for kids, these kinds of services are required — when on the other side is: ‘How are they getting to it?’” said Edwards. “It doesn’t matter what the app is, there has to be a standard.”

This was originally published by Chalkbeat. Chalkbeat is a nonprofit news site covering educational change in public schools. Sign up for their newsletters at .

L.A. Schools Investigates Data Breach as FCC Approves $200M Cybersecurity Pilot /article/l-a-schools-investigates-data-breach-as-fcc-approves-200m-cybersecurity-pilot/ Fri, 07 Jun 2024 20:39:26 +0000 /?post_type=article&p=728124 On the same day that millions of sensitive records purportedly stolen from the Los Angeles school district were posted for sale on the dark web, the Federal Communications Commission approved a $200 million pilot program to help K-12 schools and libraries nationwide fight an onslaught of cyberattacks. 

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years.

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.




“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

The Satanic Cloud, which posted the most recent batch of LAUSD data, told 社区黑料 it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told 社区黑料 in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, 社区黑料 found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had.

Just last month, a joint investigation by 社区黑料 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breach notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district.

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L.A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggests the records include similar information about teachers.

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told 社区黑料 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information.

Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told 社区黑料, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack.

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.”

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.”

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.”

Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households.

In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support.

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told 社区黑料 that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.”

Louisiana School District Notifies Data Breach Victims After News Investigation
/article/louisiana-data-breach/
Wed, 29 May 2024 10:30:00 +0000

This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months — long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General’s Office to contact the district and warn school officials of their obligations.

The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request. 


They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general’s office was on the phone to the school district. The attorney, focused on consumer protection, questioned them “directly in response to the article,” one email states.

The Dec. 4 investigation, co-published by The Advocate and 社区黑料, contradicted school district assertions that no sensitive student, employee or business owners’ information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months.

L. Christopher Styron, the lawyer with the state attorney general’s office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry’s data breach response obligations under state law — rules that school officials had failed to follow.

Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers it alerted victims that their information had been compromised. It’s unclear how many victims, among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach.

The school board’s attorney Courtney Joiner wrote in a response email to Styron a day later that he was “working with the School Board to address the notice issue without further delay.”

In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that “sensitive information may have been obtained by an unknown malicious third-party,” according to the records. Officials didn’t send a formal notice to the attorney general’s office until Jan. 10, a day after The Advocate filed its public records request.

Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail “well after the fact” that she had been victimized.

“I really thought it was too little, too late,” she said. “This should have happened much earlier.”

Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

It took the district 149 days after the breach to tell victims they “may have been impacted by the incident” and another 19 to formally notify the attorney general.

The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

Officials with the school board declined to answer any questions for this story. A list of written questions was submitted but officials had yet to respond by the time of publication. The attorney general’s office didn’t respond to interview requests.

St. Landry’s response resembles that of school districts across the country, investigative reporting by 社区黑料 has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat’s impact on students and teachers, education leaders nationwide have sought to downplay the attacks’ severity and obscure any subsequent harm to individuals.

James Lee, the chief operating officer of California-based said the delay by St. Landry officials is “reflective of a problem we have” nationally where cyberattack victims have grown increasingly resistant to filing breach notices.

“In many instances, it’s because the decision to issue a notice resides 100% with the organization that loses control of the information,” Lee said. “Highlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they’re at risk.”

‘For reasons that are unknown’

In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn’t contain any sensitive employee or student information.

But 社区黑料’s data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

In its letter to the AG’s office, the district stated that the stolen files had been “recovered.” However, a check by 社区黑料 last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don’t pay to keep them private.

Superintendent Batiste wrote in that Jan. 10 notice that the district’s computer network had been encrypted by “a malicious person or group” in July but that St. Landry had never received a ransom demand.

Yet, among the cache of district documents available on Telegram is a text file titled “LOOK!!!!,” which includes a link to Medusa’s dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa’s Telegram channel and to a website designed to resemble a technology news blog — a front of sorts — with a video highlighting the St. Landry records in its possession.

It was in August 2023 that the Louisiana State Police Cyber Crime Unit notified school officials that “an unknown number of files containing sensitive information” had been compromised, the letter states. That same month, Batiste had assured the public otherwise.

Files posted to a Medusa leak site “were recovered by the Cyber Crime Unit” with the state police, Batiste’s letter continues, “but, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6” — two days after the newspaper investigation published.

‘How do you recover it?’

The cybercriminals behind the St. Landry breach employed “double extortion,” a growing ransomware strategy where hackers break into a victim’s computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet.

In asserting to reporters last year that the Medusa hack didn’t lead to a breach of sensitive information — despite overwhelming evidence that it had — district officials acknowledged they hadn’t taken any steps to understand the scope of what was stolen or to notify individual victims.

Byron Wimberly, the district’s computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools — even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information.

Tricia Fontenot, the district’s supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all.

“We never received reports of the actual information that was obtained,” Fontenot said. “All of that is under investigation. We have not received anything in regard to that investigation.”

Fontenot’s statement contradicts Batiste’s timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20.

Reached by phone last week, Fontenot declined to comment.

