Cybersecurity – 蜜桃影视
America's Education News Source
Thu, 13 Nov 2025 20:19:37 +0000

Opinion: Teens are Hacking School Systems. Let’s Teach Them to Protect Communities Instead
/article/teens-are-hacking-school-systems-lets-teach-them-to-protect-communities-instead/
Fri, 14 Nov 2025 13:30:00 +0000

In July, a group of teenagers hacked an educational technology company that serves thousands of school districts across the United States. Two months later, they told the company, their peers and policymakers how they did it and why it was a good thing for them, the company and our country.

No, you’re not experiencing déjà vu. No, we’re not talking about some recent cyber incidents caused by teenagers, such as the PowerSchool data breach by a 19-year-old hacker from Massachusetts in 2024 who accessed sensitive data of more than 60 million students and 10 million teachers.




Watching PowerSchool make a comeback from such an incident made it clear that organizations can no longer afford to wait for proof that weaknesses exist. Continuous testing and engaging diverse perspectives are the best ways to stay ahead. That’s why this effort that began in July was intentionally designed to make students part of the solution, not the problem — to transform the same curiosity and skill that might lead to hacking toward cyber defense.

After all, kids have been hacking computers, systems and schools since they’ve existed — and they’ll keep doing it. The difference now is that teenage defenders can help protect against teenage attackers.

The large-scale cyber incidents by teenagers emphasize three interconnected problems facing schools and our broader society:

First, our schools are dependent on a few key technology vendors that, if hacked, could shut down school districts across the country or lead to massive breaches of sensitive student, teacher and family data.

Second, teenage hackers who are fluent English-speakers — in loosely affiliated groups that go by names like Scattered Spider, Shiny Hunters, and Lapsus — have been behind some of the biggest cyber incidents in the past few years. They’ve hacked organizations from Caesars casinos to Snowflake to Salesloft. Even giants like Google and Microsoft haven’t been spared.

Some cyber experts have begun calling these young hackers Advanced Persistent Teenagers (or APTeens), a play on Advanced Persistent Threats (or APTs), the term used to describe sophisticated nation-state hacking groups from countries like China, Russia, Iran and North Korea. 

Ultimately, our country faces a cyber workforce challenge that most strongly impacts “target rich, cyber poor” sectors like schools, state and local governments, and small businesses that lack the funding and capacity to defend themselves against cyber threats.

With a different approach, progress can be made on all three problems — insecure tech, teenage hackers and the cyber workforce challenge — by creating an alternative pathway for teenage hackers. To make this work, edtech companies, hackers, policymakers, higher education and even high schools must provide a pathway that builds the skills the workforce needs. That includes offering the opportunity to receive immediate payment for hacking and bolstering the cybersecurity of key technologies society relies on daily.

With this in mind, in July, joined the and the to flip the APTeen challenge on its head. The goal was to promote hacking for good to secure our schools. The EdProtect Cybersecurity Research Symposium brought together teenage hackers, professional security researchers, and Skyward, a widely used edtech product, for a two-week live hacking event. 

The teenagers, college students from around the country, received support and training as they worked to find and report bugs. We know people learn best through hands-on experiences where novices can work alongside seasoned professionals and mentors, who were once teenagers too.

While live hacking events and bug bounty programs — where companies pay good-faith security researchers to find and share software bugs that can be used to hack their systems — are not new, they are rare in “target rich, cyber poor” sectors like education.

Since the nation’s 14,000 school districts rely on the same few software vendors for their critical infrastructure, efforts like this to strengthen the cybersecurity of key vendors can have a dramatic impact for millions of students, families and teachers across the country. Furthermore, these endeavors shift the burden for managing cyber risk to the companies that are best positioned to address it.

Ed Tech Co. That Provides Telehealth to L.A. Students Experiences Data Breach
/article/ed-tech-co-that-provides-telehealth-to-l-a-students-experiences-data-breach/
Thu, 14 Aug 2025 18:33:38 +0000

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students’ sensitive information in jeopardy, a disclosure to state regulators reveals.

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district’s police department. In filed with the California attorney general’s office, the company disclosed that an unspecified number of individuals’ personal information was compromised after an “unauthorized third party” accessed its computer network and the exposed files pertained to the Los Angeles Unified School District.




The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation’s second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because “there’s no question that [Kokomo is] managing exceptionally sensitive information” about campus safety issues and students’ medical information, school cybersecurity expert Doug Levin said.

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.’s back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn’t heard about the data breach before being contacted by 蜜桃影视.

“I have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?” asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. “And how deep was the breach? Obviously that would be of concern to the parents.”


, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report “suspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues” to the district’s .

That same year, L.A. schools — along with the Children’s Hospital Los Angeles and Hazel Health — to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district’s website, while Kokomo24/7’s services focus on physical health issues, including minor injuries, allergies and headaches.

In , the district describes its Kokomo24/7-managed telehealth program as an option for students “to access healthcare when not feeling well during school hours” with the supervision of a school nurse “while remaining in school and focusing on learning.”

Kokomo founder and CEO Daniel Lee lauding the company’s ability to “transform” L.A. Unified’s COVID-tracking and health data system in a year after the school system’s previous tool became “clunky, difficult to customize and expensive to maintain.” The post notes the company’s role in creating the anonymous reporting application and the district’s Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students’ mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students’ psychological evaluations had been exposed but then had to acknowledge that they were after 蜜桃影视’s investigation revealed the records’ existence on the dark web.

Los Angeles Unified Supt. Alberto Carvalho, during the official launch of the AI-powered chatbot, “Ed.” (Getty Images)

Meanwhile, the district’s rollout last year of a highly touted AI chatbot named “Ed” was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company’s founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told 蜜桃影视 AllHere’s student data security practices violated both industry standards and the district’s own policies.

The L.A. district for the chatbot bid — including Kokomo24/7 — before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told 蜜桃影视 that Ed “remains on hold.”

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars — the company was the “health and safety software provider” — United Airlines’ subsidiary United Express and Fifth Third Bank.

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students’ temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company’s website.

Kokomo24/7’s connections to the L.A. district were widely featured on the company’s website until this week. In fact, listed four foundational events, including the 2023 launch of the “anonymous reporting app for students and an emergency alert system for staff” for the L.A. district.

A quote attributed to Superintendent Alberto Carvalho appeared on the Kokomo Solutions website until this week. Multiple references to the company’s work for the district were removed from its website after it disclosed the data breach. (Screenshot)

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department’s logo. Press releases announcing Kokomo’s work with the L.A. district appear to have also been scrubbed from the internet.

The since-removed Carvalho quote called “critically important.” Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people’s ability to “relay in an anonymous way — or not — potential threats” to a student or a school.

The Los Angeles Schools Anonymous Reporting app hasn’t been universally praised, and last year filed by anti-surveillance activists who alleged the tool created “a culture of mass suspicion” and bolstered police interactions between students of color and those with disabilities.

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members “to surveil each other” on behalf of school police and to file reports that don’t require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate “suspicious activity.”

“The app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,” the activist .

School Districts Unaware BoardDocs Software Published Their Private Files
/article/school-districts-unaware-boarddocs-software-published-their-private-files/
Thu, 12 Jun 2025 18:30:00 +0000

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, 蜜桃影视 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps.

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by 蜜桃影视 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools. 

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told 蜜桃影视 Diligent began notifying all BoardDocs customers — including those who were not directly affected — on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones.


Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by 蜜桃影视 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised. 

In an interview with 蜜桃影视, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”

Nithya Das

Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to 蜜桃影视, saying, “Documents that were supposed to be set to private access were made accessible.” She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered.

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them.

“I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;” “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDoc files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.”

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts.

The National School Boards Association, which represents more than , didn’t respond to requests for comment from 蜜桃影视. On , the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.”

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by 蜜桃影视 that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month.

The record was provided to 蜜桃影视 on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,” the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to 蜜桃影视 and said the company is not required to notify impacted individuals under any state-level breach notification laws.

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements.

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told 蜜桃影视 they hadn’t received notices about the incident.


“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to 蜜桃影视. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

Pennsylvania Teachers Union Admits Cyberattack That Hit 500,000 People in July
/article/pennsylvania-teachers-union-admits-cyberattack-that-hit-500000-people-in-july/
Fri, 21 Mar 2025 18:30:09 +0000

Personal records of more than a half-million people were compromised in a cyberattack that occurred last July on the Pennsylvania State Education Association. The union acknowledged the data breach this week.

On , the state’s largest teachers union about a security data breach that occurred July 6, 2024. An investigation into the incident, completed Feb. 18, found that sensitive personal information was acquired by an “unauthorized actor” who accessed files on the union’s network, according to the letter.

The letter said people’s names were revealed, along with birthdates, user names and passwords, Social Security numbers, payment information, passport numbers, taxpayer identification and bank account numbers, and health insurance and medical information.




The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the said 517,487 people were affected.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The Rhysida ransomware gang claimed on its dark web site in September that it had carried out a cyberattack on the union. In 2023 and 2024, the same group claimed data thefts of sensitive documents from school districts in Maryland, Texas, New Jersey and Tennessee.

The union, which represents 178,000 members, said in an email statement that it isn’t aware of identity theft connected to the breach.

“As soon as we became aware of this incident, we engaged cybersecurity professionals with expertise in these occurrences,” the union told 蜜桃影视. “We are complying with all legal and regulatory requirements, and are providing credit monitoring for eligible individuals who were impacted by this incident.”

