data breach – The 74: America's Education News Source

As Feds Crack Down on Huge Ed Tech Data Breach, Parents and Students Left Out

Sat, 13 Dec 2025 11:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

The Federal Trade Commission announced this month plans to  over a massive 2021 data breach. The move added to a long list of government actions against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed fines and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach.

The in their efforts to hold Illuminate accountable are parents and students.

Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn’t constitute a concrete harm.


In the news

Students walk out of East Mecklenburg High School in protest of U.S. Border Patrol operations targeting undocumented immigrants on Nov. 18 in Charlotte, North Carolina. (Getty Images)

The latest in President Donald Trump’s immigration crackdown: In many cities across the country, from New Orleans to Minneapolis, resisting federal immigration enforcement means keeping kids in school.

  • Trump’s mass deportation effort has had a particularly damaging effect on the child care industry, which is heavily reliant on immigrant preschool teachers — most of them working in the U.S. legally — who have found themselves “wracked by anxiety over possible encounters with ICE.”
  • ‘Culture of fear’: Immigrant students across the country have increasingly found themselves targets of bullying since the beginning of Trump’s second term, according to a new survey of high school principals.

A Kansas middle school will no longer assign Chromebooks to each student: Computers have had “a wonderful place in education,” the school’s principal said. But schools have “simply immersed students too much in technology.”

A Florida middle school went into lockdown after an automated threat detection system was triggered by a clarinet. A student was walking in the hallway “holding a musical instrument as if it were a weapon.”

Sign-up for the School (in)Security newsletter.

Get the most critical news and information about students' rights, safety and well-being delivered straight to your inbox.

‘Got what he deserved’: A California teacher has filed a federal First Amendment lawsuit against her school after she was suspended for a Facebook post calling right-wing political activist and Turning Point USA founder Charlie Kirk a “propaganda-spewing racist misogynist” a day after he was murdered.

  • In Florida, two teachers have filed separate First Amendment lawsuits after they were punished for social media posts critical of Kirk after his death.
  • Texas Gov. Greg Abbott announced a partnership with Turning Point USA to create local chapters of the group at every high school campus in the state, vowing “meaningful disciplinary action” against any educators who stand in the way.
  • Kirk’s wife, Erika Kirk, will field questions from “young evangelicals, prominent religious leaders and figures across the political spectrum” during a live town hall Saturday on CBS News moderated by its new editor-in-chief, Bari Weiss.
  • ICYMI: The Trump administration’s First Amendment crackdown in the wake of the activist’s violent death has left student free speech on even shakier ground.
Vice chair Robert Malone during a meeting of the CDC Advisory Committee on Immunization Practices on Dec. 5 (Getty Images)

Following a shakeup in its ranks by vaccine skeptic and Health and Human Services Secretary Robert F. Kennedy Jr., a Centers for Disease Control and Prevention advisory committee voted to overturn a decades-long recommendation that newborn babies be immunized for hepatitis B — a policy credited with decimating the highly contagious virus in infants.

  • A measles outbreak in South Carolina schools is accelerating, with some unvaccinated students in a second 21-day quarantine since the beginning of the academic year.

A photo that circulated online depicted California high school students lying in the shape of a swastika on the grass of a football field. Chaos ensued.

‘It feels nasty. It’s gross.’: Controversy has come to a head at a California high school after an adult film producer rented out the campus gym for a raunchy livestream. “The first thing I see is a full-grown adult, an adult man wearing a baby costume and being fed milk from a baby bottle,” one student observer noted.

Two Texas teenagers allegedly conspired to carry out a school shooting at their high school but the plot was thwarted after classmates reported text messages with their plans to school police. “Don’t come to school on Monday,” one of the messages warned.


ICYMI @The74

A GOP push to limit public borrowing by graduate students could exclude many nursing students, as well as those training for several other professions. (Glenn Beil/Getty Images)


FTC, State AGs Crack Down on Ed Tech Company After Massive Student Data Breach

Fri, 12 Dec 2025 11:30:00 +0000

When the Federal Trade Commission announced this month it was Illuminate Education over a massive 2021 data breach, it added to the list of government measures against the firm since hackers broke into its systems and made off with the sensitive information of more than 10 million students.

Three state attorneys general have also now imposed penalties and security mandates on the company following allegations it misled customers about its cybersecurity safeguards and waited nearly two years to notify some school districts of the widespread data breach. 

The ones that haven’t made progress in their efforts to hold Illuminate accountable are parents and students. Their pursuit hit a wall in September when the Ninth Circuit Court of Appeals dismissed a federal lawsuit filed by the breach victims. The court, ruling on a case filed in California, found that the theft of their personal data — including grades, special education information and medical records — didn’t constitute a concrete harm.

The federal appeals court of a proposed class-action lawsuit filed by families whose children’s information was compromised. The court concluded the plaintiffs lacked standing because they did not demonstrate actual damage from the breach or an “imminent and substantial” risk of future identity theft. In the years since the cyberattack was carried out, the court concluded, there was no evidence that the records, which did not include Social Security numbers, had been misused to commit identity theft. 

“It has been more than three years since the breach,” the court wrote, “and no fraud has occurred, nor is the kind of information at issue the kind that this court normally considers sufficient to find a credible threat of identity theft.” 