The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by “an unknown malicious” threat actor but isn’t explicit to recipients about whether their information was included.

It remains unclear how many of the thousands of data breach victims identified in the news outlets’ investigation — including teachers, staff, students and sales tax filers from across the country — received the Dec. 21 notice.

The data breach letter states that victims were being notified months after the incident because “the process of obtaining and then reviewing the acquired files took several months.”

“We are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,” the letter states, acknowledging that stolen information contains individuals’ names, addresses, birth dates, Social Security numbers and driver’s licenses.

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

Louisiana’s data breach notification law doesn’t apply to some types of sensitive files exposed in the breach, such as student disciplinary records.

School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn’t exist and state requirements vary.

School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

“In fact, I don’t think I’ve ever heard of that kind of arrangement,” he said. “Most organizations do hire their own cybersecurity experts whether it’s a school district or it’s a nonprofit or a commercial entity.”

Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

While the district offered a year of credit monitoring — a common practice after entities suffer data breaches — Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever.

“How do you recover it once it’s out there?” she said. “Do you tell the people who got it illegally that you have to take it down and hope they do?”

This story was supported by a grant from the Fund for Investigative Journalism

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by 社区黑料, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.”

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,’ withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.

The situation could have grown far more dire without Fowler’s audit.

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with 社区黑料. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.”

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.”

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors.

Countering Raptor’s claims that data were encrypted, Fowler told 社区黑料 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.”

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.”

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 社区黑料 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.

The forum’s decision to remove Illuminate followed an article in 社区黑料, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge, created in 2014 by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, placed restrictions on the ways ed tech companies could use the data they collect about K-12 students.

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 社区黑料 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar.

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided 社区黑料 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside.

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.”

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe.

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

Minneapolis Data Breach a ‘Worst-Case Scenario’ after Ransomware Attack
/article/from-campus-rape-cases-to-child-abuse-reports-worst-case-data-breach-rocks-mn-schools/
Fri, 05 May 2023 11:15:00 +0000

Updated

It took two years of middle school girls accusing their Minneapolis English teacher of eyeballing their bodies in a “weird creepy way,” for district investigators to substantiate their complaints.

Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public Schools investigative records that are now readily available online — just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

The files, purportedly stolen from the Minneapolis school district, first appeared online in March, just days after a ransomware gang named Medusa announced the school system failed to pay $1 million to keep its information from getting posted to the web. 

In a leaked 2018 email, a district official seems to make light of the frequency of civil rights complaints after several girls accused their high school Arabic teacher of inappropriate touching. 

“When it rains, it pours, I guess!” the district official wrote. In other documents, an educator was accused of buying a colleague a lap dance during an afterwork outing to a strip club and, in a separate incident, a district technology specialist was accused of hacking into a girl’s social media to stalk her on a date. The veracity of the files hasn’t been confirmed by Minneapolis schools but by all appearances, they expose a shocking degree of information about current students and staff.

The information is so searingly personal that attorney and student privacy consultant Amelia Vance said she would have a hard time strategizing a mitigation response. 

“I’m an expert in this and I have no idea,” Vance, president of the Public Interest Privacy Center, told 社区黑料.

The records were uncovered in an analysis by 社区黑料 of a cache of files reportedly stolen from Minneapolis schools and uploaded to the internet after the district fell victim to what it euphemistically described as an “encryption event.” The Medusa gang, a that adopts a clumsy, perhaps youthful online persona, ultimately took credit for the February breach that led to .

The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse.

Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns.

“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.”

She’s also struggled to give meaningful advice to anxious parents who need help.

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.’”

‘A rock over their head’

While the oldest breached records span back to at least 2018, the most recent files, including several related to confidential civil rights cases, are from earlier this year. Some of the files — which were previewed in a 50-minute video — can be read with little more than a Google search.

The way the files were uploaded is “part of what makes this incident so heartbreaking and extraordinary,” Vance said.

Breaking from standard procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as 社区黑料 first revealed, download links were published to Telegram, the encrypted instant messaging service, and a faux technology news blog that appears to have direct ties to the ransomware attackers. Unlike breaches posted to the dark web, which require special tools and some know-how to access, Vance said “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”

The files include district financial records, educators’ Social Security numbers and other documents that have long been targets for cyber criminals looking to facilitate identity theft. Yet Vance said the real harm — and a distinguishing feature — of the Minneapolis breach is the sheer volume of compromising information about students and staff that has been exposed.

The district didn’t respond to a list of questions from 社区黑料. In its , from April 11, interim Superintendent Rochelle Cox said it has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.” While a small subset of the data was previewed in a video in early March, a download link for the complete archive of stolen district records didn’t become available until late March. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7, but does “not have the results of that investigation.”

Because the harm from ransomware attacks has long been framed through the lens of identity theft and fraud, robust protections are now in place to help the victims of financial crimes, Vance noted. Parents can freeze their children’s credit. People can also cancel any credit cards that get caught up in a breach, and districts regularly provide identity theft protection to data breach victims.

After the release of highly sensitive information, she said there are no clear remedies for something that could be potentially life altering for victims.

“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?”

