Cyberattack – 蜜桃影视 America's Education News Source

Opinion: Teens are Hacking School Systems. Let’s Teach Them to Protect Communities Instead
Fri, 14 Nov 2025 13:30:00 +0000

In July, a group of teenagers hacked an educational technology company that serves thousands of school districts across the United States. Two months later, they told the company, their peers and policymakers how they did it and why it was a good thing for them, the company and our country.

No, you’re not experiencing déjà vu. No, we’re not talking about some recent cyber incidents caused by teenagers, such as the PowerSchool data breach by a 19-year-old hacker from Massachusetts in 2024 who accessed sensitive data of more than 60 million students and 10 million teachers.




Watching PowerSchool make a comeback from such an incident made it clear that organizations can no longer afford to wait for proof that weaknesses exist. Continuous testing and engaging diverse perspectives are the best ways to stay ahead. That’s why this effort that began in July was intentionally designed to make students part of the solution, not the problem — to transform the same curiosity and skill that might lead to hacking toward cyber defense.

After all, kids have been hacking computers, systems and schools since they’ve existed — and they’ll keep doing it. The difference now is that teenage defenders can help protect against teenage attackers.

The large-scale cyber incidents by teenagers emphasize three interconnected problems facing schools and our broader society:

First, our schools are dependent on a few key technology vendors that, if hacked, could shut down school districts across the country or lead to massive breaches of sensitive student, teacher and family data.

Second, teenage hackers who are fluent English-speakers — in loosely affiliated groups that go by names like Scattered Spider, Shiny Hunters, and Lapsus — have been behind some of the biggest cyber incidents in the past few years. They’ve hacked organizations from Caesars casinos to Snowflake to Salesloft. Even giants like Google and Microsoft haven’t been spared.

Some cyber experts have begun calling these young hackers Advanced Persistent Teenagers (or APTeens), a play on Advanced Persistent Threats (or APTs), the term used to describe sophisticated nation-state hacking groups from countries like China, Russia, Iran and North Korea.

Ultimately, our country faces a cyber workforce challenge that most strongly impacts “target rich, cyber poor” sectors like schools, state and local governments, and small businesses that lack the funding and capacity to defend themselves against cyber threats.

With a different approach, progress can be made on all three problems — insecure tech, teenage hackers and the cyber workforce challenge — by creating an alternative pathway for teenage hackers. To make this work, edtech companies, hackers, policymakers, higher education and even high schools must provide a pathway that builds the skills the workforce needs. That includes offering the opportunity to receive immediate payment for hacking and bolstering the cybersecurity of key technologies society relies on daily.

With this in mind, in July, joined the and the to flip the APTeen challenge on its head. The goal was to promote hacking for good to secure our schools. The EdProtect Cybersecurity Research Symposium brought together teenage hackers, professional security researchers, and Skyward, a widely used edtech product, for a two-week live hacking event. 

The teenagers, college students from around the country, received support and training as they worked to find and report bugs. We know people learn best through hands-on experiences where novices can work alongside seasoned professionals and mentors, who were once teenagers too.

While live hacking events and bug bounty programs — where companies pay good-faith security researchers to find and share software bugs that can be used to hack their systems — are not new, they are rare in “target rich, cyber poor” sectors like education.

Since the nation’s 14,000 school districts rely on the same few software vendors for their critical infrastructure, efforts like this to strengthen the cybersecurity of key vendors can have a dramatic impact for millions of students, families and teachers across the country. Furthermore, these endeavors shift the burden for managing cyber risk to the companies that are best positioned to address it.

PowerSchool Hacker ‘Thankful I Got Caught,’ Sentenced to 4 Years in Prison
Tue, 14 Oct 2025 21:30:00 +0000

Worcester, Massachusetts

Computer hacker and former college student Matthew Lane — who was a teenager when he carried out a massive cyberattack on education technology company PowerSchool — was sentenced in federal court on Tuesday to four years in prison and ordered to pay more than $14 million in restitution.

Lane, a former Assumption University freshman who federal prosecutors described as a sophisticated and experienced cybercriminal, told a federal judge that his crimes occurred during an “extremely dark time in my life,” but acknowledged, “I deserve to be punished.” In June, Lane pleaded guilty to what is widely considered the largest exposure of private student data in history, a breach that compromised the sensitive information of some 60 million students and 10 million educators.




“I robbed actual people and their families of their sense of security,” Lane, now 20, told U.S. District Court Judge Margaret Guzman, his shaggy hair obscuring his eyebrows and the tops of his glasses, adding he was “thankful I got caught.”

Lane said he takes “full responsibility” for his crimes but that he was “disconnected from reality” while he engaged in hacking. He has since become “sober not just from drugs, but from the internet as well,” he told Guzman.

Accompanied in court by family members and several friends, Lane broke down and sobbed after learning his sentence, which includes three years of supervised release and a $25,000 fine.

He was convicted of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft. Federal prosecutors were seeking a seven-year prison term, describing Lane in a sentencing memo as being motivated by greed and saying the threat to PowerSchool warned, “we fully intend to destroy your company and bankrupt it to the point of no absolute return” if it didn’t meet a $2.85 million ransom demand in Bitcoin.

Lane’s sentencing concludes a yearlong cybercrime saga, which began in September 2024 when prosecutors say he hacked into PowerSchool’s computer network and transferred stolen records to a leased server in Ukraine. About three months later, PowerSchool officials received the extortion demand to prevent sensitive student and teacher data — including the Social Security numbers of children as young as 5 — from being leaked “worldwide.”

Lane also pleaded guilty to working with an unnamed co-conspirator from Illinois to extort $200,000 from an unnamed U.S.-based wireless telecommunications company between April and May 2024 before he discussed the “need to hack another shitty company that[’]ll pay” and set his sights on PowerSchool.

Matthew D. Lane was sentenced on federal cybercrime charges Tuesday at the federal district courthouse in Worcester, Massachusetts. (Photo: Mark Keierleber)

Guzman, who appeared sympathetic to Lane’s young age at the time he carried out multiple cyberattacks, said the case should serve as a cautionary tale to parents everywhere and expressed alarm about the “breadth and reach of technology” to commit crimes anonymously. Guzman said the challenges Lane faced as a teenager, including social isolation and struggles to fit in with his peers, made him “vulnerable to falling through the rabbit hole.”

Guzman said society can’t go back to the days of typewriters and television sets with just five channels. But parents have placed computers in their children’s bedrooms and provided cell phones to grade schoolers without proper guardrails. Lane, she said, won’t be the last one to exhibit “bravado behind the screen of a computer.”

Defense attorney Sean Smith asked the judge to sentence Lane to three years in prison and three years of supervised release. Smith said Lane was “very much cognizant of the seriousness” of his offenses and that he pleaded guilty and “admitted fault almost from the get-go.”

Smith said Lane was a teenager when the cyberattacks unfolded and had no previous convictions. Letters of support submitted by family members to the court made clear Lane was “a generous, loving, patient individual,” who grappled with loneliness, depression and anxiety.

The seriousness of Lane’s actions “can’t be overstated,” said Assistant U.S. Attorney Kristen Kearney, who called his behavior “calculated.” The PowerSchool data breach has caused real harm to millions of people, she said, who now face stifled job prospects, heightened insurance costs and other harms that will follow them “for the rest of their lives.”

Kearney noted that Lane made several efforts to conceal his identity and avoid detection and was financially motivated: He desired designer clothes and jewelry, she said, and to “host parties at extravagant Airbnbs.”

Lane “did not make a teenage mistake” or get “mixed up with the wrong crowd,” she argued, but carried out “carefully planned attacks” for financial gain. Personal statements that put Lane in a positive light, she said, showed he was living “a double life.” In the online world, she said, digital chat messages included racial slurs, antisemitism and threats of sexual violence.

The prosecutor challenged Lane’s request for a three-year prison sentence, arguing that other cybercriminals could see it as the cost of doing business if they have millions of dollars in cryptocurrency waiting for them after their release. Lane returned about $160,000 to the government, according to a sentencing memo released last week, but roughly $3 million remains unaccounted for.

Kearney also disputed Smith’s assertion that Lane was a first-time offender at the time of the PowerSchool breach, despite his absence of a criminal record. Last week, federal officials accused him of carrying out at least eight cyberattacks dating back to at least 2021 when he was still in high school.

Prosecutors said the PowerSchool attack resulted in more than $14 million in damages, including the ransom payment and identity theft services for the students and teachers who were victimized. 

In a statement to 蜜桃影视 on Tuesday, PowerSchool said it “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice” and that the company remains focused on “supporting our school partners and safeguarding student, family and educator data.”

After the sentencing hearing, a tearful Lane, who wasn’t immediately taken into custody, was embraced by friends and family members.

“I’m sorry, guys,” he said to four friends outside the courtroom, exchanging hugs and handshakes before getting into an elevator. “I love you guys.”

Pennsylvania Teachers Union Members Sue After Cyberattack Exposes Personal Data
Mon, 07 Apr 2025 14:30:00 +0000

Members of the Pennsylvania State Education Association have filed multiple class-action lawsuits against the union after a cyberattack compromised the personal information of more than a half-million people.

