ransomware – 社区黑料, America's Education News Source

PowerSchool Paid Off Hackers After Huge Breach — Now They’re Extorting Districts
/article/powerschool-paid-off-hackers-after-huge-breach-now-theyre-extorting-districts/
Thu, 08 May 2025 17:13:49 +0000

Cybercriminals demanded ransom payments from school districts nationwide this week, using millions of K-12 students’ sensitive data as leverage after the files were stolen from education technology giant PowerSchool in a massive cyberattack late last year.

The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed tech behemoth’s decision in December to pay the hackers to keep the sensitive records from being shared publicly. In exchange for the payment, the company said, the hackers provided a video of themselves deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.




It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain.

Maurice Green

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack.

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.”

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said.

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records, which include Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments — it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including at both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, officials said Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly.

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.”

Though officials confirmed that just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system.

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices.

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “We are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden
/article/kept-in-the-dark/
Tue, 04 Feb 2025 09:01:00 +0000

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — singled out by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. “Breach coach” is the term for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have said that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. A separate analysis reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, has written a report criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, ‘We’re not paying,’” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean.”

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students —

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

At a public meeting, angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet.

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater notified people that their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, who is also suing the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who鈥檚 in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families, but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote.

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed success in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have advised that schools should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In a survey by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its premium rose 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin. But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now required to report cyberattacks to the state, but that information will be anonymized and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that its own officials were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted federal authorities to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 社区黑料. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Of the incidents the cybersecurity practice handled across all industries, 17% involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

When asked why districts鈥 initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it’s your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Without the help of a breach coach, targets in general often fail to notify victims and, in some cases, provide more information than they should, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his report, Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation鈥檚 most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are 鈥渦nfunded mandates鈥 and 鈥渢here鈥檚 been no enforcement that we know of,鈥 according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It鈥檚 a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls 鈥渢he multiverse of madness.鈥 

鈥淚t's like you're living in different privacy realities based on the state that you live in,鈥 Hendricks said. He said federal cybersecurity rules could provide a 鈥渓evel playing field鈥 for data breach victims who have fewer protections 鈥渂ecause they live in a certain state.鈥 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn鈥檛 require disclosure when outside forces cause those records to be exposed. Schools that have 鈥渁 policy or practice鈥 of routinely releasing students鈥 records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974. 

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they鈥檝e grown so common that some see them as little more than junk mail.  

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district鈥檚 September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are 鈥渕ostly worthless.鈥 

It may be enforcement against districts鈥 misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to 鈥渃ommunicate very carefully and very deliberately and very accurately鈥 the known facts of cyberattacks and data breaches. 

鈥淐ommunities smell blood in the water,鈥 she said, 鈥渂ecause we鈥檝e got these mixed messages.鈥

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.

]]>

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 社区黑料 shows.

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations,” which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 社区黑料. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

社区黑料’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

社区黑料 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 社区黑料 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 社区黑料 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 社区黑料’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by 社区黑料, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students —

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 社区黑料 through a public records request. School districts routinely denied 社区黑料’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 社区黑料 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 社区黑料.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 社区黑料. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote.

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 社区黑料 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 社区黑料 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 社区黑料. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 社区黑料 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 社区黑料 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin. But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 社区黑料. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 社区黑料 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 社区黑料 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 社区黑料 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments.

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 社区黑料. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 社区黑料. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, the notices have grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 社区黑料 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice. Illustrations by  for 社区黑料.

This story was supported by a grant from the Fund for Investigative Journalism.

Providence Students’ Data Exposed in Cyberattack — District Denies Leak /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/ Fri, 18 Oct 2024 10:30:00 +0000

Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month.

A ransomware gang uploaded those and other sensitive student records to an instant messaging service after Providence Public Schools did not pay its $1 million extortion demand, an investigation by 社区黑料 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist.

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records, and district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had not uncovered “that any personal information for students has been impacted.”

An analysis by 社区黑料 of the stolen files — posted by the threat actors to the messaging platform Telegram — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.”

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (Screenshot).

In a statement to 社区黑料 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

Wégimont’s statement doesn’t acknowledge that students’ records had been compromised.

The district’s failure to acknowledge that the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told 社区黑料.

“People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.”

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Javier Montañez

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but only if the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials.

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday.

“No one had actually gone in to see the files,” he told 社区黑料, although the district had said it was conducting an ongoing analysis.

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (screenshot)

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said.

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents鈥 names. Another includes information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

A Providence Public School District student’s vaccine record. 社区黑料 cropped the photo above to remove the student’s name. (Screenshot)

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles

The Medusa attack and Providence’s response are similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by 社区黑料 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown.

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw.

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records.

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

L.A. Schools Investigates Data Breach as FCC Approves $200M Cybersecurity Pilot /article/l-a-schools-investigates-data-breach-as-fcc-approves-200m-cybersecurity-pilot/ Fri, 07 Jun 2024 20:39:26 +0000

On the same day that millions of sensitive records purportedly stolen from the Los Angeles school district were posted for sale on the dark web, the Federal Communications Commission approved a $200 million pilot program to help K-12 schools and libraries nationwide fight an onslaught of cyberattacks.

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years.

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.


“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

The Satanic Cloud, which posted the most recent batch of LAUSD data, told 社区黑料 it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told 社区黑料 in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, 社区黑料 found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had.

Just last month, a joint investigation by 社区黑料 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breach notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district.

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L.A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. The data disclose which students receive special education services, their addresses and their home telephone numbers. A list of file names suggests the records include similar information about teachers.

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told 社区黑料 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information.


Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told 社区黑料, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack.

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.”

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.”

Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households.

In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support.

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told 社区黑料 that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.”

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge /article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/ Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by 社区黑料, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.”

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,’ withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.

The situation could have grown far more dire without Fowler鈥檚 audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with 社区黑料. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.”

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.”

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.

Raptor and the other companies have pledged not to sell students’ personally identifiable information or use it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of students’ personal information against unauthorized or unintended disclosure. Cyber safeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.


Its , however, offers a more limited assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”

Districts nationwide have spent tens of millions of dollars on Raptor鈥檚 software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told 社区黑料 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.”

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.”

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 社区黑料 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I'm like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,’” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.’”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.

The forum’s decision to remove Illuminate followed an article in 社区黑料, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

The pledge, created in 2014 by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, placed restrictions on the ways ed tech companies could use the data they collect about K-12 students.

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 社区黑料 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector鈥檚 equivalent of an Oscar. 

Raptor isn鈥檛 the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children鈥檚 school buses. A statement the forum provided 社区黑料 didn鈥檛 mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum鈥檚 actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to 鈥渧irtue signaling鈥 that can be quickly brushed aside. 

鈥淧ledges are just that, they鈥檙e like, 鈥楬ey, that sounds good, we鈥檒l agree to it until it no longer fits our business model,鈥 he said. 鈥淎 pledge is just like, 鈥渨hoops, our bad,鈥 a little bit of bad press and you just sweep it under the rug and move on.鈥 

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor鈥檚 early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has 鈥渁 great deal of admiration鈥 for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

鈥淪ometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, 鈥楲ook, we are committed to doing better,鈥 when in fact, they鈥檙e using the pledge to avoid being told to do better,鈥 he said. 鈥淭hat鈥檚 what we need, not people saying, 鈥極n scout鈥檚 honor I鈥檒l do X.鈥欌  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.

Louisiana District Failed to Notify Thousands of Leaked Info After Cyberattack
/article/thousands-of-louisiana-teachers-and-students-had-their-information-leaked-after-cyberattack-but-were-never-notified/ Mon, 04 Dec 2023 11:01:00 +0000

This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it, even after her Facebook got hacked.

Now, she’s left to wonder whether the two are connected.

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by 社区黑料 and The Acadiana Advocate revealed. The reporting included a data analysis by 社区黑料 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 


The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels, enough to prompt the Biden White House to convene an August summit on how to tackle the threat, and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

The front entrance of the St. Landry Parish School Board鈥檚 central office. (Photo via The Acadiana Advocate)

Among the district鈥檚 breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators that such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

and other entities notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered.

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark.

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims.

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays.

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

Spreadsheets that listed St. Landry Parish students with their personal information were uploaded to Telegram following the cyberattack. (Screenshot)

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry鈥檚 computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

Superintendent Milton Batiste III (Brad Kemp/The Acadiana Advocate)

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog, a front of sorts, and became available for download on Telegram, a messaging platform that’s been used by terror groups and extremists.

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer network, often through phishing emails, copy sensitive records out of it and then encrypt the originals. Criminals demand a ransom both to restore access to the encrypted systems and to keep the stolen copies private. When victims fail or refuse to pay, the files are published online for anyone to exploit.

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked, especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach.

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.”

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said that after the board notified state police about the attack, it was never told the nature of the data that was stolen or whether any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. State police did not give a timeline for when the investigation would be completed.

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop.

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents鈥 phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

Records leaked following the St. Landry Parish School Board hack include sensitive information for thousands of current and former teachers, along with information about their children. (Screenshot)

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That鈥檚 because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes.

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

An income tax return is among the thousands of sensitive files uploaded to the internet after a cyberattack hit the St. Landry Parish School Board. (Screenshot)

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach, a reality she called “alarming.”

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years.

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.”

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link.

“It’s a question of them throwing their fishing hook in the barrel, and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.”

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen.

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said.

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

Birth certificates and other personal files were uploaded to the internet in the wake of a cyberattack on the St. Landry Parish School Board. (Screenshot)

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn鈥檛 authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St. Landry should take immediate steps to protect breach victims, including a notification to the state cybersecurity commission, said Donnelly, its executive director.

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves.

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone
/article/why-a-new-type-of-cyberattack-on-las-vegas-schools-should-worry-everyone/ Wed, 08 Nov 2023 11:15:00 +0000

It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met.

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep.

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”


Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district, where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told 社区黑料. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, are already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to have exploited weak passwords, in this case students’ dates of birth, and loose Google Workspace file-sharing practices. Those relatively low-tech incursions allowed them to reach reams of sensitive files, including students’ special education records.

Schools nationwide rely heavily on Google Workspace to create and share records, and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them.

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Security Information eXchange, who suggested the attack is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by 社区黑料, a Clark County spokesperson declined to comment further and shared a copy of the district鈥檚 previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with 社区黑料, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores.

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.”

Beyond outreach to parents, the hacker, which could be one or multiple people, on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own, saying district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.”

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a , copy compromising records out of it and lock the originals with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped the encryption step entirely and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage.

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform.
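As an added illustration, not code from the article, the district or any vendor, the check below shows how a password-reset or password-change handler can refuse a credential that is built from the student’s own directory data, the weakness described above. A birth date reused as a password is guessable by anyone who has seen it on social media, and the handler should reject it in every common spelling (zero-padded or not, two- or four-digit year, any separator, any field order). The record fields and the sample student are assumptions made for this example.

```python
"""Reject passwords derived from a student's own directory data.

Added example, not code from the article, from Clark County School District
or from any vendor. It assumes a directory record exposing a student's ID
and date of birth; the field names and the sample student are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StudentRecord:
    student_id: str      # assumed field: the ID that doubled as a username
    date_of_birth: date  # assumed field: the value used as a reset password


# Constructed sample record for the example; not a real student.
SAMPLE_STUDENT = StudentRecord(student_id="1234567", date_of_birth=date(2009, 3, 14))


def _dob_variants(dob: date) -> set[str]:
    """Every common way a birth date gets typed as a password,
    with separators already stripped (see _normalize)."""
    y, m, d = dob.year, dob.month, dob.day
    forms = [
        (f"{m:02d}", f"{d:02d}", str(y)),             # 03 14 2009
        (str(m), str(d), str(y)),                     # 3 14 2009
        (f"{m:02d}", f"{d:02d}", f"{y % 100:02d}"),   # 03 14 09
        (str(m), str(d), f"{y % 100:02d}"),           # 3 14 09
    ]
    variants: set[str] = set()
    for mm, dd, yy in forms:
        variants.add(mm + dd + yy)   # US order: month, day, year
        variants.add(dd + mm + yy)   # day-first order
        variants.add(yy + mm + dd)   # ISO-style order
    return variants


def _normalize(s: str) -> str:
    """Drop separators and case so '03/14/2009!' compares as '03142009'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def is_profile_derived(password: str, rec: StudentRecord) -> bool:
    """True when the password is, or contains, the student's DOB or ID."""
    norm = _normalize(password)
    if not norm:
        return True
    sid = _normalize(rec.student_id)
    if len(sid) >= 4 and sid in norm:
        return True
    return any(v in norm for v in _dob_variants(rec.date_of_birth))


def check_new_password(password: str, rec: StudentRecord) -> tuple[bool, str]:
    """Policy decision a reset handler can act on: (accepted, reason)."""
    if len(password) < 12:
        return False, "too short"
    if is_profile_derived(password, rec):
        return False, "derived from date of birth or student ID"
    return True, "ok"
```

The substring test, rather than an equality test, is deliberate: “03142009!” and “Pw1234567” would pass a naive blocklist yet are just as guessable once the birth date or ID is known. The same check belongs in the bulk reset job that sets the initial password each year, where the fix is to generate a random one-time value instead.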

Once the hacker used that information to compromise the student鈥檚 account, they claim to have exploited poor data-sharing practices in the district鈥檚 Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.”
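The path the hacker describes, a group any account in the domain can join that has been granted access to a drive holding staff files, is something an administrator can audit before an attacker does. The script below is an added example, not the district’s, Google’s or the hacker’s code. Its input is constructed inline to resemble two real API responses, the Groups Settings field `whoCanJoin` and the Drive `permissions.list` fields `type`, `role` and `emailAddress`, but nothing here calls Google; pulling the live records with the Admin SDK and Drive API is assumed to happen elsewhere.

```python
"""Flag Drive items reachable by a self-joined student account.

Added example, not code from the article, the district or Google. The
records below are constructed to mirror the shape of Google's Groups
Settings (whoCanJoin) and Drive permissions.list responses; the domain,
group names and items are invented for the example.
"""
from dataclasses import dataclass

# whoCanJoin values under which a student can add themselves to a group
# without an owner or admin approving (Groups Settings API vocabulary).
SELF_JOINABLE = {"ALL_IN_DOMAIN_CAN_JOIN", "ANYONE_CAN_JOIN"}

# Constructed sample: settings per group, as the Groups Settings API returns them.
GROUPS = {
    "staff-all@district.example": {"whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN"},
    "sped-team@district.example": {"whoCanJoin": "INVITED_CAN_JOIN"},
    "ptsa-news@district.example": {"whoCanJoin": "ANYONE_CAN_JOIN"},
}

# Constructed sample: permissions on drives and folders, keyed by item name.
PERMISSIONS = {
    "Shared drive: Staff IEP archive": [
        {"type": "user", "role": "organizer", "emailAddress": "teacher@district.example"},
        {"type": "group", "role": "writer", "emailAddress": "staff-all@district.example"},
    ],
    "Folder: Special Ed case notes": [
        {"type": "group", "role": "reader", "emailAddress": "sped-team@district.example"},
    ],
    "Folder: Bell schedules": [
        {"type": "domain", "role": "reader", "domain": "district.example"},
    ],
}


@dataclass(frozen=True)
class Finding:
    item: str    # the drive or folder
    reason: str  # why a student account can reach it
    role: str    # what that account could then do (reader, writer, ...)


def audit(groups: dict, permissions: dict) -> list[Finding]:
    """Return every item a student could reach via a self-joinable group,
    a domain-wide share, or an anyone-with-the-link share."""
    findings: list[Finding] = []
    for item, perms in permissions.items():
        for p in perms:
            kind = p["type"]
            if kind == "anyone":
                findings.append(Finding(item, "link-shared to anyone", p["role"]))
            elif kind == "domain":
                findings.append(Finding(item, f"shared with whole domain {p.get('domain')}", p["role"]))
            elif kind == "group":
                addr = p["emailAddress"]
                who = groups.get(addr, {}).get("whoCanJoin", "UNKNOWN")
                if who in SELF_JOINABLE:
                    findings.append(Finding(item, f"group {addr} is self-joinable ({who})", p["role"]))
    return findings


def exposed_items(groups: dict, permissions: dict) -> list[str]:
    """Sorted, de-duplicated item names from audit(), for a quick report."""
    return sorted({f.item for f in audit(groups, permissions)})


if __name__ == "__main__":
    for f in audit(GROUPS, PERMISSIONS):
        print(f"{f.item}: {f.reason} [{f.role}]")
```

Run against the sample, the IEP archive is flagged because `staff-all@` can be joined by any domain account and the grant is `writer`, so a self-joined student could edit as well as read; the special-education folder is not flagged because its group requires an invitation. A domain-wide reader grant on bell schedules is reported too, since the audit cannot know what is harmless without a human looking at it. The fix for the flagged case is on the group side (set `whoCanJoin` to invited or request-only) or on the drive side (grant the specific staff OU, not the open group), which is what the hacker’s advice about separating student and staff populations amounts to.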

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public.

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County: they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.”

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.”

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing.

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received 鈥渁larming email messages from an external cybersecurity threat actor.鈥 The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told 社区黑料. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

Brandi Hecht

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told 社区黑料.

Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

It’s Back to School for Cyber Gangs, Too /article/its-back-to-school-for-cyber-gangs-too/ Thu, 14 Sep 2023 11:15:00 +0000 /?post_type=article&p=714614 As a new academic year begins, a school district in an affluent Washington, D.C., suburb is rolling out stringent security measures, including metal detectors and a clear backpack mandate, to keep danger from entering its buildings. 

Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 

“Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggests they date back two decades. 

Data purportedly stolen from the school district in Prince George’s County, Maryland, was uploaded to the Rhysida ransomware gang’s dark web leak site Tuesday after the school system fell victim to a cyberattack. (Screenshot)

The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by 社区黑料 of the cyber groups’ dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

“Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by 社区黑料. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.” 

Educators with the Lower Yukon School District received this ransom note after NoEscape threat actors carried out a ransomware attack on the school system this summer. (Screenshot)

Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told 社区黑料 the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

“It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.” 

This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

With “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it鈥檚 also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students鈥 hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

“With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

“Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

The Rhysida ransomware gang’s extortion efforts against the school district in Prince George’s County, Maryland, were “temporarily suspended” for several days, suggesting that negotiations were ongoing. (Screenshot)

‘Exclusive, unique and impressive’

Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.” 

The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.” 

“We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told 社区黑料, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

“There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.” 

The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

“This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.” 

Ransomware’s long tail

Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to 社区黑料. 

It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

“We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.” 

The school district in Edmonds, Washington, was recently listed on a cyber crime gang’s leak site, but the school system denies it was the victim of a recent ransomware scheme. (Screenshot)

Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses. 

Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

“Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

The documents were Minneapolis Public Schools’ first public comments on the attack since April 11.

Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

“Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

“A lot of times schools are reactive rather than proactive,” she said. If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”

White House Takes On Urgent K-12 Cybersecurity Threat at First-Ever Summit /article/white-house-takes-on-urgent-k-12-cybersecurity-threat-at-first-ever-summit/ Tue, 08 Aug 2023 22:45:00 +0000 /?post_type=article&p=712922 Shortly before First Lady Jill Biden took the podium at the White House Tuesday to champion a new federal initiative to combat K-12 school ransomware attacks, the cyber gang Medusa announced its latest victim on the dark web.

Such unrelenting attacks — this time against a Bergen County, New Jersey, district — are what brought the first lady as well as some 200 federal cybersecurity officials, school district leaders and tech company executives together for a first-ever White House summit on strengthening school district defenses.

“It’s going to take all of us,” Biden said. 

The breaches have ground school technology systems nationwide “to a halt,” the first lady said at the East Room gathering, forcing some districts to cancel classes as reams of sensitive student, parent and educator data were stolen and leaked online. In March, a Medusa attack on Minneapolis Public Schools exposed records about child abuse inquiries, student mental health crises and campus physical security details. 

“If we want to safeguard our children’s futures, we must protect their personal data,” she said. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Among the new strategies announced Tuesday is the creation of a Government Coordinating Council that will provide “formal, ongoing collaboration” between all levels of government and school districts to prepare for and respond to data breaches. Officials with the Cybersecurity and Infrastructure Security Agency said the agency would provide individualized assessments and cybersecurity training to 300 K-12 education entities over the next year. 

First Lady Jill Biden and Education Secretary Miguel Cardona look on as Homeland Security Secretary Alejandro Mayorkas speaks during a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

Tuesday鈥檚 cybersecurity event didn鈥檛 come with the announcement of any new federal regulations but was instead positioned as the first step in a new-found federal urgency around cybersecurity in schools. The Federal Communications Commission in late July proposed a $200 million pilot program to enhance cybersecurity in schools and libraries that still needs to be approved.

“When schools face cyber attacks, the impacts can be huge,” Education Secretary Miguel Cardona said. “Let’s be clear, we need to be taking these cyber attacks on schools as seriously as we do the physical attacks on critical infrastructure.”

In released by the Education Department and the Cybersecurity and Infrastructure Security Agency, the agencies recommended that school districts implement multi-factor authentication, enforce minimum password strength standards and ensure software is kept up to date. They should also consider moving on-premises information technology services to cloud-based systems. 

“Do not underestimate the ruthlessness of those who wish to do us harm,” Homeland Security Secretary Alejandro Mayorkas said. “They have proven their willingness to steal and leak such private student information as psychiatric hospitalizations, home struggles and suicide attempts. Do not wait until the crisis comes to start preparing.” 

School cybersecurity expert Doug Levin, who attended the summit, said it was a positive development to see the federal government, and the Education Department in particular, focus on the effects of ransomware on schools. The Education Department has been “mostly absent from these conversations” in the past, said the national director of The K12 Security Information eXchange.

Meanwhile, several companies, including education technology vendors, unveiled new commitments to help facilitate digital security in schools. Amazon Web Services announced a new $20 million grant program to bolster K-12 school cybersecurity while Cloudflare committed to providing free cybersecurity tools to small districts with 2,500 or fewer students. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

In the U.S., school district cyber attacks reached a record high of 37 in the month of June alone, , but Tuesday’s event centered largely on a crisis that unfolded in Los Angeles nearly a year ago. 

Last September, a notorious ransomware group carried out an attack on the Los Angeles Unified School District, the nation’s second largest, that resulted in some 500 gigabytes of district data being published to the Russian-speaking group’s dark-web leak site. 

A major theme of the White House summit was the politically connected superintendent’s swift outreach to federal agencies, including the U.S. Department of Education and the Federal Bureau of Investigation. That collaboration, Superintendent Alberto Carvalho and federal education officials said, set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called it “the Harvard Business School case study on how to get this right.” 

Other school districts should respond similarly, said FBI Deputy Director Paul Abbate. When school leaders suspect they’ve been the target of an attack, he said, it’s incumbent that they “please call us immediately.” In L.A.’s case, the FBI was able to have a team of agents on the ground in less than 24 hours, he said, enabling them to freeze vulnerable accounts and secure sensitive information that had been sought out by the threat actors. 

That coordinated response didn’t prevent some 2,000 current and former students’ highly sensitive psychological evaluations from being leaked on the dark web, an investigation by 社区黑料 revealed. Carvalho initially denied that such records were exposed in the attack, but the district acknowledged they were after the story was published. The district also initially said the attack began and ended on Sept. 3 — the Saturday of Labor Day weekend — but a follow-up investigation determined that an intrusion began as early as July 31, the .

While Carvalho didn’t comment Tuesday on the leak of sensitive psychological information, he said the number of stolen files “could have been much worse,” adding that the hackers “encrypted and exfiltrated very little thanks to our actions.” Among the actions they didn’t take, the schools chief said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

Schools Are Now the Leading Target for Cyber Gangs as Ransom Payments Encourage Attacks /article/schools-are-now-the-leading-target-for-cyber-gangs-as-ransom-payments-encourage-attacks/ Tue, 01 Aug 2023 11:45:00 +0000 /?post_type=article&p=712433 Shoddy cybersecurity practices and a willingness to pay ransom demands have made school districts ripe for online exploitation, new data suggest. In fact, they’ve become the single leading target for hackers. 

Last year, a startling 80% of schools suffered ransomware attacks, according to and released last month. That’s a surge from 2021, when 56% claimed they were victims. The rate has doubled over two years, making ransomware “arguably the biggest cyber risk facing education providers today,” researchers found.

The victimization rate against schools was higher than all other surveyed industries, including health care, technology, financial services and manufacturing. 

While the Sophos survey included responses from 400 IT professionals working in education globally, U.S. institutions are “the prime target for many of these gangs,” particularly since Russia invaded Ukraine, said Chester Wisniewski, field chief technology officer of applied research at Sophos. 

Chester Wisniewski (Sophos)

Yet even among American institutions, he said two factors have made schools particularly vulnerable to threat actors. Costly cybersecurity safeguards in schools often fail to rival those in place at major businesses like banks and technology companies. And schools aren’t just easy to hack, they’re also easy to exploit for profit, he said. Nearly half of attacks against schools last year — 47% — led to ransom payments, researchers found, and their willingness to shell out cryptocurrencies to retrieve stolen files may have backfired. 

“If a given sector pays more often than another sector, then they get targeted more often and if a given sector is really insecure and it’s super easy to break in, they’ll also get targeted more,” he said. “In the case of education, unfortunately, it’s a double whammy because they do pay very often and they also are really easy to break into.”

Sophos

The rise in ransomware attacks on schools coincides with the growth in double-extortion schemes, researchers found. In double-extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. If victims don’t pay, the criminals sell the data or publish it to a leak site. 

Files contained in those data breaches routinely contain sensitive and confidential information about students, their parents and educators. After an attack last year against the Los Angeles Unified School District, threat actors published highly sensitive psychological evaluations of some 2,000 current and former students. Following a computer breach this spring at Minneapolis Public Schools, a cyber gang uploaded to the internet a trove of stolen files including ones detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

While both incidents were large-scale attacks, many others likely unfold on a much smaller scale, Wisniewski said. Of the 80% of districts reporting attacks, he said the figure likely includes instances of a single student’s or educator’s computer being compromised. 

“The sophistication is very low, it’s smash-and-grab stuff,” he said. “They literally are just encrypting a laptop and saying, ‘Pay us $500 for the keys,’ and they don’t have the time nor the skills to bother exfiltrating data and stuff like the big groups do.” 

Scott Elder, the superintendent of Albuquerque Public Schools, knows firsthand the challenges that education leaders face when their districts become the targets of cyber criminals. A r last year, forcing the district to cancel classes. Ultimately, the district and law enforcement were able to resolve the attack without paying a ransom. He told 社区黑料 he was surprised that schools have become the top ransomware target because “we don’t have any money.” But he’s well aware that districts are vulnerable. 

“The reality is, we have incredibly dedicated people who are working incredibly hard to keep our data safe, but we just can’t pay as much as the private sector,” Elder said. “I’d imagine there are a lot of districts that are struggling to attract top-tier talent to do this type of work.” 

Last year, stolen data was encrypted in 81% of cases against schools and attacks were stopped in just 18% of cases before district information was locked, according to the Sophos report. Of schools that had their documents locked behind an encryption key, threat actors made their own copies of the information in 27% of cases. 

While schools may be tempted to pay ransoms to retrieve stolen data quickly and minimize harm, the Sophos report offers counterintuitive findings. Recovery costs were higher in districts that shelled out ransoms, even before factoring in the cyber gang’s financial demands. It also took those districts longer to get back up and running, according to the report. While 35% of districts that relied on file backups for their data recovered within a week, the same was true for 32% of those that paid ransoms. The report doesn’t explore the number of school districts which didn’t pay ransom demands and then had their confidential data leaked online.

The confidential nature of compromised data, and the potential damage of its public release, influence districts’ decisions to pay ransom, Elder said.

“This is highly confidential information, some of it can be harmful, and we’re educators: We like to take care of people,” Elder said. “But I do think sometimes we have to draw a hard line to manage our property. It’s a hard decision. I doubt there’s any single answer for anyone.”

Insurance appears to be a motivating factor in districts’ decisions to pay ransoms, Wisniewski said. In school systems with standalone cyber insurance, 56% of victims paid the ransom compared to 43% with broad insurance policies that included cybersecurity coverage. Ransom demands are often covered by insurance, Wisniewski said, and companies who have to pay off the claims are likely to have significant influence over which districts come across with the money.

“The only conclusion I can draw from that is the insurance companies think that paying the ransom is going to save them money because in the end the insurance company is on the hook for helping you recover,” he said, despite emerging data to suggest the contrary. “The insurance companies are constantly playing catchup trying to figure out how they can offer this protection because they see dollar signs while everybody wants this protection, but they’re losing their butts on it.”

New $200 Million FCC Proposal Could Help Schools Combat Cyber Attack Onslaught /article/new-200m-fcc-proposal-could-help-districts-combat-cyber-attack-onslaught/ Mon, 24 Jul 2023 11:15:00 +0000 /?post_type=article&p=711973

As ransomware and other cyber attacks become an increasingly potent threat to schools nationwide, a proposal by Federal Communications Commission Chairwoman Jessica Rosenworcel seeks to create the first federal funding stream to help districts fight back.

A three-year pilot program announced by Rosenworcel earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months — if not more than a year — before the help makes its way to schools as education groups demand a more urgent federal response.

Federal Communications Commission Chairwoman Jessica Rosenworcel

As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” Rosenworcel said in a July 12 speech before AASA, The School Superintendents Association and the Association of School Business Officers International.

Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested. The allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year. 

Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said Noelle Ellerson Ng, the group’s associate executive director of advocacy and governance. She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data.

“All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” Ellerson Ng said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”

A found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks — a marked 43% increase from 2021. The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs.

Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records. An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

Last month, New York City Public Schools, the country’s largest district, in a massive cyber attack on the file-sharing software MOVEit. The MOVEit attack has resulted in and organizations, including universities in at least a dozen states. The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many — if not most — students nationally.

“Cybersecurity is definitely something that has just stormed into the forefront” as districts nationwide grow increasingly alarmed by attacks, Rosenworcel said. The federal government hasn’t previously provided money to schools for cybersecurity but the pilot program, she said, offers a first step.

The five-member FCC commission must vote on the proposal before its full details are made public, the agency said, and it must go through a formal public comment and rulemaking process. Education experts predict it could be a year or more before the money is available to districts. 

“I’ve told our superintendents that it’s realistic that it could take 10 months — best case scenario — before they’re able to apply,” Ellerson Ng said.

School cybersecurity expert Doug Levin said the communications commission “has been slow-pedaling” on the issue for years and that the $200 million proposal is just “a drop in the bucket” of what districts nationwide would need to counter this online enemy. The pilot could be used to generate lessons learned and to set the stage for more robust federal investments, he said, but only a small number of districts are likely to receive grants under it.

But the threat that districts face from cyber attacks is so great, Levin said, that even a much more significant investment in digital safeguards is unlikely to thwart the problem.

“It’s hard for me to imagine that, even if they were wildly successful and every school district was able to put in place a next-generation firewall, that that’s going to make a meaningful difference in the number of successful attacks against school districts,” he said. “You know, maybe they shouldn’t be collecting all this data that’s so sensitive in the first place.”

Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online /article/days-after-missed-ransomware-deadline-stolen-mn-schools-files-appear-online/ Wed, 22 Mar 2023 21:50:00 +0000 /?post_type=article&p=706402

A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . 社区黑料 is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.”

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.”

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange.

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or creating an action plan if they become the target of harassment.

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.”

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.”

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued.

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol.

District officials didn’t respond to requests for comment from 社区黑料 Wednesday. Attempts by 社区黑料 to reach the gang have been unsuccessful.

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession.

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information — and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I’m hoping I’m not on there. I attend school and work at this district.”

The Telegram user, who identified themselves to 社区黑料 as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.”

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.”

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery /article/minneapolis-hackers-student-data-deadline-published/ Fri, 17 Mar 2023 22:49:27 +0000 /?post_type=article&p=706110

A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.

Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by 社区黑料 to reach the gang have been unsuccessful.

Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform.

Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 

Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.”

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.”

Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

An entry on the Medusa cyber gang’s dark web leak site says it has published stolen Minneapolis Public Schools data after the district declined to pay a $1 million ransom. (Screenshot)

Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes.

“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.”

By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — were uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte.

The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, are more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.”

The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand.

Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response.

People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the ‘clearnet’ where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution.

“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act.

In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.”

During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services.

Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen point to the threat actors possibly lurking around inside the MPS computer systems for weeks — if not months.

“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”
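The kind of baseline check Levin alludes to, written here as an added example that is not part of this article or any district's tooling: it flags a host whose daily outbound volume jumps far above its own recent median and stays there on consecutive days, and reports where the bytes went. The flow records, hosts, addresses and thresholds are all constructed for the example.

```python
"""Added example (not from the article): flag hosts whose outbound volume
stays far above their own baseline for days, the trace a multi-terabyte
exfiltration would leave in egress summaries."""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed per-day egress summaries (as a firewall or NetFlow collector
# might export). Addresses are documentation ranges; none of this is real.
SAMPLE_FLOWS = """
2023-02-01 src=10.20.5.14 dst=198.51.100.7 bytes_out=1800000000
2023-02-02 src=10.20.5.14 dst=198.51.100.7 bytes_out=2100000000
2023-02-03 src=10.20.5.14 dst=198.51.100.7 bytes_out=1900000000
2023-02-04 src=10.20.5.14 dst=198.51.100.7 bytes_out=2000000000
2023-02-04 src=10.20.5.14 dst=203.0.113.9 bytes_out=60000000000
2023-02-05 src=10.20.5.14 dst=198.51.100.7 bytes_out=2000000000
2023-02-05 src=10.20.5.14 dst=203.0.113.9 bytes_out=60000000000
2023-02-06 src=10.20.5.14 dst=198.51.100.7 bytes_out=2000000000
2023-02-06 src=10.20.5.14 dst=203.0.113.9 bytes_out=60000000000
2023-02-07 src=10.20.5.14 dst=198.51.100.7 bytes_out=2000000000
2023-02-07 src=10.20.5.14 dst=203.0.113.9 bytes_out=60000000000
2023-02-01 src=10.20.9.20 dst=198.51.100.7 bytes_out=1000000000
2023-02-02 src=10.20.9.20 dst=198.51.100.7 bytes_out=1000000000
2023-02-03 src=10.20.9.20 dst=198.51.100.7 bytes_out=1000000000
2023-02-04 src=10.20.9.20 dst=198.51.100.20 bytes_out=80000000000
2023-02-05 src=10.20.9.20 dst=198.51.100.7 bytes_out=1000000000
2023-02-06 src=10.20.9.20 dst=198.51.100.7 bytes_out=1000000000
this line is malformed and must be skipped rather than crash the detector
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(lines):
    """Parse summary lines into dicts; malformed lines are dropped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows.append({"day": date.fromisoformat(m["day"]), "src": m["src"],
                          "dst": m["dst"], "bytes": int(m["bytes"])})
    return flows


def median(values):
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def detect_sustained_exfil(flows, baseline_days=3, ratio=10.0,
                           min_bytes=20 * 10**9, min_consecutive=2):
    """One finding per host whose daily outbound bytes exceeded both an absolute
    floor and `ratio` times its own early-window median on `min_consecutive`
    or more consecutive days. A one-day spike (a legitimate bulk upload) is
    therefore not reported; a transfer that drags on for days is."""
    totals = defaultdict(lambda: defaultdict(int))   # src -> day -> bytes
    per_dst = defaultdict(lambda: defaultdict(int))  # (src, day) -> dst -> bytes
    for f in flows:
        totals[f["src"]][f["day"]] += f["bytes"]
        per_dst[(f["src"], f["day"])][f["dst"]] += f["bytes"]
    findings = []

    def close_run(src, run, baseline):
        if len(run) < min_consecutive:
            return
        by_dst = defaultdict(int)          # where the bytes went over the run
        for d in run:
            for dst, b in per_dst[(src, d)].items():
                by_dst[dst] += b
        top_dst, top_bytes = max(by_dst.items(), key=lambda kv: kv[1])
        total = sum(by_dst.values())
        findings.append({"src": src, "start": run[0], "end": run[-1],
                         "days": len(run), "baseline_bytes": baseline,
                         "total_bytes": total, "top_dst": top_dst,
                         "top_dst_share": top_bytes / total})

    for src, by_day in totals.items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to form a per-host baseline
        baseline = median([by_day[d] for d in days[:baseline_days]])
        run = []
        for d in days[baseline_days:]:
            vol = by_day[d]
            anomalous = vol >= min_bytes and vol >= ratio * max(baseline, 1)
            if anomalous and (not run or d == run[-1] + timedelta(days=1)):
                run.append(d)
            else:
                close_run(src, run, baseline)
                run = [d] if anomalous else []
        close_run(src, run, baseline)
    return findings


if __name__ == "__main__":
    for f in detect_sustained_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['src']}: {f['days']} days {f['start']}..{f['end']}, "
              f"{f['total_bytes'] / 1e9:.0f} GB, "
              f"{f['top_dst_share']:.0%} to {f['top_dst']}")
```

On the constructed data only 10.20.5.14 is reported (four days, almost all of it to one external address); the one-day 80 GB spike from 10.20.9.20 is ignored unless `min_consecutive` is lowered to 1.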

As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls, to change their passwords and to refrain from downloading any data released by cyber criminals, because doing so plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.”

Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat /article/hackers-use-stolen-student-data-against-minneapolis-schools-in-brazen-new-threat/ Thu, 09 Mar 2023 14:01:00 +0000 /?post_type=article&p=705596

Minneapolis Public Schools appears to be the latest ransomware target in a $1 million extortion scheme that came to light Tuesday after a shady cyber gang posted to the internet a ream of classified documents it claims it stole from the district.

While districts nationwide have become victims in in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang鈥檚 possession. 

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

A preliminary review of the gang’s dark web leak site by 社区黑料 suggests the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

A file purportedly stolen from Minneapolis Public Schools and uploaded to the Medusa ransomware gang’s dark web leak site references a sexual assault incident involving several students. (Screenshot)

The video is no longer available on Vimeo and a company spokesperson confirmed to 社区黑料 that it was , which prohibits users from uploading content that “infringes any third party’s” privacy rights.

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.”

Here’s a snippet of the video’s introduction (with all sensitive records omitted):

The Minneapolis school district hasn’t acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed “technical difficulties” with its computer systems to the referenced “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity.

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.

In a statement to 社区黑料 Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.”

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

A file uploaded to the Medusa ransomware gang’s dark web leak site lists personal information of Minneapolis Public Schools administrators who serve as campus emergency contacts. (Screenshot)

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost, they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an exploitation technique that’s become popular among ransomware gangs in the last several years.

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site.

Such a situation recently played out in the Los Angeles Unified School District, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site.

District officials have sought to downplay the attack’s effects on students. But an investigation by 社区黑料 found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site and earlier this month officials with ties to a Russian-based ransomware group that’s known to target schools.

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

The Medusa ransomware gang’s leak site suggests the Minneapolis school district has until March 17 to pay a $1 million ransom or have their sensitive files published online. The district can pay $50,000 to add a day to the ransom deadline. (Screenshot)

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said.

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying.

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There鈥檚 little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa. 

鈥淚t鈥檚 already out there and that cannot be repaired,鈥 she said. 鈥淭here鈥檚 information out there that鈥檚 going to impact them for the rest of their lives.鈥

L.A. Schools Admits Sensitive Student Records Leaked After 74 Investigation
/article/l-a-schools-admits-sensitive-student-records-leaked-after-74-investigation/ – Thu, 23 Feb 2023 19:01:00 +0000

After 社区黑料 published an investigation revealing that hundreds, if not thousands, of student psychological assessments were posted on the dark web, Los Angeles public schools acknowledged that the highly sensitive information had been exposed.

Its admission on Wednesday, which included the news that 60 current students’ records had been compromised, comes five months after the nation’s second-largest school district was the victim of a ransomware attack and four months after schools Superintendent Alberto Carvalho categorically denied that students’ psychological records were part of that breach.

“As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed,” Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. “Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as Driver’s License numbers and Social Security numbers.”


社区黑料 published an extensive investigation by reporter Mark Keierleber Wednesday revealing that the records, among the most sensitive information school districts maintain on students, could be downloaded from a dark web leak site of the Russian-speaking ransomware gang Vice Society. The cyber criminal gang infiltrated LAUSD’s computer system last year and then released the records when the school district refused to pay an undisclosed ransom demand.

When presented with the results of 社区黑料’s investigation Tuesday, district officials did not retract or correct Carvalho’s earlier statements, which a district spokesperson said “were based on the information that had been developed at that time.” The comments were made in early October, about a month after the cyber attack was first reported, and at a point where school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web, according to the schools chief.

The district is now saying that notification to individuals whose information was posted has been slowed by the painstaking nature of the process and the fact that some of the records date back nearly 30 years. To comply with state privacy rules, the district posted a notice to the California state attorney general’s office website in January disclosing that district contractors’ certified payroll records and their names, addresses and Social Security numbers were leaked.

School officials have not said anything publicly about notifying current or former students or district employees that their information has been compromised, but said Wednesday their investigation is ongoing and they “will continue notifying individuals as they are determined.” A day earlier, a district spokesperson told 社区黑料 that no current or former students had been informed that their psychological records were posted online.

The records identified by 社区黑料 were at least a decade old and involve special education students. They include a comprehensive background on the student’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.

“It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” a cyber security expert told the Los Angeles Daily News in a story it published on the district’s response to 社区黑料’s investigation.

Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/ – Wed, 22 Feb 2023 12:15:00 +0000

Hundreds, and likely thousands, of sensitive files were leaked online

People are likely unaware their health records were stolen

Because the district hasn’t disclosed the trove of records exists

And federal privacy laws don’t require schools to go public

Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations, including those of 60 current students, had been uploaded to the dark web.

Detailed and highly sensitive mental health records of hundreds, and likely thousands, of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by 社区黑料 has revealed.

The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records.

But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked.

Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws. Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools, even when the files themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed.

But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children's lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange.

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying – or even hiding – the fact that individuals had very sensitive information exposed,” Levin told 社区黑料. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”

The federal Cybersecurity and Infrastructure Security Agency has warned that school districts are being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology. The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency.

Cybersecurity and Infrastructure Security Agency

When L.A. schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.”

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses.

The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files.

The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing 社区黑料 to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. 社区黑料 has independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that would require health care providers to publicly disclose such a data breach if it involved patient health records.

More than 2,200 PDFs, and a large swath of other document types, follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. The records are at least a decade old and while they don’t appear to contain information about current students, they do contain highly personal information about former LAUSD students who are now in their 20s and 30s.
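The triage described above, isolating one class of file from a leak-site listing by its naming convention and counting what is there, is routine breach-scoping work. The script below is an added example, not 社区黑料's own tooling and not from the article: the naming pattern (campus code, student number, report year), the codes and the listing are all constructed for illustration, since the article deliberately does not publish the real pattern. It goes slightly beyond the text by also dropping duplicate paths, which leak sites often re-list, and reporting the year range the matching files span.

```python
"""Triage a leak-site file listing by naming convention (added example).

The naming convention, the campus and student codes, and the listing below
are CONSTRUCTED sample data, not the real LAUSD scheme or real files.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Hypothetical convention: <campus code>_<student number>_PSYCHED_<report year>.<ext>
ASSESSMENT_RE = re.compile(
    r"^(?P<campus>[A-Z]{3})_(?P<student>\d{6})_PSYCHED_(?P<year>\d{4})\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed listing: matching files (one re-listed), plus unrelated contractor and misc files.
SAMPLE_LISTING = """
/dump/psych/ABC_100001_PSYCHED_2009.pdf
/dump/psych/ABC_100001_PSYCHED_2009.pdf
/dump/psych/ABC_100002_PSYCHED_2011.PDF
/dump/psych/XYZ_200003_PSYCHED_2007.docx
/dump/psych/XYZ_200004_PSYCHED_2012.pdf
/dump/contractors/certified_payroll_2019_Q3.xlsx
/dump/misc/lunch_menu_march.pdf
/dump/psych/notes.txt
"""


def parse_listing(text: str) -> List[str]:
    """One path per line; blank lines ignored; duplicates dropped, order kept."""
    seen = set()
    paths = []
    for line in text.splitlines():
        path = line.strip()
        if path and path not in seen:
            seen.add(path)
            paths.append(path)
    return paths


def classify(paths: Iterable[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Split paths into assessment records (parsed fields) and everything else."""
    matched, other = [], []
    for path in paths:
        name = path.rsplit("/", 1)[-1]          # match on the file name, not the directory
        m = ASSESSMENT_RE.match(name)
        if m is None:
            other.append(path)
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["ext"] = str(rec["ext"]).lower()     # .PDF and .pdf are the same type
        rec["year"] = int(str(rec["year"]))
        rec["path"] = path
        matched.append(rec)
    return matched, other


def summarize(matched: List[Dict[str, object]]) -> Dict[str, object]:
    """Counts a responder needs for scoping and for notification decisions."""
    by_ext = Counter(str(r["ext"]) for r in matched)
    students = {(r["campus"], r["student"]) for r in matched}
    years = [int(str(r["year"])) for r in matched]
    return {
        "files": len(matched),
        "by_ext": dict(by_ext),
        "distinct_students": len(students),
        "year_range": (min(years), max(years)) if years else None,
        # HIPAA's public-disclosure trigger is 500 affected people; the article uses
        # that bar as a comparison even though FERPA, not HIPAA, governs these files.
        "at_least_500_pdfs": by_ext["pdf"] >= 500,
    }


def triage(text: str) -> Dict[str, object]:
    matched, other = classify(parse_listing(text))
    report = summarize(matched)
    report["unrelated_files"] = len(other)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run against a real listing, the regex is the only part that changes; the distinct-student count, not the file count, is what a notification team works from, since one student can have several reports.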

In early October, Carvalho said that people would be contacted if their information got exposed in the data breach, assuring them, “No news is good news.” By that point, Carvalho said, school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web.

Now, more than four months after the schools chief denied that psychological evaluations were exposed, the nation’s second-largest school district has not changed its position publicly. A district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time” and that the review was still ongoing.

“Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district told 社区黑料 in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update,” to affected individuals and the public.

‘Huge emotional strain for the family’

The particular files posted online, students’ psycho-educational case studies, are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in special education disputes with their children’s school district.

The evaluations describe how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.

One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’”

In general, Catron said, such reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment.” Yet it’s often difficult for families to get sensitive information removed from the files, he said, even if it isn’t accurate. Now, with breached student records of this nature in the public domain, “who knows what is going to happen.”

“The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not, it can just cause a huge emotional strain for the family.”

The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law.

Available files appear to be limited to former Los Angeles students born primarily in the late 1980s and 1990s. The age of the records highlights how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.

The timeline could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.

“Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”

The disclosure gap

Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act are required to publicly acknowledge health data breaches affecting 500 or more people and to notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.”

The Broward County, Florida, school district recently found itself subject to those rules after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on a breach portal maintained by the Department of Health and Human Services. The breach portal, often referred to as the “Wall of Shame,” includes all data breaches affecting 500 or more people that were reported to the federal agency in the last 24 months.

District officials in Florida ultimately took three months longer than federal rules allow to disclose the breach’s full extent on the district’s website, according to the South Florida Sun-Sentinel. In a statement, a district spokesperson told 社区黑料 the school system “worked diligently to investigate the incident.” Once officials realized that records related to the district’s self-insured health plan were breached, notifications to affected personnel and the federal health administration “required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified.”

“That process was complex and took substantial hours,” the spokesperson said. “Under the circumstances, notification was made in an expeditious manner.”

The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools generally are not covered under the health privacy law. And even when they are, students’ education records are exempt. Those records are governed instead by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but, unlike HIPAA, does not require schools to disclose when such breaches occur.

“The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.”

Some district records are covered by HIPAA, the LAUSD district spokesperson said, but the psychological assessments are not. A data breach involving students’ records, like the one in Los Angeles, could constitute a FERPA violation, according to the U.S. Department of Education.

“FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.”

Yet, consequences for violating FERPA are next to nonexistent. Districts can lose federal funding if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, the Education Department has never withheld funds from a district that broke the rules.

‘A psychological torment’

To date, the Los Angeles district has been forthcoming only about the breach of sensitive records about district construction contractors. In a notice posted to the California state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors.

The data breach notice also made clear that cyber criminals had infiltrated the district’s computer network for longer than initially disclosed. Carvalho said in October that district cybersecurity officials were quick to detect the unauthorized access and, “in a very, very unique way, we stopped the attack midstream.”

The district spokesperson said LAUSD is working to determine whether any of the breached files are considered “medical information” under state law and whether a notification is required. Any data breach alert to the state attorney general’s office would coincide with notifications to affected individuals, the spokesperson said.

Asked about the school district’s notification obligations for the trove of leaked student psychological records and whether it’s investigating the matter, an AG’s office spokesperson said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer any other information. Reached for comment about the data breaches in Los Angeles and Broward County, a federal Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to say anything further.

The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached an agreement to provide compensatory services to children with disabilities after an investigation by the U.S. Education Department’s civil rights office found it had failed to provide them during the pandemic. Parents and advocates said last month many children are still waiting for those services.

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from those much-needed special education services.

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

“Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”

LA Parents Sound Off After Cyberattack Leaves Students Vulnerable
/article/la-parents-sound-off-after-cyberattack-leaves-students-vulnerable/ – Thu, 06 Oct 2022 19:07:40 +0000

For Christie Pesicka, the Los Angeles Unified School District cyberattack hits home.

During the Sony Pictures hack in 2014, Pesicka was one of thousands of Sony Pictures employees who had their private information exposed in the midst of aggressive attacks by a North Korean hacker group.

Now, as a mom, Pesicka worries about protecting her son Jackson, a 1st grade Playa Vista Elementary School student, so history doesn’t repeat itself.

“When you’re a kid, you won’t ever see a credit report and find out that there's something on there until you go off to college,” Pesicka said in an interview. “By that time, somebody has had 15 years to rack up a bunch of different credit cards or properties or whatever else on your kid’s account… so that's very concerning.”


Like Pesicka, LAUSD parents have raised concerns about the district’s response to the cyberattack, ranging from long-term data protection to how well a hotline, created to answer parents’ and staff questions, is working.

About 500 gigabytes of stolen district data was posted on the dark web Saturday by Vice Society, a Russian-speaking ransomware gang known to target school districts.

After the district and law enforcement analysts reviewed about two-thirds of the data, LAUSD Superintendent Alberto Carvalho assured students, parents and employees that there is no reason for widespread concern.

“The release was actually more limited than what we had originally anticipated,” Carvalho said in a Monday press conference downplaying the damage done.

Carvalho said any exposed student data, including names, academic information and personal addresses, dated from between 2013 and 2016, insisting most middle and high school students from that period have already graduated.

For now, Carvalho confirmed students who did have their data breached will be contacted and offered credit monitoring services.

But many parents were not convinced the superintendent’s response was enough to ease their concerns about the cyberattack.

When Pesicka鈥檚 private information was exposed, Sony offered her one year of credit monitoring. But she found out years later she had a stolen identity and social security number.

“I had three people working under my social security number and I had my identity compromised,” Pesicka said in an interview. “Anybody who’s been through identity theft knows how difficult it is and how there’s not really a streamlined process or way to scrub your information.”

Teresa Gaines, the mom of 2nd and 3rd grade students at Grand View Boulevard Elementary School, was troubled by Carvalho’s response because it didn’t provide the urgency she was hoping for.

“Some people don’t realize how serious this can be because what if five or ten years from now our kids go to college and all of a sudden they get denied entrance because of something that is not their fault… or somebody uses that data to cause issues that prevent them from getting into certain programs or denied work,” Gaines said in an interview.

Gaines also said LAUSD should provide more targeted outreach to families through “town halls” and “informational webinars” so parents could ask questions about the cyberattack.

She is particularly concerned by the release of psychological assessments, which Carvalho insisted during his press conference did not happen. However, the Los Angeles Times reported otherwise.

For Jenna Schwartz, the mom of a 7th grade student in North Hollywood, Carvalho’s response left her cautiously optimistic.

“If I find out I was impacted… but it was just my child's school photograph from 2013 and his attendance record, I don't care as much,” Schwartz said in an interview. “If it was my social security number and bank information, those are two very different scenarios.”

Carvalho pointed parents to the district’s hotline, available Monday through Friday and this weekend for additional questions or support on the cyberattack.

But parents reported long wait times, and limited hours and information when the hotline began earlier this week.

“Unless you ask a question that fits into their script, they don't really have a response,” Pesicka said in an interview. “And even if you do, you're getting a very robotic response.”

In addition, Schwartz noted that she’s “not sure what good the hotline is at this point other than sort of just to make people feel better.”

After a request for comment, a spokesperson from LAUSD referred back to Carvalho’s statement on the cyberattack:

The hotline hours have been updated to weekdays from 8 a.m. to 8 p.m. and this weekend from 6 a.m. to 3:30 p.m.

In Wake of LA Cyberattack, 3 Ways Families Can Better Protect Student Data
/article/in-wake-of-la-cyberattack-3-ways-families-can-better-protect-student-data/ – Tue, 04 Oct 2022 23:01:00 +0000

A Labor Day weekend cyber attack affecting thousands of Los Angeles Unified School District students has families questioning what they can do to keep their information safe.

According to the initial reports, hackers used ransomware to freeze and disable some LAUSD systems. The Vice Society ransomware gang then reportedly published a trove of sensitive district records this past weekend, though LAUSD superintendent Alberto Carvalho sought to downplay the damage done at a Monday press conference, particularly as it relates to records about individual students.

Authorities have said there’s no evidence confidential student information, such as Social Security numbers or health insurance details, has been breached. Last month the district confirmed a ransom demand by the hackers, but Carvalho said there had been no response.


“School districts are often vulnerable targets to these kinds of attacks because they are large, have many employees, and many other users including students and parents who have access to at least some parts of the system,” said Clifford Neuman, an expert on computer security and professor at USC’s Viterbi School of Engineering, in an email to LA School Report.

“What makes LAUSD an attractive target to criminals deploying ransomware is the number of individuals that are affected when LAUSD systems become unavailable,” Neuman added.

Dr. Joseph Greenfield, Associate Professor of Practice at USC and an expert on digital forensics, offered three tips on how LAUSD families, as well as parents at any school district across the country, can keep their private data protected:

1. LAUSD devices should be used exclusively for LAUSD services:

To keep personal information off the school’s data networks in the first place, parents should ensure students use their LAUSD devices strictly for school purposes. Students often play online games or use social media on those devices, and the accounts, messages and browsing history that activity creates end up on district-managed systems, where they would be exposed alongside school records in a breach.

2. Download a Password Manager:

A password manager is an application that generates a long, random password for each account and stores them all behind a single master password or the device’s own unlock, so the user never has to remember or reuse them. Some are built into the operating system or browser; others are standalone, often subscription-based, services. Popular examples include Apple’s iCloud Keychain and Dashlane.

Essentially these programs exist so that passwords are not repeated across the wide array of sites students use on a daily basis. If each application has its own separate lock, then a compromise of one account does not lead to a compromise of all accounts.

3. Use a Multifactor Authentication Process:

Multi-factor authentication can be turned on for most accounts in their security settings. Once enabled, every login attempt requires the user to present two or more forms of evidence of identity: typically the password plus a second factor, such as a confirmation code sent by text message or an approval prompt or one-time code in an authenticator app such as Duo. Students should be required to complete this identity confirmation each and every time they log in.
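The second and third tips are easier to trust once you have seen what the tools actually do. The block below is an added example, not code from the article, from Duo, Apple or Dashlane: it generates a unique random password per site the way a password manager does, and it implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps display, together with the server-side check a site performs on it, including a small clock-drift window, constant-time comparison and a guard against replaying a code that was already used. The shared secret used in the demonstration is the published RFC 4226/6238 test key, not a real one.

```python
"""Unique passwords and a TOTP second factor (added example, not from the article)."""
import base64
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """What a password manager does per site: OS randomness, all character classes present."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def issue_totp_secret(nbytes: int = 20) -> str:
    """Fresh shared secret, base32-encoded as enrolment QR codes carry it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app shows: HOTP over the current 30-second time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None, *,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the time step that produced `code`, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time and
    checks every candidate step (so timing does not reveal which one matched).
    Any step not newer than `last_counter` is refused: the caller stores the
    returned value so a code can never be accepted twice (replay).
    """
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    now = int(for_time // step)
    matched = None
    for c in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            matched = c
    if matched is None or matched <= last_counter:
        return None
    return matched


if __name__ == "__main__":
    key = b"12345678901234567890"   # RFC 6238 test key; never use in production
    print("site password:", generate_password())
    print("enrolment secret:", issue_totp_secret())
    print("code at t=59:", totp(key, for_time=59))   # RFC 6238 vector: 287082
```

A real deployment stores the secret per user server-side, persists the last accepted step to make the replay guard effective across requests, and rate-limits attempts, since a six-digit code with a three-step window gives a guesser roughly 3 in a million odds per try.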

This article is part of a collaboration between 社区黑料 and the USC Annenberg School for Communication and Journalism.

Sara Balanta is an undergraduate student at the USC Annenberg School for Communication and Journalism pursuing a Bachelor’s degree in Journalism. She is a 2022 Dragon Kim Foundation Fellow where she hosts a project called “Teacher’s Aide +”, which conducts free renovations in schools to help brighten campus environments. Aside from writing her passions include youth activism, media culture and music.

LA District Downplays Student Harm After Cyber Gang Posts Sensitive Data Online
/article/lausd-data-breach-los-angeles-hack-student-data/ – Mon, 03 Oct 2022 21:57:31 +0000

Updated, Oct. 4

The Vice Society ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site,” after education leaders refused to pay – and at first even acknowledge – a ransom.

Yet in a press conference Monday, Superintendent Alberto Carvalho sought to downplay the damage done, particularly as it relates to records about children. An early news report said that student psychiatric evaluation records had been published online, citing a confidential law enforcement source. That reporting, Carvalho said, is “absolutely incorrect.”

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system. The “vast majority” of exposed student data, including names, academic information and personal addresses, was from a period between 2013 and 2016. “That is the extent of the student information data that we have seen.”

Roughly 500 gigabytes of district data was made public on Sunday by the Russian-speaking ransomware gang, which took credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear, yet after reviewing about two-thirds of the data, Carvalho said that “so far, based on what we’ve seen, critical health information or Social Security numbers for students,” is not included.

Carvalho confirmed on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. On Monday, he said that information from private-sector contractors, particularly those in construction, appeared most impacted. Breached records include contracts, financial information and personally identifiable data, Carvalho said.

Cybersecurity experts have warned that the release of district data could come with significant risks for current and former students. Children’s Social Security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.

James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited.

Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision to withhold payment.

“There’s no upside to ever paying a ransom,” said Turgal. “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site.

Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second-largest school district, had initially .

“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.”

In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.”

The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.

In an email to 社区黑料, Vice Society said they published the district data because “they didn’t pay,” and acknowledged the “ransom demand was big” without providing a specific figure. Asked what makes school districts attractive victims for such attacks, the group offered a brief explanation: “Maybe news? Don’t know — We just attack it =).”

Over the weekend, they that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”

Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” in an email that federal authorities were “wrong” to advise the district against paying.

“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”

社区黑料 has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.

“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said.

For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like Social Security numbers to sell on a dark web marketplace, often for identity theft.

Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find themselves on the hook for as much as $100 million in medium-term recovery costs, Levin noted, to improve their cybersecurity infrastructure and work to prevent another attack in the future.

He said it鈥檚 important that affected educators, parents and students . The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit. 

“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.”

LA Schools and the Mystery of the Missing Ransom Note
/article/la-schools-and-the-mystery-of-the-missing-ransom-note/ Tue, 13 Sep 2022 21:21:53 +0000

Updated, Sept. 21: Los Angeles Unified School District has received a ransom demand from the hackers whose breach of the district’s computer systems was discovered Sept. 3, the Los Angeles Times yesterday. “We can confirm that there was a demand made,” L.A. schools Superintendent Alberto Carvalho said. “There has been no response to the demand.” The schools chief did not say when the demand was received, how much the cyber attackers are seeking or provide any further details. Carvalho said the country’s second-largest school district is following the advice of experts and law enforcement, including the FBI and the Los Angeles Police Department, the Times reported.

As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar. 

Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, leveraging the theft of sensitive data to demand a ransom. to prevent hackers from publishing private records on dark-web outposts.

Vice Society, a ransomware gang, steals and publishes sensitive information on its dark-web “leak site” if its victims fail or decline to pay up. (Screenshot)

So what’s a ransomware attack without a demand for money?

“We have not received a ransom demand, nor have we sought a direct communication with the entity,” Superintendent Alberto Carvalho said at a Friday news conference, nearly a week after the breach was detected.

On Tuesday, the L.A. school board an emergency declaration allowing Carvalho, who took the helm at the nation’s second-largest school district in February, to expedite contracts for cybersecurity for a year without competitive bidding.

The new superintendent’s statements are “not consistent” with Vice Society’s extortion playbook, said Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security, a computer security firm that warned the district in 2021 about a cyber vulnerability.

Holden said he fears “a missing link” between the district and the threat actors, who are “definitely known to send out a ransom note because that’s how they get paid.” Vice Society has made clear that money is the primary motive for the cyber attack on L.A. schools, which the group says it carried out but has not provided evidence to substantiate its claims.

Holden is not the only one trying to read between the lines.

“One big question everybody has is, ‘Did they pay, are they going to pay the extortion demand?’” said Doug Levin, national director of The K12 Security Information eXchange.

Levin and other cybersecurity experts have a few theories. 

For one, it could be the case of carefully worded messaging. While Carvalho noted that the district has not “sought a direct communication with the entity,” the superintendent’s comments don’t “seem to rule out that someone on their behalf may be in touch with Vice Society,” Levin said, adding that “nothing in their response or in what Vice Society has said or done rules out paying extortion and much is consistent with it.”

In previous attacks, districts have declined to recognize ransom demands unless they come through official channels, he added, and it’s possible that “a pop-up on a computer screen is not a valid way of communication to a district and therefore it does not count as being received.”

It’s possible, Holden said, that a ransom note failed to reach an audience. When organizations learn they’ve been compromised, they sometimes react by defending themselves overzealously and the ransom note winds up getting blocked, he said.

“The organizations typically tend to lose these notes, block them or don’t report them,” he said. If someone reports a phishing attempt to IT, email administrators tend to purge the message and future communications. “So they basically didn’t block the phishing email, but potentially they blocked the ransomware note.”

But there could be another explanation for the missing ransom — one of success. When district officials moved quickly to take their computer systems offline after detecting the breach, they could have effectively eliminated the threat before the demand was made.

“If there’s enough notoriety about it and they didn’t get far enough to actually encrypt enough or exfiltrate enough data, I’ve seen the threat actors abandon it,” cyber crime expert James Turgal told 社区黑料. “When law enforcement gets involved, that’s when those guys start getting really nervous.”

In his press conference, Superintendent Carvalho never called out the hacking group by name but noted that federal law enforcement officials working on the criminal investigation have “intimate knowledge” of the bad actors.

While some cyber criminals steer clear of attacks on schools and hospitals, Vice Society — whose dark web “leak site” is styled after the video game — has no such code, Holden said.

“These guys don’t have this stop and that’s extremely disturbing because this may indicate that they won’t stop for anything,” he said.

Reporters have received brief responses from an email address that federal law enforcement officials say is controlled by the cyber gang. In their replies, the group and of files from compromised district servers. In an email to The Associated Press, the group offered a simple explanation: “We are not political organization, so everything is just for money and pleasure =).”

社区黑料 contacted Vice Society to request information about its ransom demand and the records it stole. In a brief response, the group said it would provide “all answers after they appear on our website,” suggesting that the L.A. data would be leaked if negotiations fail.

Even without a ransom, recovering from the attack will likely cost the districts millions of dollars, experts said. As such attacks on schools have become more frequent, districts face steep cyber liability insurance of as much as 300 percent. In 2021, a total of 67 ransomware attacks against U.S. schools and colleges cost an in downtime and recovery costs. In May, Lincoln College in Illinois announced it would after becoming the target of a cyber attack. 

‘Surveillance and grooming of our own systems’

Los Angeles Unified School District, which serves more than 500,000 students, joins the ranks of districts nationwide on the receiving end of ransomware attacks in recent years, falling victim on the Saturday night of the four-day holiday weekend. The LAUSD breach appears to be part of a growing trend of back-to-school hacks, which take advantage of a chaotic moment when district cybersecurity officials are particularly busy. 

“If you were looking to extort a school district and increase the leverage on them to meet an extortion demand or a ransom demand, this time of the school year would be among the best to do it,” Levin said. “We have seen, over the last several years, that ransomware actors have taken advantage of that fact at the beginning of the school year to extort districts out of millions of dollars of money in demands.”

Superintendent Alberto Carvalho addresses a press conference about sharp decline in student test scores and hacking of LAUSD system on Sept. 9. (Irfan Khan/Getty Images)

As hackers were carrying out the attack, district technology officials detected “unusual live data movement,” and made the unprecedented decision to shut down the district’s computer system — a move “that itself caused a number of challenges,” Carvalho said, but prevented “other more essential elements.”

While a district facilities system was a primary target in the hack, Carvalho acknowledged that hackers had “touched” the online student management system. The facilities system includes information on contracts and non-sensitive records, he said, and it remains unclear whether the threat actors were able to acquire sensitive student information.

“It is quite possible, even likely, that for a period of time in advance of the actual attack, there was a degree of surveillance and grooming of our own systems,” Carvalho said, suggesting threat actors rummaged through district data prior to launching the ransomware scheme. L.A. Unified was in the process of rolling out passwords with multi-factor authentication, but Carvalho acknowledged the security measure had not been finalized before the breach.

The criminal investigation into the attack involves officials from the Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In , federal officials warned that Vice Society actors were “disproportionately targeting the education sector with ransomware attacks” that have led to “delayed exams, canceled school days and unauthorized access to and theft of personal information.” Schools may be “particularly lucrative targets,” the advisory said, because they retain a large amount of sensitive student information.

Turgal, the vice president of cyber risk and strategy at Optiv Security, offered a harsh critique of L.A. Unified’s response, noting that officials had been previously warned about vulnerabilities.

“They’re doing the right things,” but a speedy response to eliminate threats from servers is critical, said Turgal, a former executive assistant director for the FBI Information and Technology Branch. “Their response was very measured, but it was very slow.”

The district declined to comment.

While schools reopened after the Labor Day weekend as scheduled, the breach came with substantial disruptions and confusion for the 540,000 students and 70,000 district employees who were required to reset their passwords and were unable to access online platforms. 

“From my students, I could tell they were frustrated,” said Nancy Soni, an 11th grade English teacher in East Los Angeles. “A lot of them didn’t really understand what it meant to be hacked.”


‘A wake-up call’

Outside Los Angeles, ransomware attacks have delivered a serious blow to districts nationwide, crippling their finances with extortion demands and recovery costs. 

In Baltimore, saddled the county school district with some $10 million in recovery costs. Costs are similar in Buffalo, New York, where the district was last year but declined to pay the ransom. When education leaders in Broward County, Florida, declined to pay a $40 million ransom demand after district accounting and financial records were stolen, hackers posted some 26,000 files on the dark web. 

In fact, this isn’t Carvalho’s first experience dealing with a data breach. In 2020, while he was superintendent in Miami, Florida, the to a cyber attack on the first day of virtual classes. A 16-year-old district student who took credit for the attack to a year of probation.

Back in L.A., district leaders were warned on multiple occasions in the last several years that their cybersecurity safeguards weren’t up to snuff and that data had been compromised.

In January, 2021, the district inspector general of an information security audit that identified lapses that required an “immediate remedy” including “significant risks around passwords and credentials” and the lack of incident response planning and preparation.

Having been presented with “a laundry list of things that should have been done,” it’s critical to understand how the district responded to the audit, said Turgal of Optiv Security.

Carvalho also expressed concern about how the report’s recommendations were handled, saying his “first order of business” is to “actually understand that report and ask the tough questions about why were a number, if not the majority of these measures, not acted upon.”

A month later, in February, 2021, cybersecurity experts with Hold Security used an intermediary to inform L.A. district leaders of more bad news. The computer for a school psychologist who was working from home had become compromised, Holden said, likely after she was duped by a phishing email. 

District officials worked quickly to patch the hole and there’s no evidence to suggest it contributed to the recent ransomware attack, but Holden said it should have served as “a wakeup call” and suggests that LAUSD probably hadn’t “put enough safeguards in place to prevent something like this.”

The incident also highlights the reality that cybersecurity attacks on school districts can net highly sensitive data about children, Holden said. 

“Imagine what kind of sensitive information, especially about minors, this person might have within her computer or within her access,” he said. Compromised data from a school psychologist is “the worst-case scenario of what the bad guys could steal, something that would be directly harmful to kids.”

Soni, the English teacher, said that hackers’ potential access to sensitive information is concerning. As an educator in the district, she said she has access to a significant amount of information about students, including their addresses, phone numbers and whether they’re in special education.

“There’s a lot on there, and to have everybody’s personal history be jeopardized, that is scary,” she said. “One of my concerns is having the wrong people have access to information about me, and information about my students.”

LA School Report freelancer Destiny Torres contributed to this report