‘Potentially catastrophic’

Federal law enforcement officials have long advised school districts and other cybercrime victims against paying ransom demands, but the sheer volume and sensitive nature of the breached Minneapolis files has left some experts questioning whether the district made the right call by refusing to pay up. 

“There are circumstances where — if you’re looking at it from a question of, ‘How do you reduce potential harm and risk and danger to your school community,’ — then doing the unsavory is perhaps the correct choice,” said Doug Levin, the national director of the K12 Security Information Exchange.

Officials generally warn against paying ransoms for several reasons: Negotiating with known criminals may not produce the desired outcome, and offering payments helps finance future crimes. But in this case, Levin said the Minneapolis district was presented with a difficult choice. Even before the records were posted online, the group took extraordinary steps — including uploading a video to Vimeo — to publicize sensitive records in what appeared to be a particularly aggressive bid to coerce payment.

Given how current and diverse the stolen records are, Levin and other experts suspect Medusa infiltrated multiple live computer systems. The freshness of the files, Levin said, means their content may still be accurate and, for bad actors, actionable. 

Calling the Minneapolis breach a “worst-case scenario,” he said, “The amount of information that was taken and the recency and the scope of it is certainly deeply troubling.”

Minneapolis may be a cautionary tale for districts nationwide who have fallen prey to money-hungry ransomware gangs leveraging “double-extortion” attacks against schools, hospitals and businesses. In such incidents, which present an alarming evolution from previous strategies, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if the money doesn’t materialize, they sell the data or publish it to a leak site.

Ransomware attacks on U.S. schools have become a primary concern for federal law enforcement officials this year. In January, the federal Cybersecurity and Infrastructure Security Agency in attacks with “potentially catastrophic impacts on students, their families, teachers and administrators.” Since the pandemic forced students into remote learning, district cyber attacks have been particularly acute. The number of publicly disclosed cybersecurity incidents affecting schools grew from 400 in 2018 to more than 1,300 in 2021, according to that relies on data from Levin’s group.

Federal law enforcement officials have had several recent victories in tracking down cybercriminals. BreachForums, a popular dark web marketplace where people could buy stolen data, was shuttered after Federal Bureau of Investigation agents in March. The capture of the 20-year-old, who authorities allege operated the forum from his parents’ Peekskill, New York, house, sent shock waves through the cybersecurity community and disrupted the global cybercrime ecosystem. In January, federal authorities took control of a prolific ransomware gang’s leak site and against seven men connected to a Russian-based ransomware group known to target schools.

In Washington, pending introduced last month seeks to better track cyber incidents in schools and would provide $20 million over two years to help affected systems recover. 

Last year, the school district in Los Angeles, the country’s second largest, suffered a massive ransomware attack that exposed a trove of compromising information about educators, students and district contractors. In response to investigative reporting by 社区黑料, the Los Angeles district acknowledged the breach included the sensitive mental health records of at least 2,000 current and former students after publicly denying those records were exposed. Last month, data from the Rochester, Minnesota school district was breached after it that forced leaders to cancel classes. shuttered Des Moines, Iowa, schools in January.

Swift action needed

Taken together, the leaked Minneapolis records offer a startling quantity of compromising information about students and teachers. They also include detailed records about campus security systems that school officials said could place children and educators at a heightened risk of physical danger. 

A single spreadsheet details 699 disciplinary incidents from the 2015-16 school year, listing students’ names and a brief description of incidents. One entry claimed a student was “threatening other students’ mothers,” and another claimed a student put his hands together in the shape of a gun and said “I’m bringing a gun to school tomorrow and shoot.”

Each of the spreadsheet entries contains pinpoint demographic information about individual students, including their race, gender, whether they’re in special education, if they’re homeless or are learning English as a second language.

One group of files includes letters informing disciplined students they could face trespassing charges if they show up on campus, while another includes reports of student maltreatment, including allegations a bus driver hit a student and that a teacher used excessive force.

Such records could be valuable for blackmail — and for the police. In 2020, for example, a Florida county sheriff’s office used sensitive student records to predict which ones were likely to “fall into a life of crime.” In other cases, police agencies have leaked in data breaches to conduct investigations.

A separate group of Minneapolis records, purportedly from 2015 to earlier this year, outline nearly 300 individual district equity and civil rights investigations. 

In one case, district investigators found that over the course of several years, a boy coerced a classmate into sexual encounters in exchange for $5 and, in another case, a high school girl reported getting raped in a campus bathroom. In a detailed 2018 complaint, a high school girl accused a male classmate of raping her in a car after a home football game. Yet a district investigator ultimately dropped the complaint because the girl declined an interview and the official was “unable to ascertain her credibility based only on her written statement,” according to breached files.

In multiple complaints, educators were accused of being racist. Just last year, an English as a second language teacher at a Minneapolis high school was accused of racial harassment when she reportedly used the name of a Somali student and a cartoon of a woman wearing a hijab in a class presentation. The slide defined the idiom “to have a bone to pick” and the teacher reportedly asked the student to read to the class a description of the term with her name attached: “(redacted) never comes to class on time; she leaves class without permission, is affecting her peers, her grades and is disrespectful to her peers.”