Under announced by the FTC this month, Illuminate will be required to create a “comprehensive information security program,” delete any student data it is no longer using and notify the commission of any future data breaches. Regulators allege a third-party company hired by Illuminate to assess its cybersecurity safeguards raised red flags but Illuminate failed to heed those warnings a year before it was hacked using the compromised credentials of a former employee.

“Illuminate pledged to secure and protect personal information about children and failed to do so,” Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said in a media release this month. The FTC action, Mufarrige continued, should serve as a warning to other companies that the commission “will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”

After the data breach, which affected the country’s two largest school districts in New York City and Los Angeles among others, Illuminate was by another education technology company, in 2022. Since then, a Renaissance spokesperson said in a statement to The 74 this week, Illuminate products have been incorporated into its “cybersecurity and data protection program.”

“robust security protocols and controls used to safeguard the integrity and confidentiality of the data entrusted to us by schools, educators and families,” the spokesperson said.

The FTC action comes on the heels of last month, when state attorneys general in California, Connecticut and New York secured a combined $5.1 million in penalties from Illuminate, along with cybersecurity requirements that resemble the FTC’s demands. State investigators similarly alleged sweeping security flaws at the company, including the failure to monitor suspicious activity and deactivate the inactive user accounts of former employees. 

A California Department of Justice that Illuminate made “false and misleading statements” about its cybersecurity safeguards in its privacy policy and “deceptively advertised” to school districts that it was a signatory of the nonprofit Future of Privacy Forum’s now-defunct “Student Privacy Pledge.” 

The voluntary pledge, , sought to hold education technology companies accountable for maintaining “a comprehensive security program” to protect students’ personal information and to prevent the sale of student records for targeted advertising. 

Illuminate became the first ed tech company to get booted from the pledge after reporting by The 74 called into question its utility in holding tech firms accountable for failing to meet its provisions.

The multistate Connecticut regulators reached a settlement under its state student data privacy law — which was enacted nearly a decade ago. 

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” Connecticut Attorney General William Tong said in a statement. The settlement “holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

L.A. Schools Telehealth Vendor Waited 8 Months to Report Breach

Sat, 16 Aug 2025 10:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

It’s another hot summer Friday and another day with  — this one jeopardizing both student health and campus safety data.

And once again, the development is unfolding in the country’s second-largest school district.

Kokomo Solutions, which the Los Angeles district contracts with , disclosed a data breach after it discovered an “unauthorized third party” on its computer network. The discovery happened in December 2024, but the notice to the California attorney general’s office wasn’t made until Aug. 5.  

It’s the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile 2022 ransomware attack exposing students’ sensitive mental health records and last year’s collapse of a much-lauded $6 million artificial intelligence chatbot project. 


In the news

Students at the center of Trump’s D.C. police takeover: In an unprecedented federal power grab, the Trump administration’s seizure of the D.C. police department and National Guard deployment is designed to target several vulnerable groups — including kids.

  • The move comes at a time when crime in the nation’s capital is on the decline. But a deep-dive from June explores how the district’s failure to prevent student absences has contributed to “the biggest youth crime surge in a generation.”
  • Here’s what young people have to say about Trump’s D.C. takeover.
  • City police will roll out a youth-specific curfew Friday in the Navy Yard neighborhood.

A new Ohio law requires school districts to implement basic cybersecurity measures in response to heightened cyberattacks. What the law doesn’t do, however, is provide any money to carry out the new mandate.

News in Trump’s immigration crackdown: A federal judge in Minnesota has released from immigration detention a 25-year-old nursing mother, allowing her to return to her children as her case works its way through the court.

  • The Trump administration has revived one of its most controversial immigration policies from the president’s first term: Separating families.
  • Federal immigration officials quizzed an Idaho school resource officer about an unaccompanied migrant student, part of a broader national effort to conduct “welfare checks” on immigrant youth who came to the U.S. without their parents.
  • Leading Oklahoma Republican lawmakers have partnered with the Trump administration in a lawsuit challenging a state law allowing undocumented students to receive in-state college tuition.
  • Los Angeles community members have organized to create protective perimeters around the city’s campuses after immigration agents reportedly drew their guns on a student outside a high school.
    • The district announced new bus routes designed to improve student safety while commuting to school during heightened immigration enforcement.
  • The nonprofit Southwest Key, which for years has been the federal government’s largest provider of shelters for unaccompanied migrant children, has laid off thousands in Texas and Arizona after losing federal grants. The Trump administration dropped a lawsuit in March over allegations the nonprofit subjected migrant children to widespread sexual abuse.
  • A Texas court blocked the state attorney general’s request to depose and question a nun who leads Catholic Charities of the Rio Grande Valley, one of the largest migrant aid groups in the region.

Microphone-equipped sensors installed in school bathrooms to crack down on student vaping could be hacked, researchers revealed, and turned into secret listening devices.

‘These are innocent children, sir’: New video of the delayed police response to the 2022 mass school shooting in Uvalde, Texas, shows the campus police chief attempting to negotiate with the gunman for more than 30 minutes.

Kansas schools have become the latest target in the Trump administration’s campaign against districts that permit transgender students to participate in school athletics.