Three union members filed suit in March, just days after the union announced a data breach had occurred on July 6, 2024.

A union investigation into the incident, completed Feb. 18, found that an “unauthorized actor” gained access to records like Social Security numbers, bank account numbers, birthdates and taxpayer identification information.




The Rhysida ransomware gang claimed on its dark web site in September that it had carried out the cyberattack.

The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the said 517,487 people were affected.

The suits allege the union failed “to properly secure and safeguard private information that was entrusted to them” and that those affected — including the relatives of members — will suffer financial losses and lost time detecting and preventing identity theft.

Educators must provide personal information to the union to receive its benefits, according to the lawsuits. 

The plaintiffs also allege that the union waited too long to announce the data breach. were sent out on March 17, a month after the union’s investigation was finished.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The attack occurred on computer systems that needed security upgrades, the lawsuits allege. Two of the plaintiffs have reportedly experienced increased numbers of spam calls and emails.

“[The union] failed to properly monitor the computer network and systems that housed the private information,” one lawsuit says. “Had [the union] properly monitored its computer network and systems, it would have discovered the massive intrusion sooner rather than allowing cybercriminals almost a month of unimpeded access.”

The union, which represents 178,000 members, said in a previous statement that it isn’t aware of identity theft connected to the breach. It did not respond to a request for comment from 蜜桃影视 about the lawsuits.

The plaintiffs are seeking compensatory damages and want the court to order the union to pay for at least 10 years of credit monitoring services for those affected. Motions were filed in a Pennsylvania district court Tuesday to consolidate the lawsuits into one class-action case.

Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
Mon, 10 Mar 2025 16:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts.

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers.

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by 蜜桃影视 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 




The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000.

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers.

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by 蜜桃影视 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment.

The district didn’t respond to requests for comment for this story.

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed.

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.”

Negotiations with the threat actor are among files obtained by 蜜桃影视 through a public records request (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help.

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024.

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event.

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.”

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. 蜜桃影视 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened?

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants.

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment.

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers.

Trump’s ICE Plan Sows ‘Chaos and Fear’ in Schools
Sat, 08 Mar 2025 13:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

As President Donald Trump reportedly mulls an executive order to eliminate the Education Department, the federal government’s role could shift from ensuring children have equal educational opportunities to making it easier to deport them.

One closely watched avenue where that could happen is allowing immigration enforcement in schools. Trump last month barring federal agents from conducting raids in sensitive locations like churches, hospitals and schools.

Los Angeles students walk out of class on Feb. 4 in protest of President Donald Trump’s immigration agenda. (Photo by Sarah Reingewirtz/MediaNews Group/Los Angeles Daily News/Getty Images)

A protest Thursday against the administration targeting schools in its mass deportation pledge was sparked in part by claims that last month was precipitated by rampant classroom bullying, with the student’s peers claiming the Texas girl’s family was undocumented and would get deported.

“The presence of immigration enforcement in our classrooms will not make schools safer, it will actually do the opposite,” Alejandra Gonzalez Rizo, an eighth-grade teacher in Washington, D.C., and a former DACA recipient, said during a Thursday press call organized by two advocacy groups, United We Dream Action and The Immigration Hub. “It will create chaos and fear, forcing students and teachers to look over their shoulders instead of focusing on learning.”

 

The big picture: To date, I’m not aware of any cases during Trump’s second term where immigration officials carried out enforcement actions inside a school. Advocates warned of a greater fallout to come.

  • School police in Texas have opened an investigation into Jocelynn’s death.
  • Now you see it, now you don’t: The Trump administration implemented — then walked back just days later — an order that sidelined a federal program that allows nonprofits to provide legal representation to undocumented children who are in the country without their parents.
    • The young migrants, called unaccompanied minors, have become a central target in Trump’s immigration crackdown.
    • Prohibiting ICE activities at or near schools or bus stops “could significantly limit immigration enforcement in Denver,” the Trump administration said in response to a lawsuit from the city’s school district seeking to prevent an end to the sensitive locations policy.
    • In February, a federal judge blocked immigration officials from conducting raids and arrests at a handful of churches and places of worship that sued to halt the policy shift. Trump’s directive, the judge ordered, likely denied religious freedoms protected by the First Amendment.

Emboldened states: Decades ago, the Supreme Court ruled that all children in the U.S. are entitled to a free public education regardless of their immigration status. Conservative state officials want that to change — with lawmakers in Tennessee, Oklahoma, Indiana and Texas introducing bills to bar undocumented kids from classrooms.

The Pinellas County, Florida, police department has reportedly applied for a federal program that deputizes local officers with immigration enforcement powers.

  • On Thursday, Pinellas school officials said they would cooperate with ICE but would stop short of instructing its officers to work alongside federal immigration agents.

Departing gifts: From soccer balls to handwritten letters, educators across the country have been giving heartfelt mementos to multilingual learners whose families have chosen to leave their schools and their homes rather than risk scrutiny from immigration agents. | 蜜桃影视


In the news

R.I.P. ED? Trump is expected to sign an executive order as early as today calling for an end to the Department of Education, throwing into uncertainty an agency that enforces federal civil rights laws and distributes financial support to low-income schools and students with disabilities. But here’s the thing: The department was created by Congress — and bringing down a federal agency will take a lot more than a few scribbles on a piece of paper.

Now you see it, now you don’t (again): The department appeared to walk back a controversial order that threatened to strip federal funding from schools with diversity, equity and inclusion policies. | 蜜桃影视

  • In response to the original order, some educators said they had no intention of playing along. In Long Beach, California, for example, school officials moved forward with plans to open the Center of Black Student Excellence despite federal pressure. | 蜜桃影视
  • In a lawsuit Wednesday, the ACLU and the nation’s largest teachers union alleged Trump’s anti-DEI order stifled educators’ free speech rights.

In a first-in-the-nation move, Iowa Gov. Kim Reynolds has signed a law that strips state anti-discrimination protections from transgender and nonbinary students.

A lawsuit has accused a former security guard at a Milwaukee private school of secretly recording underage girls in a campus locker room.

  • More from Milwaukee: City officials approved a $1.6 million plan to station police officers in public schools — more than 400 days after a state law went into effect requiring cops on campuses.

The Senate failed to pass legislation that sought to bar transgender students from participating in school athletics programs consistent with their gender identity. | 蜜桃影视

Free from gun-free zones: A new Wyoming law has banned “gun-free zones” in schools and other public spaces.


Kept in the Dark

For a recent investigation for 蜜桃影视 and Wired, I fell down a dark web rabbit hole and chronicled more than 300 school cyberattacks in the last five years — and revealed the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information.

This week, I highlighted my investigation into a ransomware attack on the Providence, Rhode Island, school district — where educators denied a massive student data breach in plain sight.

As a result of that 18-month-long investigation, I was interviewed last week on KARE 11, the NBC affiliate in Minnesota’s Twin Cities. Public records I obtained from Minneapolis Public Schools uncovered sharp disparities in what district leaders told the FBI after a 2023 data breach and what it communicated to the public. You can watch the newscast .


ICYMI @The74


Emotional support

Oh hey, springtime, is that you? 蜜桃影视 editor Andrew Brownstein’s pup Sagan is already out in the yard waiting for longer, warmer days.

Kept in the Dark: Inside the Providence Schools Ransomware Attack
Mon, 03 Mar 2025 11:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive ransomware attack on the Providence, Rhode Island school district.

After the Providence, Rhode Island, school district fell victim to a September 2024 cyberattack by the Medusa ransomware gang, school officials said an ongoing investigation found “no evidence that any personal information for students has been impacted.”




    An investigation by 蜜桃影视, including a review of stolen files captured in the 217-gigabyte leak, indicates otherwise. Sexual misconduct allegations involving both students and teachers, children鈥檚 special education records and their vaccine histories were posted online after Providence Public Schools did not pay the cybercriminals鈥 $1 million ransom demand. 

    The district鈥檚 failure to acknowledge that students鈥 records had been exposed 鈥 even after being informed otherwise by 蜜桃影视 鈥 means that parents and students were likely unaware that their private affairs had entered the public domain. 

    In October 2024, Providence schools notified 12,000 current and former employees that their personal information, such as their names, addresses and Social Security numbers, had been compromised. But the letter never makes mention of students鈥 sensitive records. 

    In response to 蜜桃影视鈥檚 findings in mid-October 2024, a district spokesperson didn鈥檛 acknowledge that students鈥 sensitive information was compromised. He said the district 鈥渉as been able to confirm that some [of its] files鈥 were accessed by an 鈥渦nauthorized, third party,鈥 and that 鈥渟ecurity consultants are going through a comprehensive review鈥 to determine whether the leaked files contain personal information 鈥渇or individuals beyond current and former staff members.鈥 

    Meanwhile, in an unsolicited phone call to 蜜桃影视, a state education department spokesperson appeared to contradict that, saying 鈥渘o one had actually gone in to see the files.鈥 

    Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/蜜桃影视).

    Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

    A single spreadsheet lists the names of some 20,000 students and their demographic information, including disability status, home addresses, contact information and parents’ names. Another contains information about their race and the languages spoken at home.