In January, a complaint accused a high school coach of making a transphobic joke and openly discussing his genitals. While he was stretching in front of a group of female athletes, the complaint alleges, he warned them that he was wearing “very short shorts” and instructed them to “let me know if my junk falls out.”

In a case from January, the middle school English teacher accused of gazing at students’ bodies and touching them inappropriately was placed on paid administrative leave while district investigators conducted their inquiry. Investigators determined the complaint was substantiated, but the middle school’s website still lists the teacher in its staff directory. A district spokesperson did not respond to questions about whether the teacher faced disciplinary action or his current status.

Given the many ramifications, Levin said the breach demands swift action to ensure the safety of the school community and to prevent something like this from happening again. He said the Minneapolis school board — or even state authorities — need to launch a prompt investigation.

“States do intervene in school systems when they’re being financially irresponsible or even academically irresponsible,” Levin said. “It may be that Minneapolis is not equipped to deal with the fallout from an incident like this.”

Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online /article/days-after-missed-ransomware-deadline-stolen-mn-schools-files-appear-online/ Wed, 22 Mar 2023 21:50:00 +0000 /?post_type=article&p=706402

A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . 社区黑料 is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.”

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.”

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange.

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or creating an action plan if they become the target of harassment.

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.”

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.”

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued.

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol.

District officials didn’t respond to requests for comment from 社区黑料 Wednesday. Attempts by 社区黑料 to reach the gang have been unsuccessful.

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession.

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information — and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I’m hoping I’m not on there. I attend school and work at this district.”

The Telegram user, who identified themselves to 社区黑料 as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.”

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.”

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery /article/minneapolis-hackers-student-data-deadline-published/ Fri, 17 Mar 2023 22:49:27 +0000 /?post_type=article&p=706110

A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.

Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by 社区黑料 to reach the gang have been unsuccessful.

Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform.

Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 




Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.”

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.”

Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

An entry on the Medusa cyber gang’s dark web leak site says it has published stolen Minneapolis Public Schools data after the district declined to pay a $1 million ransom. (Screenshot)

Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes.

“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.”

By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — was uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte.

The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, is more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.”

The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand.

Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative,” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response.

People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the “clearnet” where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution.

“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act.

In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.”

During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services.

Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen points to the threat actors possibly lurking around inside the MPS computer systems for weeks — if not months.

“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”

As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls and to change their passwords, and warning them against downloading any data released by cyber criminals because it plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.”

社区黑料’s Mark Keierleber to Appear on PBS Friday to Talk MN School Data Breach /article/the-74s-mark-keierleber-to-appear-on-pbs-friday-to-talk-mn-school-data-breach/ Thu, 16 Mar 2023 11:15:00 +0000 /?post_type=article&p=705943

社区黑料’s investigative reporter Mark Keierleber, who has broken news about the leak of sensitive student data on the dark web, will be discussing the latest cyber threat to Minneapolis Public Schools on Twin Cities PBS’s Almanac news show Friday.

The will air after a countdown clock on the Medusa cyber gang’s dark web leak site strikes zero at about 4 a.m. ET Friday. The leak site suggests the Minneapolis school district’s window to meet a $1 million ransom demand will then close and a trove of district data, which appears to include a significant volume of sensitive student and educator records, will become available online.

社区黑料’s earlier reporting documented that Medusa’s tactics, which included posting a since-removed video previewing what appeared to be the stolen documents in its possession, were more aggressive and more marketing-savvy than those generally seen in other school district cyber attacks.

A preliminary review of the gang’s dark web leak site by 社区黑料 suggests the compromised files include a sizable volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

The Minneapolis Public Schools, which came under fire for referring to the February breach as an “encryption event,” has not released any additional information since a March 9 statement posted on its web site. In it, school leaders indicate they don’t intend to deal with Medusa to get their now-encrypted data back.

“We have taken a stance against these criminals and are restoring our systems without the need to cooperate with them. As our response continues, we continue to work with and align with the best practices provided by federal law enforcement.”

Medusa is apparently a popular name among threat actors. The group that struck Minneapolis schools, according to , Bleeping Computer,  got its start in June 2021, but upped its profile this year by increasing its ransomware activity and launching its ‘Medusa Blog’ leak site to publish victims鈥 data.

A ransomware gang called Vice Society attempted to extort the Los Angeles Unified School District last year after it broke into the district鈥檚 computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

District officials sought to downplay the attack鈥檚 effects on students. But an investigation by 社区黑料 found thousands of students鈥 comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments 鈥 including those of 60 current students 鈥 had been leaked.

LA Parents Sound Off After Cyberattack Leaves Students Vulnerable /article/la-parents-sound-off-after-cyberattack-leaves-students-vulnerable/ Thu, 06 Oct 2022 19:07:40 +0000 /?post_type=article&p=697787 For Christie Pesicka, the Los Angeles Unified School District cyberattack hits home.

During in 2014, Pesicka was one of thousands of Sony Pictures employees that had their private information exposed in the midst of aggressive attacks by a North Korean hacker group.

Now, as a mom, Pesicka worries about protecting her son Jackson, a 1st grade Playa Vista Elementary School student, so history doesn’t repeat itself.