  • The Loudoun County, Virginia, school board has refused to comply with an Education Department order to end a policy allowing transgender students to use restroom facilities that match their gender identity.
  • The Education Department’s Office for Civil Rights has opened an investigation into allegations the Baltimore school district ignored antisemitic harassment by students and educators.

Lots of drills — little evidence: A congressionally mandated report finds that active shooter drills vary widely across the country — making it difficult to understand their effect on mental and emotional health.

A federal judge has blocked a new Arkansas law requiring that public schools display the Ten Commandments in all classrooms. It’s the second state Ten Commandments law to be halted this year.

ICYMI: I did a deep-dive into the far-right Christian nationalists behind more than two dozen state Ten Commandments-in-schools bills nationally — each of which is inherently identical.

Is Texas up next? Civil rights groups will ask a judge on Friday to prevent a similar law from going into effect.



Emotional Support

Don’t sleep on this—the billion-dollar industry for hypoallergenic (and floofy!) designer pups.

Ed Tech Co. That Provides Telehealth to L.A. Students Experiences Data Breach

Thu, 14 Aug 2025 18:33:38 +0000

Updated Aug. 16

An education technology company that built an app for Los Angeles students to receive telehealth services during the school day has fallen victim to a data breach that puts students’ sensitive information in jeopardy, a disclosure to state regulators reveals. 

The company, Kokomo Solutions, also hosts an anonymous tip line where Los Angeles community members can , safety threats and mental health crises to the school district’s police department. In filed with the California attorney general’s office, the company disclosed that an unspecified number of individuals’ personal information was compromised after an “unauthorized third party” accessed its computer network and the exposed files pertained to the Los Angeles Unified School District. 



The company, also known as Kokomo24/7, says it discovered the unauthorized access on Dec. 11, 2024, nearly eight months before it disclosed what happened to victims. The district has not issued any public statements alerting students and families that their sensitive information may have been compromised. 

Kokomo24/7, which has apparently scrubbed its website over the last few days of references to its work with the nation’s second-largest district, did not respond to requests for comment.

A Los Angeles Unified spokesperson said the company notified the school system on Dec. 12, 2024, “that an unauthorized user gained access to certain files containing personal information, stored on behalf of the District.” The spokesperson said the breach was not connected to LAUSD’s telehealth program or its student patients, but did not say whose information was exposed. They said it was Kokomo’s responsibility to handle disclosure to all affected parties and that, as far as L.A. school officials know, “there has been no evidence of personal information being shared as a result of the breach.”

While many details about the breach remain unknown, including the specific types of information that were compromised and whether it was the result of a cyberattack, the incident raises red flags because “there’s no question that [Kokomo is] managing exceptionally sensitive information” about campus safety issues and students’ medical information, school cybersecurity expert Doug Levin said. 

“This is another example of schools outsourcing the collection and management of exceptionally sensitive data on school communities which, if abused, could affect the health and safety of the school community,” said Levin, the co-founder and national director of the K12 Security Information eXchange. “We definitely would benefit from knowing more about how they were compromised and how they’re going to fix it.”

District officials have touted the telehealth service to parents since the data breach was disclosed. In an Aug. 8 live video session over Facebook, a district student and community engagement specialist gave that laid out L.A.’s back-to-school offerings.

Parent advocate Evelyn Aleman, who facilitated the event, said she was pleased to learn about the telehealth service during the presentation. Parents grew accustomed to telehealth during the pandemic and the virtual service could benefit families who have been advocating for better health services in schools, she said. But she hadn’t heard about the data breach before being contacted by The 74.

“I have a lot of questions: Was the person who was presenting to the group aware that [the breach] had happened?” asked Aleman, who founded the group Our Voice to advocate for low-income and Spanish-speaking L.A. families. “And how deep was the breach? Obviously that would be of concern to the parents.”

, the Los Angeles Schools Anonymous Reporting app allows students, parents and others in the community to report “suspicious activity, mental health incidents, drug consumption, drug trafficking, vandalism and safety issues” to the district’s . 

That same year, L.A. schools  — along with the Children’s Hospital Los Angeles and Hazel Health — to launch new . The $800,000 program, funded by , is designed to provide app-based mental and physical health care to students, including at school. Hazel Health provides virtual mental health services, according to the district’s website, while Kokomo24/7’s services focus on physical health issues, including minor injuries, allergies and headaches. 

In , the district describes its Kokomo24/7-managed telehealth program as an option for students “to access healthcare when not feeling well during school hours” with the supervision of a school nurse “while remaining in school and focusing on learning.” 

Kokomo founder and CEO Daniel Lee lauding the company’s ability to “transform” L.A. Unified’s COVID-tracking and health data system in a year after the school system’s previous tool became “clunky, difficult to customize and expensive to maintain.” The post notes the company’s role in creating the anonymous reporting application and the district’s Incident System Tracking Accountability Report, an internal tool to document injuries, medical emergencies and campus threats.

The Kokomo24/7 breach is the latest in a series of data privacy incidents affecting L.A. schools, including a high-profile ransomware attack in 2022 that led to the exposure of thousands of students’ mental health records. Schools Superintendent Alberto Carvalho at first categorically denied that students’ psychological evaluations had been exposed but then had to acknowledge that they were after The 74’s investigation revealed the records’ existence on the dark web.