Cyberattacks: How Schools Cover Up Data Breaches
/article/cyberattacks-how-schools-cover-up-data-breaches/
Mon, 10 Feb 2025 19:01:49 +0000
The Story Behind the Story: How I Investigated More Than 300 Cyberattacks
/article/the-story-behind-the-story-how-i-investigated-more-than-300-cyberattacks/
Sat, 08 Feb 2025 13:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district — and the leak of thousands of highly sensitive student mental health records — that set me off.

Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang.

And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday and supported by a grant from the .

What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers — the real victims of the hacks and subsequent data breaches — in the dark.

I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials — sometimes even after their students’ and employees’ personal information had already been published.

My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks — and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation.

The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss.



Emotional support

This story was brought to you with invaluable editing and guidance from 蜜桃影视’s Kathy Moore.

And Matilda.

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden
/article/kept-in-the-dark/
Tue, 04 Feb 2025 09:01:00 +0000

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 蜜桃影视 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public.

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public.

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence.

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees.

The attorneys, often employed by just a handful of law firms — dubbed  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.”

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 蜜桃影视. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

蜜桃影视’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

蜜桃影视 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 蜜桃影视 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 蜜桃影视 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 蜜桃影视’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by 蜜桃影视, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 蜜桃影视 through a public records request. School districts routinely denied 蜜桃影视’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 蜜桃影视 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 蜜桃影视.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 蜜桃影视. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 蜜桃影视 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 蜜桃影视 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 蜜桃影视. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 蜜桃影视 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 蜜桃影视 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 蜜桃影视. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 蜜桃影视 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 蜜桃影视 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 蜜桃影视 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 蜜桃影视. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 蜜桃影视. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 蜜桃影视 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 蜜桃影视.

This story was supported by a grant from the Fund for Investigative Journalism.


This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by 蜜桃影视 shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer 鈥減rivileged investigations鈥, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months 鈥 and in some cases more than a year 鈥 later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools鈥 messaging is no coincidence. 

That鈥檚 because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools鈥 exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms 鈥&苍产蝉辫;诲耻产产别诲  by one law professor for their massive caseloads 鈥 hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools鈥 behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online 鈥 from their financial and medical information to traumatic events in young people鈥檚 lives 鈥 are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs鈥 ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers鈥 willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are 鈥渁ll but guaranteed.鈥 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 — a 70% year-over-year surge, making it “the worst ransomware year on record for education.”

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene.

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told 蜜桃影视. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

蜜桃影视’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites.

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

蜜桃影视 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records.

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, 蜜桃影视 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, 蜜桃影视 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to 蜜桃影视’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.”

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. “A lot of these districts come out saying, ‘We’re not paying,’” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean.”

Records obtained by 蜜桃影视, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students 鈥

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view.

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by 蜜桃影视 through a public records request. School districts routinely denied 蜜桃影视’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by 蜜桃影视 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long.

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked 蜜桃影视.

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.”

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

“The wording in notices is disheartening,” Strauss told 蜜桃影视. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead.

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet 蜜桃影视 identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.”

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden’s Deputy National Security Advisor Anne Neuberger, writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by 蜜桃影视 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos.

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told 蜜桃影视. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.”

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told 蜜桃影视 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by 蜜桃影视 — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin . But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment.

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment.

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.”

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told 蜜桃影视. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by 蜜桃影视 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.”

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.”

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified.

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it’s your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators.

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. 蜜桃影视 redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by 蜜桃影视 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks.

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by 蜜桃影视. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation.

“It’s not just that you have a leak of the information,” Citron told 蜜桃影视. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of .

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.”

“It’s like you’re living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.”

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told 蜜桃影视 he got the district’s September 2023 breach notice in the mail but he “didn’t even read it.” The vague notices, he said, are “mostly worthless.”

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches.

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for 蜜桃影视.

This story was supported by a grant from the Fund for Investigative Journalism.

PowerSchool Got Hacked. Now What?

/article/powerschool-got-hacked-now-what/ Sat, 18 Jan 2025 13:30:00 +0000 /?post_type=article&p=738647

Were you a current or former student in the last few decades? Or a parent? Or an educator?

If so, your sensitive data — like Social Security numbers and medical records — . Their target was education technology behemoth PowerSchool, which provides a centralized system for reams of student data to damn near every school in America.

Given the cyberattack’s high stakes and its potential to harm millions of current and former students, I teamed up Wednesday with Doug Levin of the  to moderate a timely webinar about what happened, who was affected — and the steps school districts must take to keep their communities safe.


Concern about the PowerSchool breach is clearly high: Some 600 people tuned into the live event at one point and pummeled Levin and panelists Wesley Lombardo, technology director at Tennessee’s Maryville City Schools; Mark Racine, co-founder of RootED Solutions; and Amelia Vance, president of the Public Interest Privacy Center, with questions. 

PowerSchool declined our invitation to participate but sent a statement, saying it is “working to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.”

The individual or group who hacked the ed tech giant has yet to be publicly identified.

Asked and answered: Why have the company’s security safeguards faced widespread scrutiny? What steps should parents take to keep their kids’ data secure? Will anyone be held accountable?


In the news

Oklahoma schools Superintendent Ryan Walters, who says undocumented immigrants have placed “severe financial and operational strain” on schools in his state, proposed rules requiring parents to show proof of citizenship or legal immigration status when enrolling their kids — a proposal that not only violates federal law, but is likely to keep some parents from sending their children to school.

  • Not playing along: Leaders of the state’s two largest school districts — Oklahoma City and Tulsa — rebuked the proposal and said they would not collect students’ immigration information. Educators nationwide fear the incoming Trump administration could carry out arrests on campuses.

  • Walters filed a $474 million federal lawsuit this week alleging immigration enforcement officials mismanaged the U.S.-Mexico border, leading to “skyrocketing costs” for Oklahoma schools required “to accommodate an influx of non-citizen students.”

  • Timely resource guide: With ramped-up immigration enforcement on the horizon — and with many schools already sharing student information with ICE — here are the steps school administrators must take to comply with longstanding privacy and civil rights laws.


A federal judge in Kentucky struck down the Biden administration’s Title IX rules that enshrined civil rights protections for LGBTQ+ students in schools, siding with several conservative state attorneys general who argued that harassment of transgender students based on their gender identity doesn’t constitute sex discrimination.

Fires throw L.A. schools into chaos: As fatal wildfires rage in California, the students and families of America’s second-largest school district have had their lives thrown into disarray. Schools serving thousands of students were badly damaged or destroyed. Many children have lost their homes. Hundreds of kids whose schools burned down returned to makeshift classrooms Wednesday after losing “their whole lifestyle in a matter of hours.”

  • At least seven public schools in Los Angeles that were destroyed, damaged or threatened by flames will remain closed, along with campuses in other districts.

Has TikTok’s time run out? With a national ban looming for the popular social media app, many teens say they’re ready to move on (and have already flocked to a replacement).

Instagram and Facebook parent company Meta restricted LGBTQ+-related content from teens’ accounts for months under its so-called sensitive content policy until the effort was exposed by journalist Taylor Lorenz.

Students’ lunch boxes sit in a locker at California’s Marquez Charter Elementary School, which was destroyed by the Palisades fire on Jan. 7. (Photo by Justin Sullivan/Getty Images)

The Federal Communications Commission on Thursday announced the participants in a $200 million pilot program to help schools and libraries bolster their cybersecurity defenses. They include 645 schools and districts and 50 libraries.

Scholastic falls to “furry” hackers: The education and publishing giant that brought us Harry Potter has fallen victim to a cyberattacker, who reportedly stole the records of some 8 million people. In an added twist, the culprit gave a shout-out to “the puppygirl hacker polycule,” an apparent reference to a hacker dating group interested in human-like animal characters.

  • Dig deeper: Here’s how AI is being used by cybercriminals to rob schools.

    Not just in New Jersey:聽In a new survey, nearly a quarter of teachers said their聽schools聽are patrolled by drones and a third said their聽schools聽have surveillance cameras with facial recognition capabilities. |聽

    The number of teens abstaining from drugs, alcohol and tobacco use has hit record highs, with experts calling the latest data unprecedented and unexpected. | 


    ICYMI @The74


    Emotional Support

    New pup just dropped.

    Meet Woodford, who, at just 9 weeks, has already aged like a fine bourbon. I’m told that Woody — and the duck, obviously — have come under the good care of 74 reporter Linda Jacobson’s daughter.

    Providence Students’ Data Exposed in Cyberattack — District Denies Leak /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/ Fri, 18 Oct 2024 10:30:00 +0000 /?post_type=article&p=734352

    Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month.

    A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by 蜜桃影视 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist.

    Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

    An analysis by 蜜桃影视 of the stolen files — posted by the threat actors to the messaging platform Telegram — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

    In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.”

    Providence Public School District documents leaked after a data breach and redacted by 蜜桃影视. (Screenshot).

    In a statement to 蜜桃影视 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

    Wégimont’s statement doesn’t acknowledge that students’ records had been compromised.

    The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told 蜜桃影视.

    “People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.”

    The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

    Javier Montañez

    Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials.

    It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday.

    “No one had actually gone in to see the files,” he told 蜜桃影视, although the district had said it was conducting an ongoing analysis.