“When you’re a kid, you won’t ever see a credit report and find out that there’s something on there until you go off to college,” Pesicka said in an interview. “By that time, somebody has had 15 years to rack up a bunch of different credit cards or properties or whatever else on your kid’s account…so that’s very concerning.”




Like Pesicka, LAUSD parents have raised concerns about the district’s response to the cyberattack, ranging from long term data protection to how well a hotline – created to answer parents and staff questions – is working.

The public release of about 500 gigabytes of stolen district data was posted on the dark web Saturday by Vice Society, a Russian-speaking ransomware gang known to target school districts.

After the district and law enforcement analysts reviewed about two-thirds of the data, LAUSD Superintendent Alberto Carvalho assured students, parents and employees that there is no reason for widespread concern.

“The release was actually more limited than what we had originally anticipated,” Carvalho said in a Monday downplaying the damage done.

Carvalho said any exposed student data – including names, academic information and personal addresses – was between 2013 and 2016, insisting most middle and high school students during that period already graduated.

For now, Carvalho confirmed students who did have their data breached will be contacted and offered credit monitoring services.

But many parents were not convinced the superintendent’s response was enough to ease their concerns about the cyberattack.

When Pesicka’s private information was exposed, Sony offered her one year of credit monitoring. But she found out years later she had a stolen identity and social security number.

“I had three people working under my social security number and I had my identity compromised,” Pesicka said in an interview. “Anybody who’s been through identity theft knows how difficult it is and how there’s not really a streamlined process or way to scrub your information.”

Teresa Gaines, the mom of 2nd and 3rd grade students at Grand View Boulevard Elementary School, was troubled by Carvalho’s response because it didn’t provide the urgency she was hoping for.

“Some people don’t realize how serious this can be because what if five or ten years from now our kids go to college and all of a sudden they get denied entrance because of something that is not their fault…or somebody uses that data to cause issues that prevent them from getting into certain programs or denied work,” Gaines said in an interview.

Gaines also said LAUSD should provide more targeted outreach to families through “town halls” and “informational webinars” so parents could ask questions about the cyberattack.

She is particularly concerned by the release of psychological assessments, which Carvalho insisted did not happen during his press conference. However, the Los Angeles Times did find .

For Jenna Schwartz, the mom of a 7th grade student in North Hollywood, Carvalho’s response left her cautiously optimistic.

“If I find out I was impacted…but it was just my child’s school photograph from 2013 and his attendance record, I don’t care as much,” Schwartz said in an interview. “If it was my social security number and bank information, those are two very different scenarios.”

Carvalho pointed parents to the district’s hotline, available Monday through Friday and this weekend for additional questions or support on the cyberattack.

But parents reported long wait times, and limited hours and information when the hotline began earlier this week.  

“Unless you ask a question that fits into their script, they don’t really have a response,” Pesicka said in an interview. “And even if you do, you’re getting a very robotic response.”

In addition, Schwartz noted that she’s “not sure what good the hotline is at this point other than sort of just to make people feel better.”

After a request for comment, a spokesperson from LAUSD referred back to Carvalho’s statement on the cyberattack:

The hotline hours have been updated to weekdays from 8 a.m. to 8 p.m. and this weekend from 6 a.m. to 3:30 p.m.

LA District Downplays Student Harm After Cyber Gang Posts Sensitive Data Online /article/lausd-data-breach-los-angeles-hack-student-data/ Mon, 03 Oct 2022 21:57:31 +0000 /?post_type=article&p=697514 Updated, Oct. 4

The Vice Society ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site,” after education leaders refused to pay – and at first even acknowledge – a ransom.

Yet in a press conference Monday, Superintendent Alberto Carvalho sought to downplay the damage done, particularly as it relates to records about children. An said that student psychiatric evaluation records had been published online, citing a confidential law enforcement source. That reporting, Carvalho said, is “absolutely incorrect.”

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system. The “vast majority” of exposed student data, including names, academic information and personal addresses, was from a period between 2013 and 2016. “That is the extent of the student information data that we have seen.”

Roughly 500 gigabytes of district data was made public on Sunday by the Russian-speaking ransomware gang, which took credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear, yet after reviewing about two-thirds of the data, Carvalho said that “so far, based on what we’ve seen, critical health information or Social Security numbers for students,” is not included.

Carvalho confirmed on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. On Monday, he said that information from private-sector contractors, particularly those in construction, appeared most impacted. Breached records include contracts, financial information and personally identifiable data, Carvalho said.

Cybersecurity experts have warned that the release of district data could come with significant risks for current and former students. Children’s Social Security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.

James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited.

Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision to withhold payment.

“There’s no upside to ever paying a ransom,” said Turgal, “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site.

Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second-largest school district, had initially .

“What I can tell you is that the demand – any demand – would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”

In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”

The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.

In an email to 社区黑料, Vice Society said they published the district data because “they didn’t pay,” and acknowledged the “ransom demand was big” without providing a specific figure. Asked what makes school districts attractive victims for such attacks, the group offered a brief explanation: “Maybe news? Don’t know … We just attack it =).”