Los Angeles Unified Supt. Alberto Carvalho, during the official launch of the AI-powered chatbot, “Ed.” (Getty Images)

Meanwhile, the district’s rollout last year of a highly touted AI chatbot named “Ed” was derailed after AllHere, the ed tech company hired to develop the $6 million project, shuttered abruptly and filed for Chapter 7 bankruptcy. The company’s founder and CEO, Joanna Smith-Griffin, was then indicted on charges she defrauded investors of some $10 million. A company whistleblower told The 74 AllHere’s student data security practices violated both industry standards and the district’s own policies.

The L.A. district for the chatbot bid — including Kokomo24/7 — before awarding the contract to AllHere. Both the bankruptcy and criminal cases are pending. In July, a school district spokesperson told The 74 that Ed “remains on hold.”

The Kokomo24/7 website lists a wide suite of products, primarily in physical security including building access control systems, emergency alarms and visitor management tools. It also names large companies among its customers, including The Oscars — the company was the “health and safety software provider” — United Airlines’ subsidiary United Express and Fifth Third Bank. 

But the Illinois-based company has a relatively small footprint in the education sector, according to records in the GovSpend government procurement database. Among the handful of its school district clients is the Hartford, Connecticut, school system where educators spent more than $60,000 between 2020 and 2023 for licenses to to screen students’ temperatures, track infections and conduct contact tracing. Glendale Unified, a neighboring district to Los Angeles, is also listed as a client on the company’s website.

Kokomo24/7’s connections to the L.A. district were widely featured on the company’s website until this week. In fact, listed four foundational events, including the 2023 launch of the “anonymous reporting app for students and an emergency alert system for staff” for the L.A. district.

A quote attributed to Superintendent Alberto Carvalho appeared on the Kokomo Solutions website until this week. Multiple references to the company’s work for the district were removed from its website after it disclosed the data breach. (Screenshot)

The reference to the school district was removed from the company timeline this week, as was a banner attributing a quote to Carvalho, a picture of district police officers and the district police department’s logo. Press releases announcing Kokomo’s work with the L.A. district appear to have also been scrubbed from the internet. 

The since-removed Carvalho quote called “critically important.” Though slightly misstated, the remark comes from a March 2023 school board meeting where Carvalho boasted of people’s ability to “relay in an anonymous way — or not — potential threats” to a student or a school. 

The Los Angeles Schools Anonymous Reporting app hasn’t been universally praised, and last year filed by anti-surveillance activists who alleged the tool created “a culture of mass suspicion” and bolstered police interactions between students of color and those with disabilities. 

The Stop LAPD Spying Coalition, which filed the lawsuit seeking records about the app, students, parents and community members “to surveil each other” on behalf of school police and to file reports that don’t require evidence. It also questioned why the community was being encouraged to file reports on people in mental health crises as part of a broader effort to investigate “suspicious activity.” 

“The app criminalizes mental health, perpetuating the idea that if someone has a mental illness they are inherently a threat to others,” the activist .

School Districts Unaware BoardDocs Software Published Their Private Files

Thu, 12 Jun 2025 18:30:00 +0000

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, The 74 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps.

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by The 74 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools.

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told The 74 Diligent began notifying all BoardDocs customers — including those who were not directly affected — on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones.

Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by The 74 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised.

In an interview with The 74, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”

Nithya Das

Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to The 74, saying, “Documents that were supposed to be set to private access were made accessible.” She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered.

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them. 

 “I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;”  “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDoc files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.” 

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach have prompted dozens of lawsuits filed by parents, students and school districts. 

The National School Boards Association, which represents more than , didn’t respond to requests for comment from Ӱ. On , the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.” 

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by Ӱ that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month. 

The record was provided to Ӱ on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,”  the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to Ӱ and said the company is not required to notify impacted individuals under any state-level breach notification laws. 

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements. 

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told Ӱ they hadn’t received notices about the incident. 


“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to Ӱ. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

PowerSchool Paid Off Hackers After Huge Breach — Now They’re Extorting Districts

/article/powerschool-paid-off-hackers-after-huge-breach-now-theyre-extorting-districts/ Thu, 08 May 2025 17:13:49 +0000

Cybercriminals demanded ransom payments from school districts nationwide this week, using millions of K-12 students’ sensitive data as leverage after the files were stolen from education technology giant PowerSchool in a massive cyberattack late last year. 

The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed tech behemoth’s decision to in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.



It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain. 

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack. 

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.” 

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said. 

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records. Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including to both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly. 

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.” 

Though they confirmed just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system. 

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices. 

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “We are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”

Pennsylvania Teachers Union Members Sue After Cyberattack Exposes Personal Data

/article/pennsylvania-teachers-union-members-sue-after-cyberattack-exposes-personal-data/ Mon, 07 Apr 2025 14:30:00 +0000

Members of the Pennsylvania State Education Association have filed multiple class-action lawsuits against the union after a cyberattack compromised the personal information of more than a half-million people.

Three union members filed suit in March, just days after the union announced a data breach had occurred on July 6, 2024.

A union investigation into the incident, completed Feb. 18, found that an “unauthorized actor” gained access to records like Social Security numbers, bank account numbers, birthdates and taxpayer identification information.



The Rhysida ransomware gang claimed on its dark web site in September that it had carried out the cyberattack.

The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the said 517,487 people were affected.