    Providence Public School District documents leaked after a data breach and redacted by 蜜桃影视. (screenshot)

    The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said.

    Thousands of students impacted

    Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

    A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

    A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

    In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

    A Providence Public School District student’s vaccine record. 蜜桃影视 cropped the photo above to remove the student’s name. (Screenshot)

    Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

    While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

    The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

    Medusa’s many tentacles

    The Medusa attack and Providence’s response is similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

    In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by 蜜桃影视 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

    The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown.

    Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw.

    Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records.

    “While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

    Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

    This story was supported by a grant from the Fund for Investigative Journalism.

    Stolen Providence School District Data May Be Making Its Way Online /article/stolen-providence-school-district-data-may-be-making-its-way-online/ Sun, 13 Oct 2024 13:00:00 +0000 /?post_type=article&p=733980

    This article was originally published in

    Providence public school officials last Friday were about to finalize a credit monitoring agreement to provide protection for district teachers and staff after a recent ransomware attack on the district’s network.

    Then over the weekend, a video preview of selected data allegedly stolen from the Providence Public School Department (PPSD) showed up on a regular website. The site is accessible via any internet browser — what’s sometimes called the “clearnet” — unlike the dark web ransom page where cybercriminal group Medusa first alleged to .

    While a forensic analysis of the breach continues, the credit monitoring agreement with an unspecified vendor was finalized as of Thursday and the district was drafting a letter to go out to the staff “very soon” with information on how to access those services, spokesperson Jay G. Wégimont said in an email.


    “First and foremost, the safety and security of our staff members is of utmost importance, and the District continues to make decisions with that in mind,” Wégimont said.

    “We will also continue to explore any additional services we can offer to protect the security of our staff members and students.”

    Meanwhile, the data breach has yet to be formally reported to the Rhode Island Attorney General’s office, said spokesperson Brian Hodge. requires any municipal or government agency to inform the AG’s office, credit reporting agencies, and people affected by a breach within 30 days of the breach’s confirmation.

    PPSD first used the wording “unauthorized access” to describe the breach in a Sept. 25 letter from Superintendent Javier Montañez, although the Providence School Board had used the term “breach” in a public statement on Sept. 18.

    Providence Mayor Brett Smiley was “encouraged” the district was advising potentially affected staff and finalizing the credit monitoring agreement, spokesperson Anthony Vega said in a statement emailed Tuesday to Rhode Island Current.

    The Providence City Council declined to comment, said spokesperson Roxie Richner in an email. Gov. Dan McKee’s office did not respond to a request for comment.

    ‘Robert’ makes a video

    Ransomware group Medusa first took public credit for the pirated PPSD data on Sept. 16, when it demanded a $1 million ransom to be paid by the morning of Sept. 25.

    Rhode Island Current previously reported that the alleged ransom landing page did not provide access to files, but did show file and folder names, as well as partially obscured screenshots of the allegedly stolen data.

    The clearnet-hosted leak includes a 24-minute screen recording in which someone clicks through an assortment of the allegedly leaked files and folders on an otherwise empty Windows desktop. The post sports a disclaimer that its author is “not engaged in illegal activities” and showcases leaks only for “possible information security problems.”

    The author signs off: “Traditional thanks to The Providence Public School Department for the provided data. Do not skimp on information security. Always yours. Robert.”

    While the uploader does not explicitly brand themself as affiliated with Medusa, the “Robert” source appears to share all the same leaks Medusa does, and both sources use the same encrypted messaging address, according to threat researchers at Bitdefender.

    Ransomware attacks, and Medusa’s methodology as well, have long been associated with social engineering — like getting people to click phishing links in emails. But it’s becoming more common that outdated hardware or software are to blame, said Bill Garneau, vice president of operations at CMIT Solutions in Cranston.

    “What we’ve started to see in terms of ransomware is, it’s not only business email compromise,” Garneau said. “Threat actors out there are really pursuing systems that are out of compliance.”

    That could mean equipment at the end of its manufacturer-supported lifespan, or software that needs to be patched. Garneau’s company uses a crafted by the National Institute of Standards and Technology. One of its standards is to patch devices within 30 days of the patch release, before threat actors can exploit the vulnerabilities patches are meant to fix.

    “If there’s a patch available, it’s because there’s a bad guy out there that knows that there’s a vulnerability, and there’s somebody that’s knocking on doors trying to find it,” Garneau said.

    To insure or not to insure?

    Cyber insurance policies can cover some costs incurred by attacks. But they can’t prevent future threats or suddenly make insecure networks better, Garneau noted.

    “Insurance is great, right? But that’s not going to solve any problem,” Garneau said.

    PPSD has not responded to requests about whether the district has cyber insurance. According to Lauren Greene, a spokesperson for the Rhode Island League of Cities and Towns, no public entity would disclose that information anyway. “As you can understand, it poses a security risk for municipalities to disclose if and what type of cybersecurity insurance that they have,” Greene said in an email.

    “Municipalities continue to prioritize training for their staff in order to mitigate risk and draw awareness to the constantly evolving threats,” Greene added, and noted that a community’s IT staff may work across multiple areas or departments like public safety and schools.

    A released Monday, however, showed that state-level IT officials and security officers are not feeling confident about the budgets for their states’ IT infrastructure.

    “The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” Srini Subramanian, principal of Deloitte & Touche LLP, said in an with States Newsroom. “And CISOs (chief information security officers) have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”

    Those challenges were reflected in the survey numbers, which found almost half of respondents did not know their state’s budget for cybersecurity. Roughly 40% of state IT officers said they did not have enough funds to comply with regulations or other legal requirements.

    That finding echoes a , which scores and analyzes municipal bonds. “While robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,” wrote Gregory Sobel, a Moody’s analyst and assistant vice president, in the report.

    Moody’s also noted that one survey showed 92% of local governments had cyber insurance, a twofold increase over five years. But that popularity came with higher rates: One county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Those higher costs are also in addition to stricter stipulations on risk management practices before a policy will pay out, like better firewalls, consistent data backups and multi-factor authentication.

    Douglas W. Hubbard, the CEO of consulting firm Hubbard Decision Research and coauthor of “How to Measure Anything in Cybersecurity Risk,” told Rhode Island Current in an email that schools should exhaust the low-cost, shared or free resources available to help them manage cyber risk. Examples include (CISA) or a by the Federal Communications Commission for K-12 schools.

    “For specific cybersecurity recommendations…there are a few things that are so fundamental that administrators don’t really even need a risk analysis to get started,” Hubbard said. They include training staff and students on best practices including strong passwords or avoiding mysterious links. Multi-factor authentication is “probably the single most effective technology a school could implement,” even if it involves an upfront cost, Hubbard said.

    “The fundamental responsibilities of the schools should include at least using the resources which have been made available to them through the programs I mentioned,” Hubbard said. “If they aren’t doing at least that, there is room for blame.”

    This article was corrected to show that Rhode Island state law requires municipal agencies to notify affected parties and the state Attorney General within 30 days of a data breach. The article originally stated 45 days, which is the timeframe required for individuals to report a breach. 

    is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Rhode Island Current maintains editorial independence. Contact Editor Janine L. Weisman for questions: info@rhodeislandcurrent.com. Follow Rhode Island Current on and .

    Hackers Demand Ransom After Attack on Delaware Libraries /article/hackers-demand-ransom-after-attack-on-delaware-libraries/ Fri, 27 Sep 2024 16:30:25 +0000 /?post_type=article&p=733359

    This article was originally published in

    Computer labs at Delaware libraries across the state are closed after hackers on Friday seized control of the virtual servers that run the facility’s public-use computers, according to Delaware Division of Libraries Director Annie Norman.

    The hackers now are demanding money from the state in order to relinquish control of the system, Norman said. She did not know the exact amount demanded but said she “heard” it was around $1 million.

    Norman added that she will direct the Division of Libraries not to pay any ransom, insisting instead that the Delaware libraries rebuild the servers that run the public’s computers.


    She did not immediately know when the rebuild will occur, nor when the public-access computers will again be available.

    “We see a lot of stories about this around the nation, and it seems to be recommended not to pay the ransom, but to rebuild,” she said.

    The hack marks the latest in a trend of high-profile breaches of local government computer systems across the United States. On its website, governments have been “particularly visible targets for ransomware attacks.”

    Last year, Kent County’s local government experienced what it called “a hostile network intrusion” which downed its webpage and rendered its office phones unusable for more than a month.

    Last month, the Bayhealth health care system based in Dover was , who were offering much of the stolen data on dark web boards for upward of $1.4 million in Bitcoin.

    The Division of Libraries technology staff has been consulting with officials from Microsoft and with the Delaware Department of Technology and Information, Norman said. They still are trying to determine “what happened and where they got it,” she said.

    A spokeswoman from Delaware DTI declined to provide details about their consultancy.

    In the days since the hack on Friday, several local libraries posted updates on social media sites about their public computer terminals not working. They did not reveal that the system had been the victim of a ransomware attack. 

    On Monday, the Division of Libraries posted a note on its website stating that libraries are “experiencing an extended system/internet outage that is affecting some, not all, library services.”

    Norman’s division oversees more than 30 libraries across the state. Each operates a computer lab that offers free access to the internet and low-cost printing. The labs are relied upon by a cross section of society, especially people without regular access to the internet.

    Norman stressed that the libraries remain open and still have WiFi, though she said it has been “a little spotty.”

    She also emphasized that library card holders’ information is not currently at risk.