    A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents reveals a fifth-grade teacher’s request – and denial – for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

    A Providence Public School District student’s vaccine record. 蜜桃影视 cropped the photo above to remove the student’s name. (Screenshot)

    In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

    Following an investigation published by 蜜桃影视 and in October, the district to families acknowledging that students’ personal information, such as vaccine records and special education details, were exposed in the attack.

    In response to an inquiry from 蜜桃影视, a district spokesperson said in a November statement that educators remain “committed to transparency and the security of personal information.”

    “During these types of incidents, districts typically start with limited information on what occurred and then gain more information over the course of the investigation,” the statement continues. “As we navigated the initial uncertainty of the situation, PPSD prioritized taking real-time action and communicating with all stakeholders as we gathered more information.”

    Kept in the Dark: Inside the St. Landry Parish Schools Ransomware Attack /article/kept-in-the-dark-inside-the-st-landry-parish-schools-ransomware-attack/ Mon, 24 Feb 2025 11:30:00 +0000 /?post_type=article&p=740335

    Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes – and subsequent data breaches – have played out in your own community. Here’s what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana.

    The school district in Louisiana’s St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack – long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general’s office.

    A December 2023 investigation by 蜜桃影视 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack. 



    Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status.

    Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online. 

    “They want to brush everything under the rug,” said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. “The districts don’t want bad publicity.”

    Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary. 

    After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district’s supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws.

    The front entrance of the St. Landry Parish School Board’s central office. (The Acadiana Advocate)

    “We never received reports of the actual information that was obtained,” she said in November 2023. “All of that is under investigation. We have not received anything in regards to that investigation.”

    Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general’s office was on the phone with the district, questioning them “directly in response to the article” and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal.

    Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark.

    Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

    School board attorney Courtney Joiner responded a day later to the attorney general’s office, saying they were working “to address the notice issue without further delay.”

    In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their “sensitive information may have been obtained by an unknown malicious third-party,” records show. Officials didn’t send a formal notice to the AG’s office until Jan. 10, 2024.

    Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter “well after the fact” she and her colleagues had been victimized.

    “I really thought it was too little, too late,” she told reporters. “This should have happened much earlier.”

    School officials couldn’t be reached for comment for this story.

    This story was supported by a grant from the Fund for Investigative Journalism.

    Kept in the Dark: Inside the Minneapolis Schools Cyberattack /article/kept-in-the-dark-inside-the-minneapolis-schools-cyberattack/ Mon, 17 Feb 2025 13:30:00 +0000 /?post_type=article&p=740123

    Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes – and subsequent data breaches – have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

    Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened.



    The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin.

    Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by 蜜桃影视 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.”

    The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security.

    Threat actors with the ransomware gang Medusa – known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme – took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports.

    Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised – and waited months to notify breach victims directly by letter.

    The district didn’t respond to requests for comment.

    As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

    An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by 蜜桃影视. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack.

    “The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.

    A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by 蜜桃影视 through a public records request, provides an early account of the incident. (Screenshot)

    Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly.

    “Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to 蜜桃影视’s request for comment.

    Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions.

    The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.”

    Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

    In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom – a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by 蜜桃影视, include confidential and highly sensitive records about individual students and teachers.

    It wasn’t until September 2023 – seven months after the attack – that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July – a month and a half before officials notified victims.

    “Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

    As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    This story was supported by a grant from the Fund for Investigative Journalism.

    Cyberattacks: How Schools Cover Up Data Breaches /article/cyberattacks-how-schools-cover-up-data-breaches/ Mon, 10 Feb 2025 19:01:49 +0000 /?post_type=article&p=739756
    Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks /article/kept-in-the-dark-inside-a-trio-of-los-angeles-school-cyberattacks/ Mon, 10 Feb 2025 13:30:00 +0000 /?post_type=article&p=739724

    Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes – and subsequent data breaches – have played out in your own community. Here’s what we uncovered about America’s second-largest school district.

    The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online.

    Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records – and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view.



    The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records.

    Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.”

    Los Angeles schools Superintendent Alberto Carvalho (Getty Images)

    “We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses.

    An investigation by 蜜桃影视 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations – including those of 60 current students – had been uploaded to the dark web.

    In a statement to 蜜桃影视, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”

    Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told 蜜桃影视. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.

    “It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”

    While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022 that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records.

    Carl Petersen, who served on the committee at the time, told 蜜桃影视 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities.

    “At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,’” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate.

    In January 2023 – four months after the attack – L.A. school officials acknowledged in that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised .

    The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.”

    蜜桃影视 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure.

    A week after it was discovered, the school board to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.”

    ‘Shared with the world’

    In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.

    Homeland Security Secretary Alejandro Mayorkas, Education Secretary Miguel Cardona, and First Lady Jill Biden depart a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

    “If we want to safeguard our children’s futures, we must protect their personal data,” she said at the first-ever K-12 cybersecurity summit. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

    Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

    Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.

    “I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

    As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate – they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen.

    An inspector general’s office audit highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online.

    The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System – the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs.

    Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.”

    The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.”

    One district, three breaches

    Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected.

    Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag.

    The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised.

    The district denied a public records request by 蜜桃影视 seeking information related to the incident, saying that certain files were protected by attorney-client privilege.

    The incident doesn’t appear in a California attorney general’s office database of data breaches.

    This story was supported by a grant from the Fund for Investigative Journalism.

    The Story Behind the Story: How I Investigated More Than 300 Cyberattacks /article/the-story-behind-the-story-how-i-investigated-more-than-300-cyberattacks/ Sat, 08 Feb 2025 13:30:00 +0000 /?post_type=article&p=739707

    School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

    It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district – and the leak of thousands of highly sensitive student mental health records – that set me off.

    Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang.

    And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday and supported by a grant from the .

    What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers – the real victims of the hacks and subsequent data breaches – in the dark.

    I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials – sometimes even after their students’ and employees’ personal information had already been published.

    My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks – and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation.

    The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them – but to protect schools from them.

    School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

    K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss.



    Emotional support

    This story was brought to you with invaluable editing and guidance from 蜜桃影视’s Kathy Moore.

    And Matilda.

    Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden /article/kept-in-the-dark/ Tue, 04 Feb 2025 09:01:00 +0000 /?post_type=article&p=736756

    This article is published in partnership with

    Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 蜜桃影视 shows. 

    An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

    In more than two dozen cases, educators were forced to backtrack months – and in some cases more than a year – later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

    Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

    The hollowness in schools鈥 messaging is no coincidence. 

    That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

    The attorneys, often employed by just a handful of law firms – dubbed  by one law professor for their massive caseloads – hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

    The result: Students, families and district employees whose personal data was published online – from their financial and medical information to traumatic events in young people’s lives – are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

    Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

    In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 – a 70% year-over-year surge, making it "the worst ransomware year on record for education."

    Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers – often called breach coaches – arrive on the scene.

    “There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 蜜桃影视. “What breach coaches try to do is push right up to that line – and sometimes they cross it.”


    When breaches go unspoken

    蜜桃影视’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

    Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

    蜜桃影视 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

    Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

    In many instances, 蜜桃影视 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

    Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 蜜桃影视 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

    Education leaders who responded to 蜜桃影视’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

    In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

    Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

    “But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, ‘We’re not paying,’” the ransom.

    “All right, well, negotiation is over,” Levin said. “You need to come clean.”

    Records obtained by 蜜桃影视, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

    Confidentiality is king

    The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

    This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

    The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

    Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

    The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

    “Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 蜜桃影视 through a public records request. School districts routinely denied 蜜桃影视’s requests for cyberattack information on the very same grounds of attorney-client privilege.

    Records obtained by 蜜桃影视 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

    In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

    Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

    During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

    “What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

    It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

    “Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 蜜桃影视.

    Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

    Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

    “The wording in notices is disheartening,” Strauss told 蜜桃影视. “It’s almost like revictimization.”

    Who’s in charge

    Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

    In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

    “ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

    The district called it “irregular activity” instead.

    In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 蜜桃影视 identified instances where police took a secondary role.

    In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

    In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

    Biden's Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

    “This is a troubling practice that must end,” she wrote.

    Records obtained by 蜜桃影视 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

    If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

    But he was quick to defer to the district and its lawyers.

    William Tedford, now the Somerset police chief. (Facebook)

    “There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

    While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

    “The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 蜜桃影视. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

    Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

    Many districts told 蜜桃影视 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 蜜桃影视 — one where the public did not learn what had fully happened until long after the attack.

    When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

    Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

    Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

    When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

    Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

    “In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

    District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

    Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

    Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

    He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

    “We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 蜜桃影视. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

    The breach coach

    Breach notices and other incident response records obtained by 蜜桃影视 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

    Some call him a breach coach. He calls himself a “quarterback.”

    After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

    When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

    “It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

    He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

    “While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

    A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

    “We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

    Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

    For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

    Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

    In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

    Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

    Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

    Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 蜜桃影视 redacted the students' faces. (Screenshot)

    Who gets hurt

    School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

    Yet files obtained by 蜜桃影视 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

    Hackers have leveraged these files, in particular, to coerce payments. 