The suits allege the union failed “to properly secure and safeguard private information that was entrusted to them” and that those affected — including the relatives of members — will suffer financial losses and lost time detecting and preventing identity theft. 

Educators must provide personal information to the union to receive its benefits, according to the lawsuits. 

The plaintiffs also allege that the union waited too long to announce the data breach. were sent out on March 17, a month after the union’s investigation was finished.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The attack occurred on computer systems that needed security upgrades, the lawsuits allege. Two of the plaintiffs have reportedly experienced increased numbers of spam calls and emails.

“[The union] failed to properly monitor the computer network and systems that housed the private information,” one lawsuit says. “Had [the union] properly monitored its computer network and systems, it would have discovered the massive intrusion sooner rather than allowing cybercriminals almost a month of unimpeded access.”

The union, which represents 178,000 members, said in a previous statement that it isn’t aware of identity theft connected to the breach. It did not respond to a request for comment from Ӱ about the lawsuits.

The plaintiffs are seeking compensatory damages and want the court to order the union to pay for at least 10 years of credit monitoring services for those affected. Motions were filed in a Pennsylvania district court Tuesday to consolidate the lawsuits into one class-action case.

‘Evict Elon’: Teachers Union, Others Sue to Stop DOGE’s Access to Ed Dept. Data

/article/evict-elon-teachers-union-others-sue-to-stop-doges-access-to-ed-dept-data/ Wed, 12 Feb 2025 22:21:42 +0000

The American Federation of Teachers filed a this week alleging that, in an unprecedented move, the Department of Education illegally gave Elon Musk’s Department of Government Efficiency access to millions of private and sensitive records, violating the federal Privacy Act.

Six individuals joined the suit, filed by the nation’s second-largest teacher’s union, alongside a coalition of labor unions representing over 2 million workers. Those impacted include teachers, who relied on federal student loans to pay for their college tuition, and high school students, who recently filed their federal financial aid forms with the department.

“When I filled out the FAFSA, I gave my Social Security number and my parent’s income information as well as their investment information,” Maryland high school student Sara Porcari said at an AFT Wednesday. “I thought that information would be private and secure. Now I’m not sure what’s happening.”



“I’m only 17 years old,” she continued, “and I don’t know who has access to my personal information or how this data breach will affect my future in college and in general.”

AFT President Randi Weingarten questioned why Musk, a billionaire given free rein by the president to remake the federal government, and DOGE want access to that information, expressing doubts about their stated purpose of improving government efficiency. 

 An AFT press release Tuesday called for “Elon Musk and his minions to be immediately evicted from the U.S. Department of Education,” alleging they were feeding the data from millions of people’s private student loan accounts “into artificial intelligence in one of the biggest data hacks in U.S. history.”

 

Elon Musk arrives for the inauguration of U.S. President-elect Donald Trump in the U.S. Capitol Rotunda on January 20, 2025 in Washington, DC. (Getty Images)

Ernesh Stewart, a Washington, D.C., school counselor and mom, echoed those concerns Wednesday, “Why do you need to access my daughter’s scholarship information? Why do you even need my home address? I can’t help but wonder if there is a hidden agenda. If one of the country’s wealthiest men, who also happens to be deeply invested in AI, has access to all this information, whatever it is, I feel like it’s a gross violation of privacy.”

The Education Department, which oversees the private information of 43 million student borrowers who hold $1.6 trillion in student debt, did not immediately respond to a request for comment. A DOGE representative did not immediately respond to an email requesting comment.

Weingarten and other panelists at the conference expressed their hope that President Donald Trump’s nominee for education secretary, Linda McMahon, would join them in condemning this “data breach,” during her Thursday confirmation hearing.

“I would hope that what she would do is protect students and protect families from this kind of financial intrusion and invasion and … say to the millions of people that have been affected the steps she’s taking to stop it,” Weingarten said.

While the lawsuit contends government agencies have valid purposes for maintaining these record systems, the makes clear they can only provide access to them in very specific situations. Here, though, the filing argues, DOGE representatives have accessed the data to shut down payments “and in the case of the Education Department, the agency itself.”

After gaining access to the systems last week, Musk, who is not an elected official, turned to X, the social media platform he owns, to boast that the Department of Education no longer exists. 

In another DOGE-led effort, the Trump administration moved Monday to gut the Institute of Education Sciences, temporarily disabling an essential source of data on a host of basic information, ranging from high school graduation rates to school safety. 

DOGE was created by a Trump executive order in January. Supporters argue Musk is working to cut federal bloat and streamline systems. But critics say Musk, whose companies, including SpaceX, receive billions in government contracts, lacks transparency and has immense conflicts of interest.  

The suit, filed Monday in U.S. District Court in Maryland, also alleges that the U.S. Department of Education, along with the Office of Personnel Management and the Department of Treasury, has exposed millions of Americans to “the risk of identity theft, harassment, intimidation, and embarrassment” by improperly disclosing their sensitive records to DOGE employees who lack appropriate security clearances. The staff includes a 19-year-old who has previously leaked proprietary information, according to the suit.

WIRED magazine broke the story earlier this month that at the center of DOGE’s effort to take over various federal departments and agencies are six male engineers, with ties to Musk.