    “The good news is — thank God there’s some good news — is it’s not affecting the catalog, which is where there’s patron information,” she said.

    The published on .

    Web Filter Refined: Teen Builds His Own, More Nuanced Tool /article/web-filter-refined-teen-builds-his-own-more-nuanced-tool/ Thu, 15 Aug 2024 16:30:00 +0000 /?post_type=article&p=731340

    This article was originally published in

    Like most kids, Aahil Valliani has been frustrated by the filters that his school uses to block inappropriate websites. Often, he has no idea why certain sites are blocked, especially when his web browsing is tied to his schoolwork.

    Many students in this situation find a way around their districts’ web filters. They access the internet on their phones instead, or use proxy servers or virtual private networks to essentially access a different, unfiltered internet. Aahil, searching for a more systemic solution, teamed up with his younger brother and father to start a company called Safe Kids, raise almost $2 million in venture funding, and design a better filter.

    As The Markup, which is part of CalMatters, reported in April, almost all schools filter the web to comply with the federal Children’s Internet Protection Act and qualify for discounted internet access, among other things. Most schools The Markup examined used filters that sort all websites into categories and block entire categories at once. Others scan webpages for certain off-limits keywords, blocking websites on which they appear regardless of the context. In both cases, the filters are blunt tools that result in overblocking and sometimes keep kids from information about politicized topics like sex education and LGBTQ resources.


    Aahil, now 17, points out that schools’ overly strict controls disappear as soon as kids graduate. “That’s a recipe for disaster,” he said. Kids, he contends, need to learn how to make good choices about how to use the internet safely when trusted adults are nearby so they are ready to make good decisions on their own later.

    The Safe Kids filter turns web blocking into a teachable moment, explaining why sites are blocked and nudging students to stay away from them of their own accord. It uses artificial intelligence to assess the intent of a student’s search, reducing the number of blocks students see while conducting legitimate academic research. One example: if a student searches for Civil War rifles for a class assignment, Safe Kids would allow it. If a student tries to shop for an AK-47, it wouldn’t. Other filters would block both.

    The filter also keeps student browsing data private, storing only categories of websites accessed, not URLs or search terms themselves. And it works through a Chrome browser extension, which means students can’t simply get around it with a proxy server or VPN while using that browser.

    Safe Kids got its start during the early COVID-19 lockdowns. Sitting around the dinner table with his father, a tech entrepreneur; his mother, a self-employed fashion designer; and his younger brother Zohran, a budding computer scientist, Aahil got his family to strategize how to help all the kids getting sucked into dark corners of the web and battling the mental health consequences of their internet use.

    Their idea, building off of the invasive and ineffective filters the brothers saw in school, essentially puts better training wheels on the internet. Aahil said his father did a bit of hand-holding in these early days, helping find board members and angel investors, as well as the data scientists who would train the AI machine learning model behind the filter and psychologists who could craft and test the filter’s hallmark pop-ups directing students toward more appropriate browsing. The company also spent time and money getting their designs patented. Aahil has three patents under his name and Safe Kids has five.

    As Aahil and his family were preparing to chase seed funding for Safe Kids, the ACLU of Northern California was demanding the Fresno Unified School District a product called Gaggle, which districts use to monitor students’ internet use, block potentially harmful content, and step in if student browsing patterns indicate they may need mental health supports. The problem, according to ACLU attorneys, was that Gaggle amounted to intrusive surveillance, trampling on students’ privacy and free speech rights.

    The Electronic Frontier Foundation levied similar accusations against another web filter called GoGuardian after getting records from 10 school districts, including three in California, that revealed the extent of the software’s blocking, tracking and flagging of student internet use during the 2022-23 school year, when Aahil was piloting Safe Kids. Jason Kelley, a lead researcher on EFF’s GoGuardian investigation, , looked into Safe Kids in response to an inquiry by The Markup. Accustomed to pointing out how bad filters are, he offered surprised praise for Safe Kids, commending its focus on privacy, its open source code that offers transparency about its model, and its context-specific blocking.

    “This is, really, I think, an improved option for all the things that we are generally concerned about,” Kelley said.

    So far, Safe Kids has not been able to break into the school market. Still, Aahil hopes to one day sign a contract with a school district, and he is marketing to parents in the meantime, offering them a way to put guardrails on their kids’ home internet use. While Safe Kids started out charging for its filter, Aahil said an open source, free version will be released next month.

    One of the company patents is for a “pause, reflect, and redirect” method that leans on child psychology to teach kids healthy browsing habits when they try to access an inappropriate website.

    “When kids go to a site the first time, we consider that a mistake,” Aahil said. “We tell kids why it’s not good for them and kids can make a choice.”

    For example, if a student tries to play games during a lesson, a pop-up would say, “This isn’t schoolwork, is it?” Students can click a “take me back” button or “tell me more” link to get more information about why a given site is blocked. When students repeatedly try to access inappropriate content, their browsing is further restricted until they address the issue with an adult. If that content indicates a student might be in crisis, the user is advised to get help from an adult, and in a school setting, a staff member would get an automated alert.

    The teen expects to keep building the company, even as he shifts his focus to college admissions this fall. A rising senior at the selective Thomas Jefferson High School for Science and Technology in Alexandria, Virginia, one of the nation’s best public high schools, Aahil plans to major in business or economics and make a career out of entrepreneurship.

    Safe Kids stands out in a web filtering market where products’ blunt restrictions on the web have barely become more sophisticated over the last 25 years.

    Nancy Willard, director of Embrace Civility LLC, has worked on issues of youth online safety since the mid-1990s. She submitted testimony for the congressional hearings that resulted in passage of the Children’s Internet Protection Act in 2000 and describes the filtering company representatives that showed up as snake oil salesmen, selling a technology that addresses a symptom, not the root of a problem.

    “We need to prepare kids to manage themselves,” Willard said. When traditional filters block certain websites with no explanation, kids don’t learn anything, and they’re often tempted to just circumvent the software.

    “This approach helps increase student understanding, and hopefully there’s a way also in the instructional aspects (to increase) their skills,” she said about Safe Kids.

    Students on Chromebooks in particular can’t circumvent Safe Kids and its design aims to keep them from wanting to. Now Aahil and his family just need to find buyers.

    Kelley said he’s not surprised Safe Kids hasn’t been able to yet, given the “hardening” of school security and student safety efforts over the last decade. “We’ve gone from having cameras and some pretty standard filters to having metal detectors, and locked doors, and biometrics, and vape detectors in the bathrooms, and these much more strict filters and content moderating control software,” he said, “and all this is hard to undo.”

    This was originally published on .

    Alabama Department of Education Targeted In Cyberattack /article/alabama-department-of-education-targeted-in-cyberattack/ Thu, 11 Jul 2024 12:30:00 +0000 /?post_type=article&p=729638

    This article was originally published in

    Alabama State Schools Superintendent Eric Mackey said Wednesday that the Alabama State Department of Education’s computer systems had been breached last month, and that students and employees of the department may have been affected.

    Speaking at a press conference in Montgomery, Mackey said the breach took place on June 17. According to Mackey, the department’s staff interrupted and stopped the attack.

    Mackey said that there “was no question” that it was a denial of service attack to encrypt and steal data so they need to be paid off, but said officials were “still assessing exactly which data were taken.”




    “What I would say is that to all parents, and all local and state education employees out there, they should monitor their credit, they should assume that there’s a possibility that some of their data were compromised,” he said.

    Mackey said that the department does not keep direct deposit information.

    “We do have information about which data possibly could be taken because we’re able to look and see which servers they were not able to get to in the time they were in there,” he said.

    A foreign agent may have been involved, Mackey said, but he said that he could not provide more information.

    “I shouldn’t say I’m not aware,” he said. “I’m not able to answer that.”

    According to a statement from the department, the Alabama Attorney General, the Alabama Office of Information Technology and an independent contractor are working with the department to strengthen the cyber defenses and identify which data may have been compromised.

    The statement said notification will be made to relevant parties in full compliance with laws and best practices.

    The Department has launched a dedicated landing site, and questions and comments can be sent to databreach@alsde.edu.

    Mackey said that their websites will be down for “critical updates” beginning at 5 p.m. Wednesday evening for several hours.

    is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Alabama Reflector maintains editorial independence. Contact Editor Brian Lyman for questions: info@alabamareflector.com. Follow Alabama Reflector on and .

    L.A. Schools Investigates Data Breach as FCC Approves $200M Cybersecurity Pilot
    /article/l-a-schools-investigates-data-breach-as-fcc-approves-200m-cybersecurity-pilot/
    Fri, 07 Jun 2024 20:39:26 +0000
    /?post_type=article&p=728124

    On the same day that millions of sensitive records purportedly stolen from the Los Angeles school district were posted for sale on the dark web, the Federal Communications Commission approved a $200 million pilot program to help K-12 schools and libraries nationwide fight an onslaught of cyberattacks.

    A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years.

    Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.




    “School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

    “So today, we’re going to do something about it,” she said.

    The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

    Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

    A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

    The Satanic Cloud, which posted the most recent batch of LAUSD data, told 蜜桃影视 it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

    The Los Angeles district is aware of the threat actor’s claims, a spokesperson told 蜜桃影视 in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

    ‘It’s definitely sensitive data’

    In an investigation last year, 蜜桃影视 found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had.

    Just last month, a joint investigation by 蜜桃影视 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breach notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district.