Over the weekend, they that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”

Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” in an email that federal authorities were “wrong” to advise the district against paying.

“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”

社区黑料 has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.

“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said.

For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like Social Security numbers to sell on a dark web marketplace, often for identity theft.

Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find themselves on the hook for as much as $100 million in medium-term recovery costs, Levin noted, to improve their cybersecurity infrastructure and work to prevent another attack in the future.

He said it’s important that affected educators, parents and students . The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit.

“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.”

74 Interview: Cybersecurity Expert Levin on the Harms of Student Data Hacks /article/74-interview-cybersecurity-expert-levin-on-the-harms-of-student-data-hacks/ Tue, 31 May 2022 14:01:00 +0000 /?post_type=article&p=589996 Everyone knows rules one and two of Fight Club: You do not talk about Fight Club. 

Now it appears that district technology leaders have applied that logic to computer hacks. That’s according to Doug Levin, the national director of The , who has spent years chronicling computer hacks on school districts and education technology vendors. Data breaches are a significant and growing threat to schools, he said, yet many district IT officials are hesitant to discuss them.




“Quietly they might confess that this is an issue they lose a lot of sleep over, but they never talk about it publicly, often for fear of looking bad,” said Levin, whose nonprofit group provides threat intelligence to school districts to protect them from emerging cybersecurity risks.

Now, an increasing number of school districts have been forced to notify students and parents that they’ve been duped. In March, New York City Public Schools, the country’s largest district, disclosed that the had been exposed online. The data breach, the largest such incident against a single school district in U.S. history, has since reached far beyond the five boroughs. Other school districts – California, Colorado, Connecticut, Oklahoma and New York – have since acknowledged being victims.

At the center of the debacle is that helps more than 5,200 school districts track student attendance and grades, among other metrics. Students’ personal information, some of it sensitive, was exposed when hackers breached Illuminate’s servers in January. students’ names, birth dates, class schedules, behavioral records and whether they qualify for special education or free or reduced-price lunches.


Yet months later, many key details – including the number of districts affected – remain unknown. The company did not respond to requests for comment from 社区黑料.

In New York, state education officials into Illuminate, which city officials accused of misrepresenting its security safeguards. 

To gain a better understanding of the hack, 社区黑料 caught up with Levin to discuss how the high-profile data breach occurred, why many critical pieces of information remain elusive and strategies that parents and students can use to protect themselves online. 

The interview, which has been edited for length and clarity, was conducted prior to the latest development on the school cybersecurity beat: Friday that the personal information of more than half a million students and staff was compromised in a ransomware attack on education technology vendor Battelle for Kids. The data breach was carried out on December 1 and Battelle notified Chicago officials about the attack about a month ago, on April 26. 

社区黑料: The Illuminate Education data breach is the largest known hack of K-12 student records in history? 

Doug Levin: The Illuminate Education security incident – we actually don’t know much about what happened – was the single-largest data breach incident affecting a single school district. We still have to see what the numbers bear out for Illuminate Education, and it could still grow significantly in size.

But a couple of years ago of their AIMSweb product. They never disclosed the total number of districts that were affected, but they said that 13,000 of their customers were affected. In fact, the Securities and Exchange Commission about the scope of the incident. A number of years ago, the education company Edmodo also endured a massive breach. 

So there are some large incidents that have happened but the more we learn about the Illuminate Education breach, the worse it does appear to be.

What sets this hack apart from previous incidents? 

Some education vendors don’t know a whole lot about the students they’re serving. They may have a student ID, they may know their grades or academic performance in one subject, but not a lot else about that student or their context. The Illuminate Education breach did involve a pretty large swath of sensitive information about students that could be used by criminals to commit identity theft and credit fraud against students. 

So that sets it apart. 

Unfortunately, it’s the latest and the most high-profile student data breach that is occurring not directly by school districts but by their vendors and partners. A lot of times the security conversation has been focused on the practices of schools themselves and attacks that have targeted schools. There have been a number of high-profile ransomware attacks that have brought school districts to a halt, , and . Those are very eye-opening incidents and they draw a lot of attention, but they are localized in their impact. They are very significant for those communities, but they only affect those communities.

When a vendor experiences an incident, the impact and the scope of that breach can be massive. If you think about the vendors and suppliers that school districts work with, whether they’re for-profit, nonprofit, or even the state education agencies themselves, if they experience an incident, the scope and magnitude of that incident is likely to be significantly larger. 

There’s sort of this idiosyncratic issue in K-12 education where we have been laser focused on issues of student data privacy and a majority of states have now passed new student data privacy regulations in the last five to 10 years largely because the federal law, the Family Educational Rights and Privacy Act, has not been updated since 1974.

But if we only look at this issue through the lens of student data privacy, it is like we have horse blinders on, we are not seeing the full picture. And while ensuring student data privacy is critically important, these are not security laws and they do not adequately address the various ways that unauthorized users can gain access to student data. 

In fact, vendors and partners are the most frequent cause of school district data breaches. 

This is an era where we need to broaden our lens from student data privacy exclusively to also include security. School districts themselves need to do more due diligence with respect to vendors’ security practices and in making sure they have contractual requirements in place that require the prompt notification and remediation of issues.