In particular, plaintiffs claim that the Department of Education and its acting head, Denise Carter, have released data from the National Student Loan Data System, a financial aid-related database housed within the Education Department that contains information on almost 34 million borrowers and their families. It includes a plethora of sensitive information, including Social Security numbers, bank records, home addresses and immigration status. 

About 20 people with DOGE have begun working inside the education department, looking to cut According to reporting from some of these representatives have fed sensitive and personally identifiable data from across the department into artificial intelligence software to look into the agency’s programs and spending.

Plaintiffs are asking the court to end the data disclosure immediately by restoring Privacy Act protections and are demanding that any data currently in DOGE’s possession be deleted and destroyed. The act, put in place in the wake of the Watergate scandal, regulates the circumstances in which agency records about individuals can be shared; disclosing anything beyond this is illegal.

On Tuesday, a federal judge in a against the Education Department blocked Musk’s team from accessing several systems that store sensitive data including student loans, but only temporarily. In a hearing for that case, Musk said he did not see how DOGE’s access to student loan data caused harm.

While it has previously been reported that DOGE representatives are political appointees, it now appears that some have received official government credentials, including email addresses, at multiple agencies, including at the Department of Education, leading to confusion about who actually employs them.

Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden

/article/kept-in-the-dark/ Tue, 04 Feb 2025 09:01:00 +0000

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by Ӱ shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms — by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told Ӱ. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

When breaches go unspoken

Ӱ’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

Ӱ tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, Ӱ relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, Ӱ could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to Ӱ’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by Ӱ, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by Ӱ through a public records request. School districts routinely denied Ӱ’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by Ӱ reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked Ӱ. 

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

Districts’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said. 

“The wording in notices is disheartening,” Strauss told Ӱ. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead. 

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet Ӱ identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

“This is a troubling practice that must end,” she wrote.

Records obtained by Ӱ show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

But he was quick to defer to the district and its lawyers.

William Tedford, now the Somerset police chief. (Facebook)

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told Ӱ. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.” 

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told Ӱ that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by Ӱ — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told Ӱ. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by Ӱ show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that  the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. Ӱ redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by Ӱ show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by Ӱ. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told Ӱ. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told Ӱ he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for Ӱ.

This story was supported by a grant from the Fund for Investigative Journalism.


This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by Ӱ shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms —&Բ;ܲ  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told Ӱ. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


When breaches go unspoken

Ӱ’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

Ӱ tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

In many instances, Ӱ relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, Ӱ could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to Ӱ’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Records obtained by Ӱ, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by Ӱ through a public records request. School districts routinely denied Ӱ’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by Ӱ reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”


One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he “didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told Ӱ. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by Ӱ show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections.”

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. Ӱ redacted the students' faces. (Screenshot)

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by Ӱ show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by Ӱ. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told Ӱ. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told Ӱ he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for Ӱ.

This story was supported by a grant from the Fund for Investigative Journalism.

Online Censorship in Schools Is ‘More Pervasive’ than Expected, New Data Shows /article/schools-use-of-web-filtering-subjective-and-unchecked/ Thu, 23 Jan 2025 13:30:00 +0000 /?post_type=article&p=738793 This article was originally published in

Aleeza Siddique, 15, was in a Spanish class earlier this year in her Northern California high school when a lesson about newscasts got derailed by her school’s internet filter. Her teacher told the class to open up their school-issued Chromebooks and explore a list of links he had curated from the Spanish language broadcast news giant Telemundo. The students tried, but every single link turned up the same page: a picture of a padlock. 

“None of it was available to us,” Aleeza said. “The site was completely blocked.” 

She said her teacher scrambled to pivot and fill the 90-minute class with other activities. From what she recalls, they went over vocabulary lists and independently clicked through online quizzes from Quizlet — a decidedly less dynamic use of time. 


 by the D.C.-based Center for Democracy & Technology shows just how often some of that blocking happens nationwide. The nonprofit digital rights advocacy organization conducted its fifth annual survey of middle and high school teachers and parents as well as high school students about a range of tech issues. About 70% of both teachers and students this year said web filters get in the way of students’ ability to complete their assignments. 

Virtually all schools use some type of web filter to comply with the Children’s Internet Protection Act, which requires districts taking advantage of the federal E-rate program for discounted internet and telecommunications equipment to keep kids from seeing graphic and obscene images online. A , which is now a part of CalMatters, discovered far more expansive blocking by school districts than federal law requires, some of it political, mirroring culture war battles over what students have access to in school libraries. That investigation found school districts blocking access to sex education and LGBTQ+ resources, including suicide prevention. It also found routine blocking of websites students seek out for academic research. And because school districts tend to set different restrictions for students and staff, teachers can be  because of how they complicate lesson planning.

Web filtering is ‘subjective and unchecked’

Elizabeth Laird, director of equity in civic technology for the center and lead author of the report, said The Markup’s reporting helped inspire additional survey questions to better understand how schools are using filters as a “subjective and unchecked” method of restricting students’ access to information. 

“The scope of what is blocked is more pervasive and value-laden than I think we initially even knew to ask last year,” Laird said. 

While past surveys have revealed how often students and teachers report disproportionate filtering of content related to reproductive health, LGBTQ+ issues and content about people of color, the center asked respondents this year if they thought content associated with or about immigrants was more likely to be blocked. About one-third of students said yes. 