    The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users.

    A sample file included in the L.A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggests the records include similar information about teachers.

    Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told 蜜桃影视 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information.


    Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told 蜜桃影视, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack.

    “Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

    “It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.”

    ‘An important step forward’

    During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

    “Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.”

    Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter – but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households.

    In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support.

    “The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

    Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told 蜜桃影视 that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

    “There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.”

    Tutoring Company with Chinese Ties Hits Back at Parents Group’s Bid to ‘Destroy’ It
    /article/tutoring-company-with-chinese-ties-hits-back-at-bid-to-destroy-it/
    Wed, 15 May 2024 17:53:06 +0000
    /?post_type=article&p=727094

    Updated

    A U.S.-based tutoring company on Tuesday pushed back against a conservative campaign to “destroy” it due to security fears over its Chinese owner.

    In a posted online, said the parents’ rights group in recent months has misrepresented its operations, falsely claiming it has ties to the Chinese government. The company, based in New York, said the parents’ group is trying to persuade lawmakers and others that Tutor.com “is somehow a puppet of the Chinese government and a threat to national security,” according to the letter.

    Founded two decades ago, Tutor.com was acquired in 2022 by , a Beijing-based investment firm in Hong Kong, Singapore and Palo Alto, Calif. In the letter to attorneys representing Parents Defending Education, the company said the parents’ group has chosen to portray Tutor.com “as a stalking horse to advance the advocacy group’s broader political agenda.”




    The effort by Parents Defending Education both echoes and influences a larger one by lawmakers nationwide to raise security concerns about companies linked to China, including fears that they could be compelled to share student data with the Chinese government.

    But John Calvello, Tutor.com’s spokesperson and chief institutional officer, said the fears are misplaced.

    “First and foremost, it’s important to say: We are an American company,” he said in an interview. “I want to be very clear about that. And again, as an American company, you have to abide by all U.S. laws and regulations.”

    John Calvello

    Tutor.com, Calvello said, “cannot be compelled to share data” with anyone.

    He noted that it had recently undergone a voluntary review by the federal , which found, in his words, “no unresolved national security concerns.”

    He also said the company has a designated security officer approved by the U.S. government to ensure data security compliance. And he said all of Tutor.com’s data is housed in the United States.

    According to the watchdog site , states, school districts, colleges and even the Pentagon have spent more than $35 million on contracts with Tutor.com over the past decade. Among the largest: nearly $1.6 million in 2015 for online homework tutoring for the U.S. Defense Department and $1.1 million in 2022 for tutoring at California State East Bay.

    Following the pandemic, state and school district spending on Tutor.com, as with other tutoring providers, skyrocketed. In December, the New Hampshire Department of Education said it would through Tutor.com to every student in fourth- through twelfth grades, as well as to those prepping for GED exams.

    But many lawmakers have also sought to minimize China’s influence in both K-12 and higher education.

    After Congress in 2018 targeted the nearly 100 Confucius Institutes on U.S. college campuses, restricting federal funding at schools with programs, their number dropped to fewer than five, according to a 2023 U.S. Government Accountability Office .

    In 2024, lawmakers are seeking to ban TikTok due to the social media application’s Chinese ownership. Primavera is a minority investor in ByteDance, TikTok’s parent company. ByteDance also owns the AI-powered homework helper .

    But Tutor.com has been the subject of much of the scrutiny around student data. In February, U.S. Sen. Tom Cotton, a Republican from Arkansas, Lloyd Austin, saying the Pentagon’s relationship with Tutor.com is “ill-advised, reckless, and a danger to U.S. national security.”

    Cotton said the Pentagon should end its dealings with the company, suggesting that students’ personal data, such as location, IP addresses and the contents of tutoring sessions, could be released to the Chinese government. He said the U.S. is “paying to expose our military and their children’s private information to the Chinese Communist Party.”

    In March, Manny Diaz, Jr., Florida’s commissioner of education, to public K-12 and higher education leaders statewide, saying Tutor.com’s ties to “foreign countries of concern” may compromise student data privacy. Diaz said the State Board of Education had adopted rules to protect student data “to keep it out of the hands of bad actors,” adding that school districts, charter schools and state colleges “must take the necessary steps to protect their students from nefarious foreign actors such as the Chinese Communist Party.”

    And last month, 13 lawmakers, led by U.S. Rep. Tim Walberg, R-Michigan, to U.S. Education Secretary Miguel Cardona, saying Tutor.com “poses a significant national security threat.” They asked what measures the department had taken to assess “the potential national security risks associated with Tutor.com’s relationship.”

    A spokesperson for Cardona did not immediately respond to a request for comment.

    Neily recently that Tutor.com’s Chinese ties are “something that just seemed to have slipped past the goalies.”

    Nicole Neily appears on Real America’s Voice (Screen capture)

    During a segment on the company, the show’s host alleged that providers like Tutor.com can gather data from even the youngest students and “adapt what they need to teach these kids to make sure they’re good, functional little robots.” He asked Neily, “Is that the plan?”

    She replied, “That very much seems to be the plan,” adding, “Let’s be honest, this data is not being secured by America’s best and brightest.”

    Neily did not immediately respond to a request for comment.

    Tutor.com’s Calvello said much of the alarm around the company’s Chinese ties stems from the parents’ group, which he said has been “promoting falsehoods” that lawmakers and others have amplified. As a result, he said, a few school districts have been under pressure to drop the service, with critics quoting the parents’ group’s materials.

    “We’re prepared to pursue legal avenues to protect our reputation and operations from false claims,” he said.

    Alleged Rape Victim Presses Va.’s Fairfax Schools for Answers on Records Leak
    /article/alleged-rape-victim-presses-virginias-fairfax-schools-for-answers-on-records-disclosure/
    Mon, 27 Nov 2023 16:01:00 +0000
    /?post_type=article&p=718089

    A former Fairfax County Public Schools student who accuses the Virginia district of ignoring allegations that she was repeatedly raped, tortured and threatened when she was in middle school is demanding to know how officials accidentally revealed her identity last month.

    In a federal court motion filed Nov. 14 that cited 蜜桃影视’s exclusive reporting, attorney Andrew Brenner described the disclosure as “at best, careless,” particularly after the former student won a legal battle against the district for her right to remain anonymous. Brenner asked the U.S. District Court for the Eastern District of Virginia to compel Fairfax to explain how her name ended up in documents released as part of a records request that had nothing to do with her case.

    A hearing on the motion is set for Dec. 15.

    Known as B.R., the woman is as well as the former students she alleges sexually assaulted her in 2011, with a trial set to begin in March. The motion asks for the names of all district employees involved in producing the materials that identified her as well as the district’s steps “to collect, review, compile and transmit the documents” prior to their release.




    The district’s response to the motion could provide insight into how unredacted records on tens of thousands of students were released to a parent and special education advocate. The documents included sensitive, confidential information such as grades, disability status and mental health conditions.

    Following 蜜桃影视’s report, the district apologized and launched an investigation. A firm with expertise in cybersecurity is handling the probe, but some parents with children named in the disclosure said so far, no one has contacted them. Superintendent Michelle Reid said in she will share a summary of the investigation once it’s complete.

    Callie Oettinger, the parent who received the records, went to her local high school in mid-October to examine what she thought were records pertaining to her own two children. Her son, who received special education services in the district, has since graduated, and her daughter is still in high school. She copied computer files onto thumb drives as a paralegal observed and helped her identify some of the records.

    While most of the documents set aside for her review included her children’s names, they also revealed information on what she estimates were at least 35,000 other students. B.R.’s full name was listed in a document labeled “attorney work product” and marked “privileged and confidential,” as well as in an email to board members about litigation to discuss in a 2020 closed meeting.

    The records also identified another former student with a separate Title IX case against the district. In reached last year, the district agreed to always redact the student’s real name from any copy of the document and only use a pseudonym when referring to the case. Her attorneys did not respond to a request for comment.

    One document the Fairfax County Public Schools turned over to parent Callie Oettinger identifies two students who were involved in Title IX lawsuits as Jane Doe, but then includes their names in parentheses. 蜜桃影视 has redacted their real names.

    The day after issuing its apology, the district sent Oettinger a strongly worded email demanding that she “return all files removed, including any and all physical media used for unauthorized extraction of information from FCPS.” The letter referred to the documents as “wrongfully retained information.”

    To her attorney, the language suggested Oettinger was at fault.

    “She’s done nothing illegal, and they have no legal right to compel her to do anything,” said Timothy Sandefur, vice president for legal affairs at the Goldwater Institute, a Phoenix-based libertarian think tank. Oettinger posted redacted documents from the recent trove on she runs on special education issues. “If they want assurance that she is not going to publish any kind of confidential information about kids, she absolutely will not publish confidential information about children. She has assured everybody of that already.”

    Oettinger sent the thumb drives to Sandefur, who has since communicated with attorneys conducting the district’s investigation. But he declined to provide an update on the district’s progress. The attorneys conducting the investigation also didn’t respond to requests for comment.

    A need for ‘robust action’

    Oettinger didn’t initially alert the district to the disclosure because, she said, it has failed to make improvements after previous privacy violations. In fact, on Oct. 19 – the third and final day that Oettinger reviewed files in person – the Virginia Department of Education responded to one of her earlier complaints, finding the Fairfax district out of compliance with the federal Family Educational Rights and Privacy Act, or FERPA.