With Illuminate Education, it has taken several months for individuals who were affected to find that out. The gap between when the company first learned about the incident and when parents are informed of the incident so they can take steps to protect their children is really too long. We really need to work on tightening that timeframe to protect students from the risks that we are introducing to them. 

A map created by Doug Levin highlights every publicly disclosed cybersecurity incident at a K-12 school system since 2016. (Courtesy Doug Levin)

We don’t know a lot about the scope of the Illuminate Education data breach. How would you describe the company’s overall response? Why does so much remain unclear?

Frankly, it comes down to the state of policy and regulations. In the vast majority of cases, when an incident is experienced by an organization, whether it be by a school district or a partner, one of the first things they will do is look to see what they’re obligated to report under the law.

So setting aside the ethical or moral desire and need to help individuals take steps to protect themselves when you have been at fault in causing an incident, many will look to what they are strictly required to do. And the fact of the matter is that there are many, many loopholes in existing notification laws. 

Organizations do not want to share bad news with their customers and stakeholders, and so there are reasons that people don’t like to disclose these things. But there’s also a compelling number of reasons why stakeholders deserve and need to know.

If hacks are not publicly disclosed, policymakers won’t understand the scope of the issue and they can’t take steps to provide more resources to protect against these sorts of threats. That’s exactly the sort of issue we’ve had in K-12. For years, no one talked about the incidents that schools were experiencing, so people thought that schools really weren’t experiencing incidents. That was simply not the case.

Secondly, threat actors that attack schools and their vendors repeat their tactics in predictable ways. If they’re successful at attacking one school district, they will use those exact same tools and techniques against other school districts. So it’s important that organizations share with them a heads-up so that they can take the steps to protect themselves from being compromised in the same ways.

With hacks, there is the potential for people to experience real harms. They can have their identity stolen, tax fraud, credit fraud, they could be embarrassed. They could have things disclosed about them – whether it’s their health status, their legal status, their immigration status – that were never supposed to be public and that may lead to very serious repercussions.

There really is a moral obligation for people to disclose these incidents. 

You’ve observed a recent uptick in ransomware attacks. How do districts generally respond to these incidents?

How school districts respond really depends on how proactive they have been in defending against cybersecurity risks. In the best cases, school districts have segmented their networks and made it difficult for that ransomware to spread throughout the district. In those cases, school districts are often able to restore their systems from backups, avoid paying extortion demands, investigate how the ransomware got into their system and plug those holes. 

In recent years, ransomware actors have also exfiltrated large amounts of student and staff data before they encrypt and lock those school district computers and demand a ransom. And I should note those ransom demands have been increasing dramatically for K-12 schools. In 2015 or 2016, you might have seen a ransomware demand of $5,000 to $10,000, payable in a cryptocurrency, of course. Today, it wouldn’t be surprising to see a ransomware demand of a million dollars or more being made to a school district.

When school districts are in that place, they’re really between a rock and a hard place at that point. If ransomware spreads across their system, those are the sorts of incidents that close schools for days and kids are sent home. 

In those cases, they rely on experts to come in and assess how to rebuild their systems, how to evict ransomware actors from their networks, how to handle the fact that ransomware actors have exfiltrated data already, and to reduce instances where schools have to pay those extortion demands.

Law enforcement will never encourage a victim to pay that extortion demand. Every time a school district does so, they are really just encouraging future threat actors to target school districts with the same sort of techniques. 

Even school districts that don’t pay extortion demands face remediation and recovery costs. In Baltimore County, the recovery and remediation costs have been estimated in the millions of dollars, so you’re paying for the cost of ransomware incidents whether you pay that extortion demand or not.

School districts are not exactly flush with cash. Why are schools a good target for hackers? Why are they particularly vulnerable?

I have often heard schools be very surprised when they’re attacked. They’re morally outraged because they’re an institution that is just trying to help kids and they’re being targeted by these criminals.

But you made the statement that schools don’t have a lot of money and I actually want to push back on that. School districts actually manage quite a bit of money every year. They maintain facilities, transportation and food services. They may be the largest employer in many communities. 

It is correct, of course, that school districts don’t have enough money to do all the things they would like to do and need to do for kids. I’m not arguing that they are sufficiently funded. But it is not unusual for a school district of medium or large size to have an annual budget in the hundreds of millions, and some of the largest districts in the country have annual budgets in the billions. That’s plenty of money to attract the attention of threat actors.

Other than money, school districts and other government agencies have been disproportionately attacked largely because they tend to run IT systems that are older and they also tend to be under-resourced with respect to cybersecurity. They just don’t have the money and the capacity to hire experts in the way that we would hope and certainly not in the way that some private sector organizations do.

And given that public sector organizations like school districts provide essential services and people get very upset if they’re disrupted, they may be susceptible to extortion tactics like ransomware. They also hold a lot of valuable information about those stakeholders that can be repurposed for criminal purposes. It really is a perfect storm here of school districts being, unfortunately, low-hanging fruit for criminals at a time where, as a policy issue, cybersecurity really has not been a priority.