    In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

    “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 蜜桃影视. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

    The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

    “It’s not just that you have a leak of the information,” Citron told 蜜桃影视. “But the leak then leads to online abuse and torment.”

    Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

    In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

    Blood in the water

    Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

    that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

    It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

    “It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

    By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

    about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

    The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

    A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

    The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

    Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 蜜桃影视 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

    It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

    “Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

    Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 蜜桃影视.

    This story was supported by a grant from the Fund for Investigative Journalism.

    ]]>

    This article is published in partnership with

    Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 蜜桃影视 shows. 

    An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer 鈥減rivileged investigations鈥, which keep key details hidden from the public. 

    In more than two dozen cases, educators were forced to backtrack months 鈥 and in some cases more than a year 鈥 later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

    Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

    The hollowness in schools’ messaging is no coincidence.

    That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

    The attorneys, often employed by just a handful of law firms — dubbed  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

    The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

    Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

    In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it "the worst ransomware year on record for education."

    Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

    “There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 蜜桃影视. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

    When breaches go unspoken

    蜜桃影视’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

    Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

    蜜桃影视 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

    Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

    In many instances, 蜜桃影视 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

    Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 蜜桃影视 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

    Education leaders who responded to 蜜桃影视’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

    In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

    Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

    “But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, 'We're not paying,'” the ransom.

    “All right, well, negotiation is over,” Levin said. “You need to come clean.”

    Records obtained by 蜜桃影视, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

    Confidentiality is king

    The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

    This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

    The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

    Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

    The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

    “Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 蜜桃影视 through a public records request. School districts routinely denied 蜜桃影视’s requests for cyberattack information on the very same grounds of attorney-client privilege.

    Records obtained by 蜜桃影视 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

    In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

    Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

    During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

    “What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

    It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

    “Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 蜜桃影视.

    Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

    Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

    “The wording in notices is disheartening,” Strauss told 蜜桃影视. “It’s almost like revictimization.”

    Who’s in charge

    Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

    In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

    “ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

    The district called it “irregular activity” instead.

    In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 蜜桃影视 identified instances where police took a secondary role.

    In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

    In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

    Biden's Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

    “This is a troubling practice that must end,” she wrote.

    Records obtained by 蜜桃影视 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

    If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

    But he was quick to defer to the district and its lawyers.

    William Tedford, now the Somerset police chief. (Facebook)

    “There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

    While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

    “The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 蜜桃影视. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

    Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

    Many districts told 蜜桃影视 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 蜜桃影视 — one where the public did not learn what had fully happened until long after the attack.

    When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

    Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

    Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

    When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

    Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

    “In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

    District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

    Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

    Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

    He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

    “We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 蜜桃影视. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

    The breach coach

    Breach notices and other incident response records obtained by 蜜桃影视 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

    Some call him a breach coach. He calls himself a “quarterback.”

    After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

    When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

    “It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

    He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

    “While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

    A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

    “We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

    Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

    For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

    Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

    In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

    Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

    Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

    Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 蜜桃影视 redacted the students' faces. (Screenshot)

    Who gets hurt

    School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

    Yet files obtained by 蜜桃影视 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

    Hackers have leveraged these files, in particular, to coerce payments. 

    In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

    “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 蜜桃影视. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

    The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

    “It’s not just that you have a leak of the information,” Citron told 蜜桃影视. “But the leak then leads to online abuse and torment.”

    Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

    In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

    Blood in the water

    Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

    that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

    It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

    “It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

    By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

    about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

    The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

    A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

    The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

    Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 蜜桃影视 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

    It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

    “Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

    Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 蜜桃影视.

    This story was supported by a grant from the Fund for Investigative Journalism.

    PowerSchool Got Hacked. Now What? /article/powerschool-got-hacked-now-what/ Sat, 18 Jan 2025 13:30:00 +0000 /?post_type=article&p=738647

    Were you a current or former student in the last few decades? Or a parent? Or an educator?

    If so, your sensitive data — like Social Security numbers and medical records — . Their target was education technology behemoth PowerSchool, which provides a centralized system for reams of student data to damn near every school in America.

    Given the cyberattack’s high stakes and its potential to harm millions of current and former students, I teamed up Wednesday with Doug Levin of the  to moderate a timely webinar about what happened, who was affected — and the steps school districts must take to keep their communities safe.

    Concern about the PowerSchool breach is clearly high: Some 600 people tuned into the live event at one point and pummeled Levin and panelists Wesley Lombardo, technology director at Tennessee’s Maryville City Schools; Mark Racine, co-founder of RootED Solutions; and Amelia Vance, president of the Public Interest Privacy Center, with questions. 

    PowerSchool declined our invitation to participate but sent a statement, saying it is “working to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.”

    The individual or group who hacked the ed tech giant has yet to be publicly identified.

    Asked and answered: Why have the company’s security safeguards faced widespread scrutiny? What steps should parents take to keep their kids’ data secure? Will anyone be held accountable?


    In the news

    Oklahoma schools Superintendent Ryan Walters, who says undocumented immigrants have placed “severe financial and operational strain” on schools in his state, proposed rules requiring parents to show proof of citizenship or legal immigration status when enrolling their kids — a proposal that not only violates federal law, but is likely to keep some parents from sending their children to school.

    • Not playing along: Leaders of the state’s two largest school districts — Oklahoma City and Tulsa — rebuked the proposal and said they would not collect students’ immigration information. Educators nationwide fear the incoming Trump administration could carry out arrests on campuses.

    • Walters filed a $474 million federal lawsuit this week alleging immigration enforcement officials mismanaged the U.S.-Mexico border, leading to “skyrocketing costs” for Oklahoma schools required “to accommodate an influx of non-citizen students.”

    • Timely resource guide: With ramped-up immigration enforcement on the horizon — and with many schools already sharing student information with ICE — here are the steps school administrators must take to comply with longstanding privacy and civil rights laws.


    A federal judge in Kentucky struck down the Biden administration’s Title IX rules that enshrined civil rights protections for LGBTQ+ students in schools, siding with several conservative state attorneys general who argued that harassment of transgender students based on their gender identity doesn’t constitute sex discrimination.

    Fires throw L.A. schools into chaos: As fatal wildfires rage in California, the students and families of America’s second-largest school district have had their lives thrown into disarray. Schools serving thousands of students were badly damaged or destroyed. Many children have lost their homes. Hundreds of kids whose schools burned down returned to makeshift classrooms Wednesday after losing “their whole lifestyle in a matter of hours.”

    • At least seven public schools in Los Angeles that were destroyed, damaged or threatened by flames will remain closed, along with campuses in other districts.

    Has TikTok’s time run out? With a national ban looming for the popular social media app, many teens say they’re ready to move on (and have already flocked to a replacement).

    Instagram and Facebook parent company Meta restricted LGBTQ+-related content from teens’ accounts for months under its so-called sensitive content policy until the effort was exposed by journalist Taylor Lorenz.

    Students’ lunch boxes sit in a locker at California’s Marquez Charter Elementary School, which was destroyed by the Palisades fire on Jan. 7. (Photo by Justin Sullivan/Getty Images)

    The Federal Communications Commission on Thursday announced the participants in a $200 million pilot program to help schools and libraries bolster their cybersecurity defenses. They include 645 schools and districts and 50 libraries.

    Scholastic falls to “furry” hackers: The education and publishing giant that brought us Harry Potter has fallen victim to a cyberattacker, who reportedly stole the records of some 8 million people. In an added twist, the culprit gave a shout-out to “the puppygirl hacker polycule,” an apparent reference to a hacker dating group interested in human-like animal characters.

    • Dig deeper: Here’s how AI is being used by cybercriminals to rob schools.

      Not just in New Jersey: In a new survey, nearly a quarter of teachers said their schools are patrolled by drones and a third said their schools have surveillance cameras with facial recognition capabilities.

      The number of teens abstaining from drugs, alcohol and tobacco use has hit record highs, with experts calling the latest data unprecedented and unexpected.




      Emotional Support

      New pup just dropped.

      Meet Woodford, who, at just 9 weeks, has already aged like a fine bourbon. I’m told that Woody — and the duck, obviously — have come under the good care of 74 reporter Linda Jacobson’s daughter.

      Trump’s School (in)Security Agenda: How the Next President Could Roll Back Students’ Rights
      /article/trumps-school-insecurity-agenda-how-the-next-president-could-roll-back-students-rights/
      Sat, 16 Nov 2024 13:30:00 +0000

      Trump’s back — and so, too, is the president-elect’s influence on policies that affect the safety and well-being of America’s students.

      Then-President Donald Trump speaks at a roundtable event in December 2018, where officials unveiled recommendations of a Federal Commission on School Safety created in the aftermath of the Valentine’s Day mass school shooting in Parkland, Florida. (Photo by Jabin Botsford/The Washington Post via Getty Images)

      From gun-toting math teachers to federal rules that decide which bathroom a kid can use, the student safety and civil rights issues that are central to the School (in)Security newsletter could be in for some major changes. 