    The decision only pertained to her son and was not a statement about the district’s overall privacy record.

    Patricia Haymes, who directs the state agency’s Office of Dispute Resolution and Administrative Services, noted that officials have had “ongoing concerns” regarding student confidentiality in Fairfax and “believed that there was a need for the school division to take more robust action to ensure sustainable compliance.” But she also said the district assured her in September that it was taking steps “regarding the confidentiality of and access to student records.”

    In that Sept. 27 letter, the district said it was training staff on their obligations under FERPA and the Freedom of Information Act, and was planning a “mandatory training” for principals and other administrators in charge of student records and special education. Training was scheduled to begin Oct. 31 and employees have two months to complete it.

    On Nov. 8, Oettinger appealed the state’s decision, citing 蜜桃影视’s reporting on the accidental records release. Both the district and the state have “failed to ensure compliance – and now here we are,” she wrote. “You have enough for [the district] to be found at fault for systemic noncompliance.”

    The district disputes that it has violated the law. In a Nov. 21 response to Oettinger’s appeal, it described the disclosure as a “single instance of what appears to be human error” and said that Oettinger’s in-person review of the documents, which FERPA allows, was “outside the typical electronic document production that FCPS employs.”

    Oettinger said she has faith in Reid, who became superintendent last year, to push for tighter security. The two have exchanged emails and met in person multiple times. Oettinger said she’s “choosing to believe Reid’s trying to change the district’s culture and that she knows me enough to know I’d never do anything nefarious.”

    Some special education experts in the state are baffled by the district’s mistake.

    “It’s just the norm that when you do a document production, you are careful about what you shouldn’t be disclosing – whether it’s other students’ names or legal advice,” said Jim Wheaton, a William and Mary Law School professor who runs a legal clinic for future attorneys that plan to work on special education issues. “It just blows my mind that they would be so reckless.”

    But he said that there’s not much parents can do about such violations. They can file complaints, but there’s no right to sue under FERPA.

    “In religious terms,” he said, “it’s, ‘Go forth and sin no more.’”

    Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone
    /article/why-a-new-type-of-cyberattack-on-las-vegas-schools-should-worry-everyone/
    Wed, 08 Nov 2023 11:15:00 +0000
    /?post_type=article&p=717454

    It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met.

    “I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep.

    “Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”




    Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

    “I put my child on the bus and then immediately called the district,” Hecht told 蜜桃影视. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

    The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, are already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords – in this case students’ dates of birth – and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records.

    Schools nationwide rely heavily on Google Workspace to create, and share records, and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them.

    “This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

    Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

    For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign.

    Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

    When contacted by 蜜桃影视, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement.

    Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with 蜜桃影视, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores.

    In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.”

    Beyond outreach to parents, the hacker – which could be one or multiple people – on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.”

    A hack with TikTok origins

    Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves.

    In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage.

    For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform.

    Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files.

    “Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

    Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.”

    The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

    Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

    Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public.

    “It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.”

    Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.”

    He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing.

    In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack.

    With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level.

    Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told 蜜桃影视. She said the student’s email address was used to send four emails, which were then deleted.

    “We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.”

    Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said.

    “Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.”

    Reputational damage

    For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

    In 2021, of numerous news reports when she contracted COVID and never recovered. 

    Brandi Hecht

    “The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators.

    “I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

    Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.”

    “We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told 蜜桃影视.

    Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

    In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

    “As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said.

    The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.”

    Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers.

    “It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

    ]]>
    Iowa Community Colleges Allocate Time, Money to Combat Cybersecurity Threats /article/iowa-community-colleges-allocate-time-money-to-combat-cybersecurity-threats/ Fri, 25 Aug 2023 13:30:00 +0000 /?post_type=article&p=713755 This article was originally published in

    Des Moines Area Community College is a harder target for cyberattacks and scams than it used to be, President Rob Denson said, but it takes constant effort and vigilance to stay that way.

    He and his staff will receive fake attachments, fraudulent messages from people claiming to be coworkers and applicants with intentions of taking financial aid and running rather than attending classes almost every day, despite best efforts to head them off.

    “Threat actors are always looking for you to let down your guard,” he said.




    In efforts to keep campus safe, some Iowa community colleges are having to put increasingly more time, manpower and money toward cybersecurity efforts.

    Aaron Warner, CEO of cybersecurity company ProCircular, said community colleges are targets for bad actors because they house a lot of sensitive information, their student populations see continuous turnover, and they’re made to be as accessible as possible.

    The often-chaotic time just before school starts is also utilized by cybercriminals, as faculty and staff are busier and less likely to catch suspicious emails or other activities.

    “It’s an unfortunate byproduct of the fact that they’re a community organization,” Warner said. “They are designed to interact as best as possible with the community. Bad guys take advantage of that.”

    When the COVID-19 pandemic forced employees to work from home, Warner said the opportunities to conduct cyberattacks expanded. Gone was the castle-and-moat style of keeping sensitive information on one secure network as data was transferred onto home computers and laptops. The risk of a successful cyberattack or intrusion didn’t so much rise as become more distributed, he said.

    DMACC and Iowa Central Community College have already faced in real time what ProCircular simulates for training – a breach in cybersecurity. Iowa Central Community College was hacked in 2018, and DMACC saw a breach in 2021.

    Both colleges amped up security efforts in response, which they still keep up today.

    Colleges work to stop ‘ghost student’ scam

    One problem DMACC has worked to curb is “ghost students,” or applicants who use fake or stolen identities to seek financial aid. Denson said the college started seeing more fraudulent applications around two years ago, coming in groups from certain areas in different states and filing for loans without any intent of actually attending classes.

    For around a year, DMACC staff have been calling every applicant to confirm their identity before putting their information into the system, Denson said. While this practice has cut down on ghost student applications, it’s not the easiest task to undertake.

    In fall 2022, DMACC admitted more than 1,600 full-time, first-time students. Admissions staff and recruiters called each applicant and recorded the confirmation of their identity in the DMACC system – a time-consuming process, Denson said, as many students aren’t easy to reach over phone or email.

    “It’s a terrible use of time, it’s not the best use of their skills, but it’s something we’ve got to do,” Denson said. “What we don’t want to do is get a fraudulent app inside of our learning management system.”

    At its peak in late July 2022, Denson said the college was receiving around 15 fraudulent applications a day. Since implementing this practice, Denson said that number has decreased significantly, but one or two a day still pop up.

    Denson said the amount of time and manpower needed to verify so many applicants pulls people away from their other work.

    “We would rather have recruiters out recruiting and advisors talking to students about their career, rather than verifying somebody’s identity,” he said.

    In order to lower the risk of a fake student infiltrating Iowa Central Community College’s systems, President Jesse Ulrich said staff purges all records of inactive students – those who applied but never signed up for classes or interacted with the college in any way – every semester.

    Cybersecurity is costly

    Staff and faculty at both community colleges receive training on how to spot and report phishing, and receive random test phishing emails. Iowa Central Community College has members of its IT team dedicated to servers and infrastructure, and DMACC has a cybersecurity expert on retainer.

    Security software, training and insurance all require funds, Ulrich said, which could be used in other areas of the college.

    “Anytime you are putting more resources into cybersecurity, whether that’s through people, software, paying more for insurance; all of those things pull from the general fund or other areas of our funds to be able to really meet the core purpose of community colleges,” Ulrich said.

    Both colleges have cyber insurance; Denson said the college’s annual insurance cost is five times what it was, and the deductible has doubled.

    Even divulging details on its cybersecurity insurance could put the college at risk, Ulrich said, as threat actors will look through public records to determine how well-insured schools are and use that in attacks.

    “It’s kind of a lose-lose situation for higher ed when we’re put in that situation,” he said.

    However, having these safeguards isn’t really a choice, Denson said – it’s a necessity, and one that isn’t going away soon.

    According to SonicWall’s 2023 , educational institutions were cyber criminals’ top targets for malware attacks. At the recent annual Community Colleges for Iowa conference, Ulrich said cybersecurity was among the top 10 challenges facing higher education today.

    ProCircular works with more than just community colleges to evaluate cybersecurity efforts, but the leaders at colleges Warner has met are among the most understanding of the issues and how to tackle them, he said. Much of the company’s training involves ensuring people know what to look for, how to respond in the event of a breach and helping them allocate resources in the right areas.

    U.S. Rep. Zach Nunn introduced in April to help curb cyber attacks against K-12 schools by increasing available resources, expanding cyber attack prevention information sharing and improving national tracking of cyber attacks. While no bills targeting cybersecurity in higher education have been introduced, a spokesperson for Nunn’s office said they are working with as many entities as possible to help tighten cybersecurity across the board.

    Community Colleges for Iowa Executive Director Emily Shields said there has been interest in the state Legislature in working to curb cybersecurity breaches in higher education, but many of the best practices suggested in discussions are already being practiced by community colleges.

    When it comes to funding, Shields said colleges would rather see more dollars go into general funds than specific silos like cybersecurity, as it allows them to be more flexible in allocating resources.

    The organization has worked to help keep colleges informed about cybersecurity threats and avenues to help fend off attacks, in the event one does occur, she said.

    “The conversation always is not if this is going to happen in your college, it’s when,” Shields said. “Everybody’s anticipating. You will have cyberattacks, probably plural – it’s making sure you’re ready for that.”

    is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on and .