I think this is changing. There are conversations underway in both state legislatures and in Congress looking to provide more resources to school districts for cybersecurity. But this is a marathon not a sprint and, you know, that help has not yet arrived. 

What needs to happen legislatively in regards to school district hacks? 

There is a need for mandatory reporting. It is very difficult for anyone to get a handle on this issue and how to help schools protect themselves if we don’t know the scope of the issues that schools are facing. 

We certainly can’t bring those parties who are responsible to bear unless we get details about those sorts of incidents. 

Secondly, there is no floor, there is no minimum cybersecurity risk management practice in a school district. Parents, employees and taxpayers have reasonable assumptions about how school districts protect themselves from ransomware, data breaches and targeted phishing attacks. Yet I think they may be surprised that their expectations are not being met. Setting a minimum cybersecurity expectation on school districts is a common sense step that we can take, and those protections should also be extended to vendors. 

You built a map to track every K-12 data breach since 2016. What key trends and takeaways have you observed? 

The majority of those incidents involve student data but a significant minority involve school employee data, including teachers.

A variety of actors are responsible for these incidents. About a quarter are carried out by online criminals targeting school districts, but many are actually the result of the actions of insiders to the schools themselves. Like any large organization, employees make mistakes. School districts may email sensitive data to the wrong people, and very occasionally, school districts have disgruntled employees who do things on their way out the door. 

The last group of insiders are the students themselves. An IT leader joked with me once that every school district serving middle and high school students is getting free penetration testing whether they like it or not. The fact of the matter is that a proportion of students are very tech savvy and they do get bored. Kids being kids, they turn their attention to school districts themselves and, in fact, there have been some very large and significant data breaches because students themselves have compromised school district IT systems. 

What do students typically do when they compromise school technology? 

It depends on the incident. In some cases, they’re seeking to change their grades or their attendance records in a very similar vein to the . Some kids have even been enterprising and charged their fellow students for the privilege of changing their grades. 

But in other cases, they’re simply curious or are interested in making some kind of a statement and are interested in defacing a school website, a school social media account, blasting out emails that they think are funny. 

We don’t have any evidence that kids are monetizing their attacks on school districts on the dark web in the way that online criminals do. But having said that, there are a number of cases where students have crossed the line and have gotten entangled with law enforcement because the attacks they’ve carried out against school districts have been so disruptive. 

What do we know about the online criminals who target school districts? Who are they, in what cases have they been caught and in what cases have they faced any repercussions? 

Cybersecurity attacks have a unique characteristic to them because they can be carried out by individuals anywhere in the world at any time. By and large, the online criminals that are targeting school districts are based overseas and they are based in countries that make it difficult for U.S. law enforcement to reach. As a result, many of these actors are not brought to justice. 

A minority of these incidents occur from within the country and in those cases the ability of law enforcement, the FBI in particular, in bringing judgments against those folks is actually pretty good. There was a Texas school district a couple of years ago that was scammed out of several million dollars by a sophisticated phishing attack. It turned out that it was carried out by an individual in Florida who was caught and prosecuted. That person bought Rolexes and sports cars with the money that he stole from that district. But I suspect he is sitting in a jail right now or certainly awaiting the sentencing for that crime.

What lessons does the Illuminate Education breach hold for school districts and education technology vendors?

The story is still being told here, but this is going to be a very cautionary tale both for school districts and for vendors. This is going to evolve depending on the outcome of the investigations in New York. The state of New York has a fairly strict student data privacy regulation and it appears that Illuminate Education was in violation of the rules despite assurances that they were in compliance. So the state of New York has an opportunity to set an example here. Many ed tech companies will be watching very closely. 

We’re watching very closely as well. What may happen to renewals from school districts that use products from Illuminate Education? How many customers might they lose? 

It would be wise for vendors and suppliers to understand that it is only a matter of time before new regulations require more cybersecurity protections on the data that they hold about school children and school employees. 

From a school district perspective, it just underscores the importance of due diligence when they are selecting vendors and the need to consider the security practices of their vendors. This is not a one-time evaluation. Threats and vulnerabilities evolve so we need a continuous evaluation process. 

What lessons does this hack hold for parents and students, and what should they do to protect their information online?  

It should highlight for parents and students that there are risks in sharing information with schools and their partners. That risk can be managed, but I think it is beholden on parents to ask good questions of their school district about their cybersecurity risk management practices. These don’t have to be very technical questions, but I do think they deserve assurances from the school board and the superintendent that this is an issue that they’re taking seriously and a school district should be able to explain the steps that they’re taking and how they are continuously managing these risks. 

If you’re worried about being a potential victim – and I think it is always worth worrying about being a potential victim – there’s a couple of steps that I would encourage both parents and students to take. I would advise parents to freeze their children’s credit record. This is available for free at all of the major credit reporting agencies and it will prohibit an online criminal from stealing the identity of their children and opening credit accounts in their names.

I would also underscore that good password management practices are always useful. I’m talking about not reusing the same username and password that you use for your school accounts for any of your personal accounts. To the greatest extent possible, you want to separate your school life from your private life and the best way to do that is to use a password manager. There are many free password manager applications that are available as well as a number of good paid options.