      Here are 11:

      • The return of an architect of the family separation immigration policy during the first Trump administration.
      • An effort to end the constitutional right of citizenship for children born in the U.S. regardless of their parents’ immigration or citizenship status.
      • A rollback of civil rights and anti-discrimination protections for transgender students.
      • A shakeup at the federal government’s primary cybersecurity agency, which has taken a leading role in school cyberattack prevention.
      • Efforts to unwind bipartisan firearm restrictions approved in 2022 following the mass shooting at Robb Elementary School in Uvalde, Texas.
      • Policies that address school violence through a renewed focus on suspensions and “hardening schools” with measures like campus-based police and metal detectors.
      • Efforts to strengthen protections for students accused of sexual misconduct.
      • A promise to eliminate the U.S. Department of Education — and the potential return of policies enacted during the first Trump administration that scaled back investigations into discrimination based on students’ race, sex or religion.
      • A vice president who said school shootings — which have surged exponentially in the last decade — are a “fact of life” and that schools are “soft targets” if you are a “psycho and you want to make headlines.”
      • Efforts to reform anti-discrimination rules to remove “disparate impact” liability, including for racial disparities in school discipline.
      • Efforts to eliminate federal funds for schools that recognize students’ transgender identities and grant equal access to bathrooms and locker rooms.


      In the news

      Of a dozen candidates endorsed by the Leaders We Deserve political action committee created by school shooting survivor David Hogg, five landed victories on Nov. 5 and seven were defeated. (Eamonn Fitzmaurice/The74)

      To school shooting survivor David Hogg, Democrats’ failure to motivate voters rests on the shoulders of one constituency above all: Boomers. I recently profiled , a well-financed political action committee designed to elevate Gen Z and millennial progressives. Here’s how they fared on Nov. 5.

      Notorious swatter confesses: An 18-year-old from California has pleaded guilty to making 375 swatting calls throughout the U.S., including false police reports of school shootings and bombings.

      Federal authorities indicted two suspected cybercriminals accused of breaking into a cloud computing platform and exposing the data of major corporations and the Los Angeles school district.

      A federal judge has temporarily halted a new Louisiana law that would require public schools to display the Ten Commandments in classrooms.

      A drop in the bucket: The Federal Communications Commission said demand for a $200 million school cybersecurity pilot program far exceeded its capacity, with 2,734 applications requesting a total of $3.7 billion.

      Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/蜜桃影视).

      The Providence, Rhode Island, school district acknowledged in a letter to families that a recent cyberattack compromised sensitive student information — but only after I published  into the extent of the breach.

      ‘A culture of bullying:’ Federal authorities have opened a civil rights investigation into a New Jersey school district where school resource officers are accused of failing to protect an 11-year-old student from harassment before she died by suicide last year.

      The 28-year-old athletics director of a New York school district has been arrested in an extortion case, accused of demanding that a 17-year-old student send him sexual photos over Snapchat under a threat of exposing personal information about the minor. 




      Emotional Support

      George, the four-legged companion of education consultant David Irwin, found the perfect lobster costume for Halloween a decade ago and hasn’t looked back.

      Another School District Stumbles After Cyberattack
      /article/providence-schools-hit-by-cyberattack-yet-to-address-student-victims/
      Wed, 30 Oct 2024 18:50:08 +0000
      Providence Students’ Data Exposed in Cyberattack — District Denies Leak
      /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/
      Fri, 18 Oct 2024 10:30:00 +0000

      Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month.

      A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by 蜜桃影视 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist.

      Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records, and district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

      An analysis by 蜜桃影视 of the stolen files — posted by the threat actors to the messaging platform Telegram — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

      In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.”

      Providence Public School District documents leaked after a data breach and redacted by 蜜桃影视. (Screenshot).

      In a statement to 蜜桃影视 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

      Wégimont’s statement doesn’t acknowledge that students’ records had been compromised.

      The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told 蜜桃影视.

      “People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.”

      The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

      Javier Montañez

      Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials.

      It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday.

      “No one had actually gone in to see the files,” he told 蜜桃影视, although the district had said it was conducting an ongoing analysis.

      Providence Public School District documents leaked after a data breach and redacted by 蜜桃影视. (screenshot)

      The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said.

      Thousands of students impacted

      Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

      A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

      A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

      In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

      A Providence Public School District student’s vaccine record. 蜜桃影视 cropped the photo above to remove the student’s name. (Screenshot)

      Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

      While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

      The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

      Medusa’s many tentacles

      The Medusa attack and Providence’s response are similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

      In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by 蜜桃影视 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

      The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown.

      Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw.

      Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records.

      “While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

      Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

      This story was supported by a grant from the Fund for Investigative Journalism.

      Alabama Department of Education Targeted In Cyberattack
      /article/alabama-department-of-education-targeted-in-cyberattack/
      Thu, 11 Jul 2024 12:30:00 +0000

      This article was originally published in

      Alabama State Schools Superintendent Eric Mackey said Wednesday that the Alabama State Department of Education’s computer systems had been breached last month, and that students and employees of the department may have been affected.

      Speaking at a press conference in Montgomery, Mackey said the breach took place on June 17. According to Mackey, the department’s staff interrupted and stopped the attack.

      Mackey said that there “was no question” that it was a denial of service attack to encrypt and steal data so they need to be paid off, but said officials were “still assessing exactly which data were taken.”




      “What I would say is that to all parents, and all local and state education employees out there, they should monitor their credit, they should assume that there’s a possibility that some of their data were compromised,” he said.

      Mackey said that the department does not keep direct deposit information.

      “We do have information about which data possibly could be taken because we’re able to look and see which servers they were not able to get to in the time they were in there,” he said.

      A foreign agent may have been involved, Mackey said, but he said that he could not provide more information.

      “I shouldn’t say I’m not aware,” he said. “I’m not able to answer that.”

      According to a statement from the department, the Alabama Attorney General, the Alabama Office of Information Technology and an independent contractor are working with the department to strengthen the cyber defenses and identify which data may have been compromised.

      The statement said notification will be made to relevant parties in full compliance with laws and best practices.

      The Department has launched a dedicated landing site — — and questions and comments can be sent to databreach@alsde.edu.

      Mackey said that their websites will be down for “critical updates” beginning at 5 p.m. Wednesday evening for several hours.

      is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Alabama Reflector maintains editorial independence. Contact Editor Brian Lyman for questions: info@alabamareflector.com. Follow Alabama Reflector on and .

      School (in)Security Newsletter: Selling Stolen LAUSD Data; Parkland HS Leveled
      /article/the-school-insecurity-newsletter-hackers-hawk-stolen-lausd-files-parkland-hs-demolished-swatter-sentenced/
      Sun, 16 Jun 2024 17:01:00 +0000

      This is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.


      Last week, I set out to write a quick news hit on the  — a pilot program that will pump $200 million toward next-gen firewalls and other tools.

      But that’s when things got weird.

      I came upon a new listing on a notorious dark web forum — the Amazon for stolen data, if you will — that offered millions of files purportedly stolen from the Los Angeles Unified School District for a thousand bucks.

      LAUSD officials said they’re investigating the anonymous threat actor’s claims and a threat intelligence executive told me the district must carry out a full incident response to verify if the files are real.

      Or new.

      It isn’t déjà vu: America’s second-largest school district fell victim to a massive ransomware attack in 2022. Thousands of students’ mental health records and other sensitive files found their way to the dark web. It’s possible that the LAUSD data got a facelift of its own, with the same data repackaged to make a quick buck.

      Read more about the latest LAUSD incident — and about the FCC’s new effort to thwart similar attacks nationally — here.


      In the news

      Today in Florida, workers are set to demolish the Marjory Stoneman Douglas High School building where a gunman killed 17 people in a 2018 rampage.

      Relatives of 17 children killed during the 2022 school shooting in Uvalde, Texas, have sued state law enforcement officers who waited 77 minutes before confronting the gunman at Robb Elementary School.

      Special report: Through an unprecedented trove of dispatch call data for 852 California school addresses, reporters offer a rare look at “the vast presence of police in schools.” A third of calls “were about serious incidents that reasonably required a police presence.”

      New York lawmakers approved landmark rules that ban social media companies from using “addictive” algorithms to customize children’s feeds. Here’s a strong rundown on how the rules work.


      SWATted down: A Washington man has been sentenced to three years in prison for calling in hoax police reports in more than 20 states, including inciting false school shooting panic, leading to frantic lockdowns and massive police responses.

      First they came for the books. Next they came for the books about book bans.

      A new program in Illinois to help low-income families pay for the funeral costs of children killed by guns was designed to ease grief and financial burdens. After a year, just two families have been compensated.

      Prioritizing ‘profit over the wellbeing and safety of children’: Residential treatment companies that provide behavioral health services have put children at risk of sexual abuse and dangerous physical restraints, a new Senate committee report argues.

      First comes marriage, then comes homeroom: Missouri lawmakers failed to pass legislation that sought to prevent anyone under 18 years old from getting married, keeping in place the state’s minimum age of 16.

      A Tennessee school district where officials failed to prevent rampant racist bullying against a Black student will overhaul its anti-harassment procedures after reaching a settlement agreement with the Justice Department. Federal investigators found the student’s classmates passed around a drawing of a Ku Klux Klansman, added him to a bigoted group chat and sold him to white peers in a mock “slave auction.”

      New York City school bathrooms could soon have “vape sensors” following a court settlement with tobacco company Juul that’ll direct $27 million to the city’s schools to combat youth vaping.