Aleeza would have said yes, after her experience with Telemundo. The California teen said how often she runs into blocks depends on how much research she’s trying to do and how much of it she has to do on her school computer. When she was taking a debate class, she ran into the blocks regularly while researching controversial topics. An article in Slate magazine about LGBTQ+ rights gave her a block screen, for example, because the entire news website is blocked. She said she avoids her school Chromebook as much as possible, doing homework on her personal laptop away from school Wi-Fi whenever she can. 

Nearly one-third of teachers surveyed by the Center for Democracy & Technology said their schools block content related to the LGBTQ+ community. About half said information about sexual orientation and reproductive health is blocked. And Black and Latino students were more likely to say content related to people of color is disproportionately blocked on their school devices.

For students like Aleeza, the blocking is frustrating in practice as well as principle. 

“The amount that they’re policing is actively interfering with our ability to have an education,” she said. Often, she has no idea why a website triggers the block page. Aleeza said it feels arbitrary and thinks her school should be more transparent about what it’s blocking and why. 

“We should have a right to know what we’re being protected from,” she said.

Audrey Baime, Olivia Brandeis, and Samantha Yee, all members of the CalMatters Youth Journalism Initiative, contributed reporting for this story.

This was originally published on .

Providence’s Refusal to Acknowledge Sensitive Student Data Leak Feels Familiar /article/providence-hack-exposes-thousands-of-sensitive-student-records/ Sat, 19 Oct 2024 12:01:00 +0000 /?post_type=article&p=734414 School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber. Subscribe here.

Medusa’s back at it. 

The cybergang, which has become notorious for devastating ransomware attacks on K-12 school systems, has claimed the Providence, Rhode Island, district as its latest victim, leaking tens of thousands of sensitive student records on its Telegram channel. 

Yet the district remains unaware — or is perhaps unwilling to admit — that students’ private affairs have entered the public domain. Sexual misconduct reports. Special education records. Medical records. Vaccine histories. All are available with a Google search and a few mouse clicks. 

So why won’t the district acknowledge to parents and students that their information was stolen? It’s a refusal I’ve seen repeated again and again while reporting on school cyberattacks over the last few years. 

Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/Ӱ).

Earlier this month, the Providence district spokesman told reporters that an ongoing investigation had uncovered that any personal information for students has been impacted.” Yet when Ӱ presented the district this week with evidence to the contrary, he doubled down. Third-party consultants are conducting “a comprehensive review” to determine what files were stolen, he told Ӱ without uttering the word “student.” 

The files have been available for download for nearly a month. The state education department spokesperson told me — in an unsolicited phone call this week after catching wind of my latest investigation — that nobody (except me, apparently) was previously able to access the breached records. 

“No one had actually gone in to see the files,” he said. 

Click here to read my latest story on the K-12 ransomware beat. And thank you to our partners at The Boston Globe our story Friday.


In the news

As Eric Adams, the mayor of New York City and a former police officer, faces not one but four (!) criminal investigations, federal agents searched the offices of the city police department’s school safety division. The raid was part of an inquiry into a possible bribery scheme involving a company that sells panic buttons to districts nationwide. |

GAO Report K-12 Education: Nationally, Black Girls Receive More Frequent and More Severe Discipline in School Than Other Girls

‘Black girls were always the ones who got disciplined’: Black girls face harsher and more frequent disciplinary actions than their white female classmates — in the same schools and for similar behaviors — according to a new Government Accountability Office report on racial disparities in student suspensions. | Ӱ

Kids who are removed from their homes for abuse or neglect routinely find themselves sleeping in the offices of child protective services. Here’s how often it happens in Indiana. |

‘I’ve got to finish up my school shooter outfit, just kidding’: Prosecutors say the father of a teenager accused of unleashing a deadly mass shooting at his Georgia high school knew the boy was obsessed with previous gunmen — and had a shrine above his bed to the school shooter in Parkland, Florida. |

Specialized schools in Michigan that serve students with complex behavioral issues routinely call the cops for backup. The frequent calls, critics argue, offer evidence the schools are failing the kids they’re designed to help. |

How DACA helps everyone: Deferred Action for Childhood Arrivals — the Obama-era policy that provides deportation relief to undocumented immigrants who entered the country as young children — is a boon for U.S.-born kids, a new study suggests. The program “improves test scores and educational attainment not only for those directly eligible, but also for their peers.” |

How a 15-word statement led to the arrest of a 10-year-old boy with autism at his Texas elementary school. |

The Massachusetts attorney general’s office has sued TikTok, alleging the social media company knew its service was addictive to teens and was associated with sleep disruption, depression and anxiety. |

Nov. 5 is approaching … And schools worry about the safety of their students when their campuses are used as polling locations. |

Utah lawmakers earmarked $100 million for schools to meet new security requirements, including panic buttons, locks and armed guards. The actual price tag? $800 million. |


ICYMI @The74

1st Federal Survey of Trans Students: 72% Feel ‘Hopeless,’ 1 in 4 Tried Suicide

L.A. Housing Crisis Hits LAUSD as Number of Homeless Students Continues to Grow

NYC Schools Launch Anti-Hate Hotline as Antisemitism and Islamophobia Reports Rise

Banned Books Find Shelter in Maryland ‘Sanctuary Library’


Emotional Support

Leo, who lives with my colleague Jo Napolitano, came prepared for school photo day.