    ]]>
    White House Rolls Out Cybersecurity Initiative as Schools Face Devastating Hacks /article/white-house-rolls-out-cybersecurity-initiative-as-schools-face-devastating-hacks/ Mon, 07 Aug 2023 09:01:00 +0000 /?post_type=article&p=712723 Updated, Aug. 7: A tornado watch forced the postponement of the White House K-12 cybersecurity summit from 4 p.m. Monday to 10:30 a.m. EST Tuesday. Check back on 蜜桃影视 for Mark Keierleber’s full report from D.C.

    First Lady Jill Biden, senior administration officials, school district heads and technology company executives will convene at the White House Monday to kick off a new cybersecurity defense initiative as schools increasingly fall victim to crippling ransomware attacks. 

    The Education Department will launch a coordinating council to provide formal collaboration between government officials and district leaders to help schools strengthen their cybersecurity capabilities in the face of attacks that have closed campuses and exposed highly sensitive student and educator information online. The effort was announced by senior Biden administration officials on a press call Sunday evening. 

    The council is being billed as the department’s “key first step” in a renewed focus on cybersecurity after multiple districts – including in Los Angeles and Minneapolis – were targeted by cyber gangs.




    At the White House event, federal officials will hear from school district leaders who navigated attacks, including Los Angeles Unified School District Superintendent Alberto Carvalho, who led America’s second-largest school system through a hack last September. That breach, an investigation by 蜜桃影视 revealed, exposed thousands of current and former students’ highly sensitive psychological evaluations on the dark web.

    In addition to the first lady, others expected to attend the 4 p.m. White House summit include Education Secretary Miguel Cardona, Homeland Security Secretary Alejandro Mayorkas and Federal Communications Commission Chairwoman Jessica Rosenworcel. 

    Anne Neuberger, the deputy national security advisor for cyber and emerging technologies, said the administration seeks to help school districts protect sensitive information about students, parents and educators. In March, a ransomware attack against Minneapolis Public Schools led to a data breach that exposed more than 189,000 files, including records related to sexual misconduct investigations, child abuse reports and district physical security information that’s typically kept private.

    Neuberger called the Minneapolis breach “a particularly vicious example,” citing the disclosure of closely held school security information, which was first revealed in an investigation by 蜜桃影视.

    Teams of federal cybersecurity experts will visit schools and help them create incident response plans, said Neuberger, adding that districts – particularly small ones – often lack the money and resources to adequately prepare for attacks.

    Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

    Cindy Marten, the deputy secretary of education, said that government officials and school leaders must make school cybersecurity a priority at the same level as physical infrastructure. She said she experienced firsthand how districts and the federal government can work together to mitigate the harm from attacks. Carvalho reached out to the Education Department after the Los Angeles district was hacked, Marten said, making clear the importance of partnerships.

    It can take as long as nine months for districts to recover from cyberattacks, , and can cost them as much as $1 million to respond. 

    Several technology companies have also committed to offer schools “free and low-cost resources.” Amazon Web Services pledged to provide $20 million for a K-12 cyber grant program, free security training and incident response help. Meanwhile, will offer free cybersecurity tools to small districts with 2,500 or fewer students.

    Other federal commitments announced Monday include a guide from the Federal Bureau of Investigation and the National Guard Bureau to help schools report cybersecurity incidents and tap into federal cyber defense expertise. 

    Last month, the Federal Communications Commission proposed a $200 million grant program to help districts bolster cybersecurity. 

    ]]>
    New $200 Million FCC Proposal Could Help Schools Combat Cyber Attack Onslaught /article/new-200m-fcc-proposal-could-help-districts-combat-cyber-attack-onslaught/ Mon, 24 Jul 2023 11:15:00 +0000 /?post_type=article&p=711973 As ransomware and other cyber attacks become an increasingly potent threat to schools nationwide, a proposal by Federal Communications Commission Chairwoman Jessica Rosenworcel seeks to create the first federal funding stream to help districts fight back.  

    A three-year pilot program announced by Rosenworcel earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months – if not more than a year – before the help makes its way to schools as education groups demand a more urgent federal response.

    Federal Communications Commission Chairwoman Jessica Rosenworcel

    As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” Rosenworcel said in a July 12 speech before AASA, The School Superintendents Association and the Association of School Business Officers International.

    Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested. The allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year. 

    Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said Noelle Ellerson Ng, the group’s associate executive director of advocacy and governance. She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data.

    “All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” Ellerson Ng said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”

    A found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks – a marked 43% increase from 2021. The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs.

    Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records. An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

    Last month, New York City Public Schools, the country’s largest district, in a massive cyber attack on the file-sharing software MOVEit. The MOVEit attack has resulted in and organizations, including universities in at least a dozen states. The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many – if not most – students nationally.

    “Cybersecurity is definitely something that has just stormed into the forefront” as districts nationwide grow increasingly alarmed by attacks, Rosenworcel said. The federal government hasn’t previously provided money to schools for cybersecurity but the pilot program, she said, offers a first step.

    The five-member FCC commission must vote on the proposal before its full details are made public, the agency said, and it must go through a formal public comment and rulemaking process. Education experts predict it could be a year or more before the money is available to districts. 

    “I’ve told our superintendents that it’s realistic that it could take 10 months – best case scenario – before they’re able to apply,” Ellerson Ng said.

    School cybersecurity expert Doug Levin said the communications commission “has been slow-pedaling” on the issue for years and that the $200 million proposal is just “a drop in the bucket” of what districts nationwide would need to counter this online enemy. The pilot could be used to generate lessons learned and to set the stage for more robust federal investments, he said, but only a small number of districts are likely to receive grants under it.

    But the threat that districts face from cyber attacks is so great, Levin said, that even a much more significant investment in digital safeguards is unlikely to thwart the problem.

    “It’s hard for me to imagine that, even if they were wildly successful and every school district was able to put in place a next-generation firewall, that that’s going to make a meaningful difference in the number of successful attacks against school districts,” he said. “You know, maybe they shouldn’t be collecting all this data that’s so sensitive in the first place.”

    ]]>
    Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online /article/days-after-missed-ransomware-deadline-stolen-mn-schools-files-appear-online/ Wed, 22 Mar 2023 21:50:00 +0000 /?post_type=article&p=706402 A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

    A download link was published Tuesday night on a website designed to resemble a technology news blog – an apparent front – and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . 蜜桃影视 is still working to confirm the contents of the large, roughly 92-gigabyte file.

    Still, the available download is significantly smaller than the 157 terabytes – there are 1,000 gigabytes in one terabyte – the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

    “Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

    “Someone will tell me that this cannot be published. I will answer this simply – the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.”

    Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

    “If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.”

    It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange.

    Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or creating an action plan if they become the target of harassment.

    “Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.”

    The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.”

    “We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued.

    However, that statement appeared premature. After a countdown clock reached zero on Medusa鈥檚 dark web blog Friday, the files weren鈥檛 readily available for download. Instead, a 鈥淒ownload data now!鈥 button directed users to contact the gang through an encrypted instant-messaging protocol. 

    District officials didn鈥檛 respond to requests for comment from 蜜桃影视 Wednesday. Attempts by 蜜桃影视 to reach the gang have been unsuccessful. 

    Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang鈥檚 possession. 

    In posting the download link to the “clearnet” – a publicly accessible website that’s indexed by search engines – Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information – and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

    Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

    “Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I’m hoping I’m not on there. I attend school and work at this district.”

    The Telegram user, who identified themselves to 蜜桃影视 as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

    Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.”

    The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.”

    Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

    “I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

    Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery
    /article/minneapolis-hackers-student-data-deadline-published/
    Fri, 17 Mar 2023 22:49:27 +0000

    A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.

    Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by 蜜桃影视 to reach the gang have been unsuccessful.

    Files from previous Medusa victims are available on a website designed to resemble a technology news blog – a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform.

    Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 


    Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.”

    “We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.”

    Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

    An entry on the Medusa cyber gang’s dark web leak site says it has published stolen Minneapolis Public Schools data after the district declined to pay a $1 million ransom. (Screenshot)

    Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes.

    “Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.”

    By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files – including thousands of current and former students’ sensitive mental health records – was uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte.

    The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, is more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains – sensitive enough that they are backing it up and maintaining those files.”

    The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

    Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand.

    Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft.

    Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative,” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response.

    People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the “clearnet” where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

    Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks – but he offered a caution.

    “Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act.

    In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.”

    During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services.

    Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen points to the threat actors possibly lurking around inside the MPS computer systems for weeks – if not months.

    “Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”

    As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls and to change their passwords, and warning them against downloading any data released by cyber criminals because it plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.”

    L.A. Schools Admits Sensitive Student Records Leaked After 74 Investigation
    /article/l-a-schools-admits-sensitive-student-records-leaked-after-74-investigation/
    Thu, 23 Feb 2023 19:01:00 +0000

    After 蜜桃影视 published an investigation revealing that hundreds – if not thousands – of student psychological assessments were posted on the dark web, Los Angeles public schools acknowledged that the highly sensitive information had been exposed.

    Its admission on Wednesday, which included the news that 60 current students’ records had been compromised, comes five months after the nation’s second-largest school district was the victim of a ransomware attack and four months after schools Superintendent Alberto Carvalho categorically denied that students’ psychological records were part of that breach.

    “As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed,” Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. “Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as Driver’s License numbers and Social Security numbers.”