      Research & advocacy

      ‘New Jim Code’: Federal officials have failed to deter the civil rights harms that artificial intelligence in schools poses to students of color, a new report argues.


      DACA recipients are more likely than migrants without deportation safeguards to ask the police for help, suggesting the program increases engagement with police and reduces fear among crime victims.





      Emotional support

      I promised you a new pup. I bring you a new pup. 

      Sinead, editor Kathy Moore’s new emotional support companion, surveys her domain.

      Louisiana School District Notifies Data Breach Victims After News Investigation
      /article/louisiana-data-breach/
      Wed, 29 May 2024 10:30:00 +0000

      This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

      Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months — long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General’s Office to contact the district and warn school officials of their obligations.

      The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request.




      They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general’s office was on the phone to the school district. The attorney, focused on consumer protection, questioned them “directly in response to the article,” one email states.

      The Dec. 4 investigation, co-published by The Advocate and 蜜桃影视, contradicted school district assertions that no sensitive student, employee or business owners’ information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months.

      L. Christopher Styron, the lawyer with the state attorney general’s office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry’s data breach response obligations under state law — rules that school officials had failed to follow.

      Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

      The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers it alerted victims that their information had been compromised. It’s unclear how many victims among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach.

      The school board’s attorney Courtney Joiner wrote in a response email to Styron a day later that he was “working with the School Board to address the notice issue without further delay.”

      In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that “sensitive information may have been obtained by an unknown malicious third-party,” according to the records. Officials didn’t send a formal notice to the attorney general’s office until Jan. 10, a day after The Advocate filed its public records request.

      Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail “well after the fact” that she had been victimized.

      “I really thought it was too little, too late,” she said. “This should have happened much earlier.”

      Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

      It took the district 149 days after the breach to tell victims they “may have been impacted by the incident” and another 19 to formally notify the attorney general.

      The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

      Officials with the school board declined to answer any questions for this story. A list of written questions was submitted but officials had yet to respond by the time of publication. The attorney general’s office didn’t respond to interview requests.

      St. Landry’s response resembles that of school districts across the country, investigative reporting by 蜜桃影视 has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat’s impact on students and teachers, education leaders nationwide have sought to downplay the attacks’ severity and obscure any subsequent harm to individuals.

      James Lee, the chief operating officer of California-based said the delay by St. Landry officials is “reflective of a problem we have” nationally where cyberattack victims have grown increasingly resistant to filing breach notices.

      “In many instances, it’s because the decision to issue a notice resides 100% with the organization that loses control of the information,” Lee said. “Highlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they’re at risk.”

      ‘For reasons that are unknown’

      In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn鈥檛 contain any sensitive employee or student information.

      But 蜜桃影视鈥檚 data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status. 

      Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

      In its letter to the AG鈥檚 office, the district stated that the stolen files had been 鈥渞ecovered.鈥 However, a check by 蜜桃影视 last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don鈥檛 pay to keep them private. 

      Superintendent Batiste wrote in that Jan. 10 notice that the district鈥檚 computer network had been encrypted by 鈥渁 malicious person or group鈥 in July but that St. Landry had never received a ransom demand. 

      Yet, among the cache of district documents available on Telegram is a text file titled 鈥淟OOK!!!!,鈥 which includes a link to Medusa鈥檚 dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa鈥檚 Telegram channel and to a website designed to resemble a technology news blog 鈥 a front of sorts 鈥 with a video highlighting the St. Landry records in its possession. 

      It was in August 2023 that the Louisiana State Police Cyber Crime Unit notified school officials that “an unknown number of files containing sensitive information” had been compromised, the letter states. That same month, Batiste had assured the public otherwise.

      Files posted to a Medusa leak site “were recovered by the Cyber Crime Unit” with the state police, Batiste’s letter continues, “but, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6” — two days after the newspaper investigation published.

      ‘How do you recover it?’

      The cybercriminals behind the St. Landry breach employed “double extortion,” a growing ransomware strategy where hackers break into a victim’s computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet.

      In asserting to reporters last year that the Medusa hack didn’t lead to a breach of sensitive information — despite overwhelming evidence that it had — district officials acknowledged they hadn’t taken any steps to understand the scope of what was stolen or to notify individual victims.

      Byron Wimberly, the district’s computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools — even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information.

      Tricia Fontenot, the district’s supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all.

      “We never received reports of the actual information that was obtained,” Fontenot said. “All of that is under investigation. We have not received anything in regard to that investigation.”

      Fontenot’s statement contradicts Batiste’s timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20.

      Reached by phone last week, Fontenot declined to comment.

      The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by “an unknown malicious” threat actor but isn’t explicit to recipients about whether their information was included.

      It remains unclear how many of the thousands of data breach victims identified in the news outlets’ investigation — including teachers, staff, students and sales tax filers from across the country — received the Dec. 21 notice.

      The data breach letter states that victims were being notified months after the incident because “the process of obtaining and then reviewing the acquired files took several months.”

      “We are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,” the letter states, acknowledging that stolen information contains individuals’ names, addresses, birth dates, Social Security numbers and driver’s licenses.

      Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

      Louisiana’s data breach notification law doesn’t apply to some types of sensitive files exposed in the breach, such as student disciplinary records.

      School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn’t exist and state requirements vary.

      School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

      “In fact, I don’t think I’ve ever heard of that kind of arrangement,” he said. “Most organizations do hire their own cybersecurity experts whether it’s a school district or it’s a nonprofit or a commercial entity.”

      Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

      While the district offered a year of credit monitoring — a common practice after entities suffer data breaches — Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever.

      “How do you recover it once it’s out there?” she said. “Do you tell the people who got it illegally that you have to take it down and hope they do?”

      This story was supported by a grant from the Fund for Investigative Journalism

      Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
      /article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
      Fri, 02 Feb 2024 11:01:00 +0000

      A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

      In response to an inquiry by 蜜桃影视, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

      “We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.”

      Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

      Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,’ withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

      Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.

      Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.

      vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.

      The situation could have grown far more dire without Fowler’s audit.

      “The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with 蜜桃影视. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

      David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.”

      “Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.”

      ‘Maybe this is a pattern’

      Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

      Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

      Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.

      Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.”

      Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors.

      Countering Raptor’s claims that data were encrypted, Fowler told 蜜桃影视 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser.

      Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.

      Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.”

      A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

      “How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.”

      State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.

      Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

      Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 蜜桃影视 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

      “I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.”

      ‘Sweep it under the rug’

      The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.

      The forum’s decision to remove Illuminate followed an article in 蜜桃影视, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations.

      The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

      Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said.

      “Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 蜜桃影视 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

      After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar.

      Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided 蜜桃影视 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.

      Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside.

      “Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.”

      Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe.

      Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

      “Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”

      Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 蜜桃影视.

      Louisiana District Failed to Notify Thousands of Leaked Info After Cyberattack
      /article/thousands-of-louisiana-teachers-and-students-had-their-information-leaked-after-cyberattack-but-were-never-notified/
      Mon, 04 Dec 2023 11:01:00 +0000

      This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

      It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked.

      Now, she’s left to wonder whether the two are connected.

      Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by 蜜桃影视 and The Acadiana Advocate revealed. The reporting included a data analysis by 蜜桃影视 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 


      The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

      Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

      The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

      “They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

      The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

      Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

      A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

      and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered.

      Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark.

      The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims.

      In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays.

      Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

      Spreadsheets that listed St. Landry Parish students with their personal information were uploaded to Telegram following the cyberattack. (Screenshot)

      As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

      “Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

      ‘Double extortion’

      Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

      The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

      The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

      Superintendent Milton Batiste III (Brad Kemp/The Acadiana Advocate)

      A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists.

      The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit.

      Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

      One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach.

      “If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.”

      She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

      District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

      Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

      “We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

      The board, Fontenot said, decided to “trust the process.”

      As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals, not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

      Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

      “You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

      However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop.

      The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

      Records leaked following the St. Landry Parish School Board hack include sensitive information for thousands of current and former teachers, along with information about their children. (Screenshot)

      The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths.

      Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

      Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

      Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes.

      Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

      An income tax return is among the thousands of sensitive files uploaded to the internet after a cyberattack hit the St. Landry Parish School Board. (Screenshot)

      Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.”

      “I feel like I should have gotten a more formal notification about this,” Lyons said.

      ‘A soft target’

      The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

      Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

      It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

      While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years.

      “Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.”

      Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

      “They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link.

      “It’s a question of them throwing their fishing hook in the barrel — and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.”

      When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

      ‘A cause of action’

      Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

      “I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

      The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.

      The school district has a duty to protect any private information it collects, Edwards said, and is both legally and ethically obligated to notify breach victims.

      About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

      Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said.

      Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries are valuable to criminals who carry out a type of identity theft known as “ghosting.”

      ‘The hacker of today’

      People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

      “It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

      Birth certificates and other personal files were uploaded to the internet in the wake of a cyberattack on the St. Landry Parish School Board. (Screenshot)

      It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

      A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

      The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry Parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed.

      Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

      But St. Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director.

      “That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves.

      “But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

      This story was supported by a grant from the Fund for Investigative Journalism.