    蜜桃影视 published an extensive investigation by reporter Mark Keierleber Wednesday revealing that the records – among the most sensitive information school districts maintain on students – could be uploaded from a dark web leak site of the Russian-speaking ransomware gang Vice Society. The cyber criminal gang infiltrated LAUSD’s computer system last year and then released the records when the school district refused to pay an undisclosed ransom demand.

    When presented with the results of 蜜桃影视’s investigation Tuesday, district officials did not retract or correct Carvalho’s earlier statements, which a district spokesperson said “were based on the information that had been developed at that time.” The comments were made in early October, about a month after the cyber attack was first reported, and at a point where school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web, according to the schools chief.

    The district is now saying that notification to individuals whose information was posted has been slowed by the painstaking nature of the process and the fact that some of the records date back nearly 30 years. To comply with state privacy rules, the district posted to the California state attorney general’s office website in January disclosing that district contractors’ certified payroll records and their names, addresses and Social Security numbers were leaked.

    School officials have not said anything publicly about notifying current or former students or district employees that their information has been compromised, but said Wednesday their investigation is ongoing and they “will continue notifying individuals as they are determined.” A day earlier, a district spokesperson told 蜜桃影视 that no current or former students had been informed that their psychological records were posted online.

    The records identified by 蜜桃影视 were at least a decade old and involve special education students. They include a comprehensive background on the student’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.

    “It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” a cyber security expert told the Los Angeles Daily News it published on the district’s response to 蜜桃影视’s investigation.

    Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack
    /article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/
    Wed, 22 Feb 2023 12:15:00 +0000

    Hundreds – and likely thousands – of sensitive files were leaked online

    People are likely unaware their health records were stolen

    Because the district hasn’t disclosed the trove of records exists

    And federal privacy laws don’t require schools to go public

    Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations – including those of 60 current students – had been uploaded to the dark web.

    Detailed and highly sensitive mental health records of hundreds – and likely thousands – of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by 蜜桃影视 has revealed.

    The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records.

    But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked.

    Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws. Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools – even when the files themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed.

    But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange.

    “It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying – or even hiding – the fact that individuals had very sensitive information exposed,” Levin told 蜜桃影视. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.”

    In , the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology. The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency.

    When L.A. schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.”

    “We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses.

    The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files.

    The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing 蜜桃影视 to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. 蜜桃影视 has independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that would require health care providers to publicly disclose such a data breach if it involved patient health records.

    More than 2,200 PDFs – and a large swath of other document types – follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. The records are at least a decade old and while they don’t appear to contain information about current students, they do contain highly personal information about former LAUSD students who are now in their 20s and 30s.

    In early October, Carvalho said that if their information got exposed in the data breach, assuring them, “No news is good news.” By that point, Carvalho said, school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web.

    Now, more than four months after the schools chief denied that psychological evaluations were exposed, the nation’s second-largest school district has not changed its position publicly. A district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time” and that the review was still ongoing.

    “Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district told 蜜桃影视 in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update,” to affected individuals and the public.

    ‘Huge emotional strain for the family’

    The particular files posted online – students’ psycho-educational case studies – are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in special education disputes with their children’s school district.

    The evaluations are how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning.

    One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’”

    In general, Catron said, such reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment.” Yet it’s often difficult for families to get sensitive information removed from the files, he said, even if it isn’t accurate. Now, with breached student records of this nature in the public domain, “who knows what is going to happen.”

    “The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not, it can just cause a huge emotional strain for the family.”

    The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law.

    Available files appear to be limited to former Los Angeles students born primarily in the late 1980s and 1990s. The age of the records highlights how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.

    The timeline could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.

    “Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”

    The disclosure gap

    Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act to publicly acknowledge health data breaches affecting 500 or more people and notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.”

    The Broward County, Florida, school district recently got caught in after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on maintained by the Department of Health and Human Services. The breach portal – often referred to as the “Wall of Shame” – includes all data breaches affecting 500 or more people that were reported to the federal agency in the last 24 months.

    District officials in Florida ultimately – three months longer than federal rules allow – to disclose the breach’s full extent on its website, according to the South Florida Sun-Sentinel. In a statement, a district spokesperson told 蜜桃影视 the school system “worked diligently to investigate the incident.” Once officials realized that records related to the district’s self-insured health plan were breached, notifications to affected personnel and the federal health administration “required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified.”

    “That process was complex and took substantial hours,” the spokesperson said. “Under the circumstances, notification was made in an expeditious manner.”

    The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools under the health privacy law. And even when they are, students’ education records – – are exempt. by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but, unlike HIPAA, schools to disclose when such breaches occur.

    “The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.”

    A are covered by HIPAA, the LAUSD district spokesperson said, but the psychological assessments are not. A data breach involving student’s records – like the one in Los Angeles – , according to the U.S. Department of Education.

    “FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.”

    Yet, consequences for violating FERPA are next to nonexistent. Districts if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, it’s from a district that broke the rules.

    ‘A psychological torment’

    To , the Los Angeles district has been about the systemic breach of sensitive records about distinct construction contractors. In posted to the California state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors.

    The data breach notice also made clear that cyber criminals had infiltrated the district’s computer network than initially disclosed. Carvalho said in October that district cybersecurity officials were quick to detect the unauthorized access and, “in a very, very unique way, we stopped the attack midstream.”

    The district spokesperson said LAUSD is working to determine whether any of the breached files are considered “medical information” under state law and whether a notification is required. Any data breach alert to the state attorney general’s office would coincide with notifications to affected individuals, the spokesperson said.

    Asked about the school district’s notification obligations for the trove of leaked student psychological records and whether it’s investigating the matter, an AG’s office spokesperson said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer any other information. Reached for comment about the data breaches in Los Angeles and Broward County, a federal Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to say anything further.

    The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached to provide compensatory services to children with disabilities after an investigation by the U.S. Education Department’s civil rights office found it had failed to provide them during the pandemic. Parents and advocates said last month many children are still waiting for those services.

    Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from those much-needed special education services.

    “I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

    “Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”

    Opinion: Three Ways Schools Can Fend Off Ransomware Attacks
    /article/three-ways-schools-can-fend-off-ransomware-attacks/
    Sun, 18 Dec 2022 14:30:00 +0000

    After years of targeting and extorting high-value corporate targets, ransomware attackers have turned to more vulnerable prey – school districts. With less funding, less-than-mature cybersecurity defenses and limited (or even nonexistent) controls over an abundance of sensitive data, educational institutions are prime targets for cybercriminals.

    As a number of attacks against school systems across the country demonstrate, schools are relatively low-hanging fruit for those who steal data and sell it or hold it for ransom. While corporations have been able to harden their defenses, boost spending on resilience measures, enhance their cybersecurity programs and evaluate risks, school systems – K-12 and higher education alike – haven’t been able to keep up.




    In part, their vulnerability stems from the fact that school boards don’t tend to allocate funding to these risks. Focused on pressing priorities – everything from closing achievement gaps and catching kids up from COVID-related learning setbacks to ensuring schools’ physical safety – cybersecurity isn’t at the top of most school agendas.

    When ransomware is discussed, it’s considered an IT issue – something that only the information technology department needs to worry about. Yet, in many instances, these departments are scarce in funding and staffing, so the initiatives are outsourced to third-party contractors without considering what internal staffing is needed to assign and oversee their work.

    School boards fail to see cybersecurity investment as risk mitigation and often do not prioritize allocating budget dollars to beef up IT resources. 

    That said, school officials should not throw up their hands in despair and figure that they’re doomed when it comes to ransomware attacks. While no one can avoid being a target, a few crucial steps can go a long way toward minimizing the potential impact.

    As a first step, school leaders should ask themselves: What data are we trying to protect? Schools maintain student records, personnel records, health care information and more. They have a variety of systems, from email to attendance tracking to e-learning, that contribute to daily operations. Wrapping their arms around what needs to be protected is the first piece of the puzzle. 

    Then, schools should take a “people, process and technology” approach to securing their infrastructure and building up resiliency.

    From a people perspective, everyone in a school district – the superintendent, principals, teachers, students and parents – should know they’re responsible for helping to maintain good cyber hygiene. Then comes process: District policies should require things like end-user cybersecurity education and awareness, the use of strong passwords and mandates for regular anti-virus scanning. Technology is the third leg of the approach. It should be used to automate certain things like password length and reset periods, as well as keeping software and systems up to date to eliminate vulnerabilities in district computers, tablets, network devices and even learning management tools.

    The final step is to have a plan for what to do if any of the school’s information or systems are attacked. Schools should have a crisis management plan for any kind of disruption, whether it’s an earthquake, a pandemic, a hurricane, a power outage or, yes, a ransomware attack. Surprisingly, few school systems actually do. They should have cyber incident response plans and test them – just as they conduct fire drills.

    Without a well-rehearsed playbook for responding to a ransomware attack, the odds increase dramatically that getting back to normal will require paying ransom. Well-prepared, resilient organizations, by contrast, will have contingency plans that allow them to quickly revert to data backups and resume operations with minimal disruption. 

    A bit of good news for schools looking to reach that level of resiliency: In addition to the $190 billion in Elementary and Secondary School Emergency Relief (ESSER) funds that were issued last year for schools to use as they see fit, there’s a $1 billion in the pipeline specifically earmarked to help state and local institutions upgrade their cyber protection.

    No school district enjoys spending time or money on cybersecurity, but the consequences of a ransomware attack are too dire to ignore. By giving this threat the attention it deserves, schools will better be able to focus on their real priorities of teaching and learning.