      ]]>
      Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone /article/why-a-new-type-of-cyberattack-on-las-vegas-schools-should-worry-everyone/ Wed, 08 Nov 2023 11:15:00 +0000 /?post_type=article&p=717454 It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met.

      “I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep.

      “Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”


      Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

      “I put my child on the bus and then immediately called the district,” Hecht told 蜜桃影视. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

      The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, are already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records.

      Schools nationwide rely heavily on Google Workspace to create and share records, and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them.

      “This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

      Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

      For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

      Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

      When contacted by 蜜桃影视, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement.

      Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with 蜜桃影视, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores.

      In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.”

      Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.”

      A hack with TikTok origins

      Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

      In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage.

      For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform.

      Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files.

      “Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

      Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.”

      The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

      Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

      Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public.

      “It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.”

      Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.”

      He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing.

      In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack.

      With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level.

      Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told 蜜桃影视. She said the student’s email address was used to send four emails, which were then deleted.

      “We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.”

      Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said.

      “Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.”

      Reputational damage

      For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

      In 2021, of numerous news reports when she contracted COVID and never recovered. 

      Brandi Hecht

      “The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators.

      “I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

      Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.”

      “We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told 蜜桃影视.

      Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

      In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

      “As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said.

      The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.”

      Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

      “It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

      ]]>
      How Ed Tech Tools Track Kids Online — and Why Parents Should Care /article/how-ed-tech-tools-track-kids-online-and-why-parents-should-care/ Fri, 22 Sep 2023 11:15:00 +0000 /?post_type=article&p=715160 As technology becomes more and more ingrained in education — and as students become increasingly concerned about how their personal information is being collected and used — startling new research shows how schools have given for-profit tech companies a massive data portal into young people’s everyday lives.

      , led by researchers at the University of Chicago and New York University, highlights how the scramble to adopt new technologies in schools has served to create an $85 billion industry with significant data security risks for teachers, parents and students. The issue has become particularly pervasive since the pandemic forced students nationwide into remote, online learning. 

      Students’ sensitive information is increasingly leaked online following high-profile ransomware attacks and user data monetization is a key business strategy for tech companies, including those that serve the education market, like Google. Yet student privacy is rarely a top consideration when teachers adopt new digital tools, researchers learned in interviews with district technology officials. In fact, schools routinely lack the resources and know-how to assess potential vulnerabilities.


      Such a reality could spell trouble: In an analysis of education technologies widely used or endorsed by districts nationwide, researchers discovered privacy risks abound. The analysis relied on , a privacy inspector tool created by the nonprofit news website The Markup which scours websites to uncover data-sharing practices. Those include the use of cookies that track user behaviors to deliver personalized advertisements. Analyzed education tools, they found, make “extensive use of tracking technologies” with potential privacy implications.

      Most alarming to the researchers were the 7.4% that used “session recorders,” a type of tracker that documents a user’s every move.

      “Anyone visiting those sites would have their entire session captured which includes information such as which links they clicked on, what images they hovered over and even data entered into fields but not submitted,” the report notes. “This could include data that users might otherwise consider private such as the autofilling of saved user credentials or social network data.”

      蜜桃影视 caught up with report co-author Jake Chanenson, a University of Chicago Ph.D. student, to gain insight into the report’s findings and to understand why he believes that parents and students should be concerned about how ed tech companies collect, store and use their personal data.

      The conversation has been edited for length and clarity. 

      Why did remote learning pique your interest in digital privacy and what are the primary implications that worry you? 

      Remote learning can be done well but we all had to get to it very quickly without a plan because we all suddenly got thrown at home because of the global pandemic. Suddenly schools had to scramble and find new solutions to reach their students, to educate their students, without being able to test the field, to think critically about it. They really were, with shoestring and gum, trying to keep their classes together. 

      Whether you were in school, whether you were at work, whether you were at neither and still just trying to keep in touch with your friends, you were using anything that came your way because that’s what you had to do. I found that really interesting — and a bit concerning. It’s no one’s fault because we don’t understand the ramifications of these technologies and now that we’ve used them a lot of them are here to stay.

      I don’t want to sound like some sort of demonizing figure saying that all tech is bad — that is certainly not the case. It’s merely the fact that sometimes these promises are oversold, and now we have this added element of data privacy.

      When you interact with any of these platforms, tons and tons of student data — from how you interact with it, how well you do on their assignments, when you do it, if you’re a chronic procrastinator, if you’re always getting your work done, if you seem more interested in your art class than your math class. These are all data points collected by these companies and I wanted to know, ‘What is it they’re collecting? What are they doing with it,’ and, specifically for this study, ‘What are schools thinking about in this space if anything at all?’

      This study took a two-pronged approach. You conducted surveys with experts in this space and then used technology to identify information that folks might not be aware of. Let’s discuss the surveys first. How did the school administrators and district technology officials you interviewed view privacy issues?

      Lots of them knew that something wasn’t quite up to snuff in their security and privacy practices.

      The best security and privacy practices that I saw in these school districts were entirely because someone, usually in the IT department, had an independent interest in student privacy. They were going above and beyond what their job descriptions required because they cared about the students.

      That’s not to imply that school officials don’t care about the kids — they care about them very much — but they’re so busy making sure the lights are on and making sure there are teachers for the classrooms, dealing with discipline issues, dealing with staffing concerns. They’re not necessarily focused on data privacy and security.

      Your research takes a unique approach to show the real-world impacts of education technology on student privacy. You identify that some of these tools raise significant privacy implications. How did you go about that?

      We looked at the online websites of educational sites and tried to understand, what are the privacy risks here? What we found is that 7.4% of all these websites had a session recorder, which records everything you do when you’re interacting with a web page. How long you hovered over a certain element, how often you scrolled, what you clicked on and what you didn’t click on.

      That’s a scary amount of data collection for something that’s normally an education site. On top of that we found a high prevalence of cookies and other types of trackers that were being sent to third-parties, basically advertising networks, that were taking that data to track these students across the web. As a student, even while I’m doing my work, they’re creating an ad profile of me that not only encompasses who I am as a consumer in my spare time, but who I am as a student inside of school for this more comprehensive picture of who I am to sell me ads.

      That could be upsetting to somebody who thinks that what I’m doing in school is only the business of me and the teacher, my parents and the principal.

      Why would an education technology company use a session recorder? 

      We were able to identify that these trackers, like session recorders, were running on these websites, but we don鈥檛 have any idea what they鈥檙e recording, which is a project that we鈥檙e currently working on and trying to understand. 

      I can’t make any well-grounded assumptions to what this is being used for, whether it be nefarious or benign. It鈥檚 not uncommon for a session recorder to be used for diagnostic information for a technology company if they want to understand how their users use a site so they can improve it. That’s a legitimate use of one of these session recorders, but without knowing what data they collect, it could be that they鈥檙e collecting data that isn鈥檛 strictly relevant to improving the service or are over-collecting data in the guise of improving the service and retaining it for future use. 

      There are, of course, but I won鈥檛 speculate on that because I don鈥檛 have definitive proof that鈥檚 what鈥檚 happening. 

      Why should people care about districts鈥 technology procurements? School districts are using a huge swath of digital tools, some from Google and some from tiny tech companies. If school leaders aren鈥檛 putting privacy at the forefront of deciding which tools to use, what concerning outcomes can come from that? 

      There are several concerning outcomes, the first being that the data these companies collect don鈥檛 necessarily sit on their servers. They sometimes are sold to third parties. Some companies state third parties ambiguously and others list out who they are selling it to and why. 

      Just on a normative basis, I think that what you do in the classroom shouldn鈥檛 be harvested and sold, especially when many of these companies are raking in somewhere between five- and seven-figure contracts to license this technology. It鈥檚 not like they don鈥檛 have other sources of income, but the things they can take from students can be incredibly alarming: Information about socioemotional behavior, so if I act out in school, if I am in trouble for something that鈥檚 happening at home or I鈥檓 bullying another student, that data is collected by a specific service and that data is held somewhere. And of course, when you hold data, it鈥檚 a security risk. 

      There was a big breach in New York City where hundreds of thousands of students had their personal information leaked because a company was holding onto all of this data. It was leaked to hackers who got that data and can do who knows what with it. That’s a huge privacy violation. Some of the things they stole in that particular breach were names, birthdays and standard things you can use to commit identity fraud, which is a problem. But it can also be more sensitive stuff, such as [special education] accommodation lists or if you qualify for free lunch. There’s stuff about disability or your economic status, stuff that is all collected by these ed tech companies and held somewhere.

      Learning management systems have incredible amounts of metadata. ‘Are you someone who procrastinates and only finishes an assignment one minute before it’s due? Did you do it early? Are you someone who didn’t do the reading but showed up to class anyway? Are you someone who took 10 times to get this quiz right or did it only take you one time’

      These data are recorded and are available for teachers to see, but because teachers can see it, it’s sitting on a server somewhere.

      Because they’re being stored somewhere and they are not being deleted regularly and these companies are not following data minimization principles, it’s a potential privacy risk for these students should another breach happen, which we’ve seen happen again and again and again.

      Breaches have affected sensitive student information. In her book Danielle Citron argues for federal rules that would protect intimate privacy as a civil right. Why are such rules needed and how would they work in an educational context? 

      There are certain types of information, like nonconsensual disclosures of intimate images, so-called revenge porn. I think you can make a straight analogy for student data. Just as there should be a zone of intimate privacy around your personal intimate life, your sexuality, whatever else, we should have a similar zone around your educational life. 

      Education is a space where students should be able to learn and make mistakes, and if you cannot make those mistakes without being recorded, then that can have repercussions for you later. If you’re not perfect on your first try and someone gets a hold of that, I could see that affecting your college admissions or that could affect an employment record. If I am someone who wants to hire you and I have a list of every student in a school that turns in their assignments early and all of these people were either habitually late or always procrastinating then obviously I’m going to be more interested in hiring the worker that turned stuff in early. But what that list might not tell you is that it was one data point in eighth grade and that one of those students when they were in high school finally got on top of their executive dysfunction and started turning things in on time.

      It’s ultimately nobody’s business how you do in the classroom. You have final grades, but those fine-grained data are nobody else’s business but yours and the teacher’s. You have a safe space to learn and grow and make mistakes in the educational environment and to not be penalized for them outside of that classroom.

      ]]>
      It’s Back to School for Cyber Gangs, Too /article/its-back-to-school-for-cyber-gangs-too/ Thu, 14 Sep 2023 11:15:00 +0000 /?post_type=article&p=714614 As a new academic year begins, a school district in an affluent Washington, D.C., suburb is rolling out stringent security measures, including metal detectors and a clear backpack mandate, to keep danger from entering its buildings.

      Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security – one carried out completely online.

      Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system – among the nation’s 20 largest – joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs.




      “Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks.

      In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggests they date back two decades.

      Data purportedly stolen from the school district in Prince George’s County, Maryland, was uploaded to the Rhysida ransomware gang’s dark web leak site Tuesday after the school system fell victim to a cyberattack. (Screenshot)

      The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by 蜜桃影视 of the cyber group’s dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S.

      In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

      At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

      “Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by 蜜桃影视. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.”

      Educators with the Lower Yukon School District received this ransom note after NoEscape threat actors carried out a ransomware attack on the school system this summer. (Screenshot)

      Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work.

      Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards.

      Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told 蜜桃影视 the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

      “It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.”

      This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches.

      With “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

      There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard.

      “With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

      Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

      “Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

      The Rhysida ransomware gang’s extortion efforts against the school district in Prince George’s County, Maryland, were “temporarily suspended” for several days, suggesting that negotiations were ongoing. (Screenshot)

      ‘Exclusive, unique and impressive’

      Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site.

      Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions.

      A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.”

      The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.”

      “We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

      Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told 蜜桃影视, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

      “There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.”

      The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

      “This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.”

      Ransomware’s long tail

      Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington – a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January.

      Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to 蜜桃影视. 

      It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions – especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said.

      “We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.”

      The school district in Edmonds, Washington, was recently listed on a cyber crime gang’s leak site, but the school system denies it was the victim of a recent ransomware scheme. (Screenshot)

      Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses.

      Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details.

      On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid.

      In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records.

      “Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack.

      The documents were Minneapolis Public Schools’s first public comments on the attack since April 11.

      Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

      “Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, is disclosed.

      “A lot of times schools are reactive rather than proactive,” she said. If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”


      ]]>
      Iowa Community Colleges Allocate Time, Money to Combat Cybersecurity Threats /article/iowa-community-colleges-allocate-time-money-to-combat-cybersecurity-threats/ Fri, 25 Aug 2023 13:30:00 +0000 /?post_type=article&p=713755 This article was originally published in

      Des Moines Area Community College is a harder target for cyberattacks and scams than it used to be, President Rob Denson said, but it takes constant effort and vigilance to stay that way.

      He and his staff will receive fake attachments, fraudulent messages from people claiming to be coworkers and applicants with intentions of taking financial aid and running rather than attending classes almost every day, despite best efforts to head them off.

      “Threat actors are always looking for you to let down your guard,” he said.




      In efforts to keep campus safe, some Iowa community colleges are having to put increasingly more time, manpower and money toward cybersecurity efforts.

      Aaron Warner, CEO of cybersecurity company ProCircular, said community colleges are targets for bad actors because they house a lot of sensitive information, their student populations see continuous turnover, and they’re made to be as accessible as possible.

      The often-chaotic time just before school starts is also utilized by cybercriminals, as faculty and staff are busier and less likely to catch suspicious emails or other activities.

      “It’s an unfortunate byproduct of the fact that they’re a community organization,” Warner said. “They are designed to interact as best as possible with the community. Bad guys take advantage of that.”

      When the COVID-19 pandemic forced employees to work from home, Warner said the opportunities to conduct cyberattacks expanded. Gone was the castle-and-moat style of keeping sensitive information on one secure network as data was transferred onto home computers and laptops. The risk of a successful cyberattack or intrusion didn’t so much rise as become more distributed, he said.

      DMACC and Iowa Central Community College have already faced in real time what ProCircular simulates for training – a breach in cybersecurity. Iowa Central Community College was hacked in 2018, and DMACC saw a breach in 2021.

      Both colleges amped up security efforts in response, which they still keep up today.

      Colleges work to stop ‘ghost student’ scam

      One problem DMACC has worked to curb is “ghost students,” or applicants who use fake or stolen identities to seek financial aid. Denson said the college started seeing more fraudulent applications around two years ago, coming in groups from certain areas in different states and filing for loans without any intent of actually attending classes.

      For around a year, DMACC staff have been calling every applicant to confirm their identity before putting their information into the system, Denson said. While this practice has cut down on ghost student applications, it’s not the easiest task to undertake.

      In fall 2022, DMACC admitted more than 1,600 full-time, first-time students. Admissions staff and recruiters called each applicant and recorded the confirmation of their identity in the DMACC system – a time-consuming process, Denson said, as many students aren’t easy to reach over phone or email.

      “It’s a terrible use of time, it’s not the best use of their skills, but it’s something we’ve got to do,” Denson said. “What we don’t want to do is get a fraudulent app inside of our learning management system.”

      At its peak in late July 2022, Denson said the college was receiving around 15 fraudulent applications a day. Since implementing this practice, Denson said that number has decreased significantly, but one or two a day still pop up.

      Denson said the amount of time and manpower needed to verify so many applicants pulls people away from their other work.

      “We would rather have recruiters out recruiting and advisors talking to students about their career, rather than verifying somebody’s identity,” he said.

      In order to lower the risk of a fake student infiltrating Iowa Central Community College’s systems, President Jesse Ulrich said staff purges all records of inactive students – those who applied but never signed up for classes or interacted with the college in any way – every semester.

      Cybersecurity is costly

      Staff and faculty at both community colleges receive training on how to spot and report phishing, and receive random test phishing emails. Iowa Central Community College has members of its IT team dedicated to servers and infrastructure, and DMACC has a cybersecurity expert on retainer.

      Security software, training and insurance all require funds, Ulrich said, which could be used in other areas of the college.

      “Anytime you are putting more resources into cybersecurity, whether that’s through people, software, paying more for insurance; all of those things pull from the general fund or other areas of our funds to be able to really meet the core purpose of community colleges,” Ulrich said.

      Both colleges have cyber insurance; Denson said the college’s annual insurance cost is five times what it was, and the deductible has doubled.

      Even divulging details on its cybersecurity insurance could put the college at risk, Ulrich said, as threat actors will look through public records to determine how well-insured schools are and use that in attacks.

      “It’s kind of a lose-lose situation for higher ed when we’re put in that situation,” he said.

      However, having these safeguards isn’t really a choice, Denson said – it’s a necessity, and one that isn’t going away soon.

      According to SonicWall’s 2023 , educational institutions were cyber criminals’ top targets for malware attacks. At the recent annual Community Colleges for Iowa conference, Ulrich said cybersecurity was among the top 10 challenges facing higher education today.

      ProCircular works with more than just community colleges to evaluate cybersecurity efforts, but the leaders at colleges Warner has met are among the most understanding of the issues and how to tackle them, he said. Much of the company’s training involves ensuring people know what to look for, how to respond in the event of a breach and helping them allocate resources in the right areas.

      U.S. Rep. Zach Nunn introduced in April to help curb cyber attacks against K-12 schools by increasing available resources, expanding cyber attack prevention information sharing and improving national tracking of cyber attacks. While no bills targeting cybersecurity in higher education have been introduced, a spokesperson for Nunn’s office said they are working with as many entities as possible to help tighten cybersecurity across the board.

      Community Colleges for Iowa Executive Director Emily Shields said there has been interest in the state Legislature in working to curb cybersecurity breaches in higher education, but many of the best practices suggested in discussions are already being practiced by community colleges.

      When it comes to funding, Shields said colleges would rather see more dollars go into general funds than specific silos like cybersecurity, as it allows them to be more flexible in allocating resources.

      The organization has worked to help keep colleges informed about cybersecurity threats and avenues to help fend off attacks, in the event one does occur, she said.

      “The conversation always is not if this is going to happen in your college, it’s when,” Shields said. “Everybody’s anticipating. You will have cyberattacks, probably plural – it’s making sure you’re ready for that.”

      is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on and .

      ]]>