Providence Students’ Data Exposed in Cyberattack — District Denies Leak /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/ Fri, 18 Oct 2024 10:30:00 +0000 /?post_type=article&p=734352 Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month. 

A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by Ӱ revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist. 

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

An analysis by Ӱ of the stolen files — posted by the threat actors to the messaging platform Telegram — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.” 

Providence Public School District documents leaked after a data breach and redacted by Ӱ. (Screenshot).

In a statement to Ӱ on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.” 

Wégimont’s statement doesn’t acknowledge that students’ records had been compromised. 

The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told Ӱ.

“People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.” 

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Javier Montañez

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials. 

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday. 

“No one had actually gone in to see the files,” he told Ӱ, although the district had said it was conducting an ongoing analysis. 

Providence Public School District documents leaked after a data breach and redacted by Ӱ. (screenshot)

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said. 

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.” 

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.” 

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

A Providence Public School District student’s vaccine record. Ӱ cropped the photo above to remove the student’s name. (Screenshot)

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles 

The Medusa attack and Providence’s response are similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by The 74 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown.

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw. 

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records. 

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

Stolen Providence School District Data May Be Making Its Way Online

Sun, 13 Oct 2024 13:00:00 +0000

This article was originally published in

Providence public school officials last Friday were about to finalize a credit monitoring agreement to provide protection for district teachers and staff after a recent ransomware attack on the district’s network.

Then over the weekend, a video preview of selected data allegedly stolen from the Providence Public School Department (PPSD) showed up on a regular website. The site is accessible via any internet browser — what’s sometimes called the “clearnet” — unlike the dark web ransom page where cybercriminal group Medusa first alleged to .

While a forensic analysis of the breach continues, the credit monitoring agreement with an unspecified vendor was finalized as of Thursday and the district was drafting a letter to go out to the staff “very soon” with information on how to access those services, spokesperson Jay G. Wégimont said in an email.


“First and foremost, the safety and security of our staff members is of utmost importance, and the District continues to make decisions with that in mind,” Wégimont said.

“We will also continue to explore any additional services we can offer to protect the security of our staff members and students.”

Meanwhile, the data breach has yet to be formally reported to the Rhode Island Attorney General’s office, said spokesperson Brian Hodge. Rhode Island state law requires any municipal or government agency to inform the AG’s office, credit reporting agencies, and people affected by a breach within 30 days of the breach’s confirmation.

PPSD first used the wording “unauthorized access” to describe the breach in a Sept. 25 letter from Superintendent Javier Montañez, although the Providence School Board had used the term “breach” in a public statement on Sept. 18.

Providence Mayor Brett Smiley was “encouraged” the district was advising potentially affected staff and finalizing the credit monitoring agreement, spokesperson Anthony Vega said in a statement emailed Tuesday to Rhode Island Current.

The Providence City Council declined to comment, said spokesperson Roxie Richner in an email. Gov. Dan McKee’s office did not respond to a request for comment.

‘Robert’ makes a video

Ransomware group Medusa first took public credit for the pirated PPSD data on Sept. 16, when it demanded a $1 million ransom to be paid by the morning of Sept. 25.

Rhode Island Current previously reported that the alleged ransom landing page did not provide access to files, but did show file and folder names, as well as partially obscured screenshots of the allegedly stolen data.

The clearnet-hosted leak includes a 24-minute screen recording in which someone clicks through an assortment of the allegedly leaked files and folders on an otherwise empty Windows desktop. The post sports a disclaimer that its author is “not engaged in illegal activities” and showcases leaks only for “possible information security problems.”

The author signs off: “Traditional thanks to The Providence Public School Department for the provided data. Do not skimp on information security. Always yours. Robert.”

While the uploader does not explicitly brand themself as affiliated with Medusa, the “Robert” source appears to share all the same leaks Medusa does, and both sources use the same encrypted messaging address, according to threat researchers at Bitdefender.

Ransomware attacks, and Medusa’s methodology as well, have long been associated with social engineering — like getting people to click phishing links in emails. But it’s becoming more common that outdated hardware or software are to blame, said Bill Garneau, vice president of operations at CMIT Solutions in Cranston.

“What we’ve started to see in terms of ransomware is, it’s not only business email compromise,” Garneau said. “Threat actors out there are really pursuing systems that are out of compliance.”

That could mean equipment at the end of its manufacturer-supported lifespan, or software that needs to be patched. Garneau’s company uses a crafted by the National Institute of Standards and Technology. One of its standards is to patch devices within 30 days of the patch release, before threat actors can exploit the vulnerabilities patches are meant to fix.

“If there’s a patch available, it’s because there’s a bad guy out there that knows that there’s a vulnerability, and there’s somebody that’s knocking on doors trying to find it,” Garneau said.

To insure or not to insure?

Cyber insurance policies can cover some costs incurred by attacks. But they can’t prevent future threats or suddenly make insecure networks better, Garneau noted.

“Insurance is great, right? But that’s not going to solve any problem,” Garneau said.

PPSD has not responded to requests about whether the district has cyber insurance. According to Lauren Greene, a spokesperson for the Rhode Island League of Cities and Towns, no public entity would disclose that information anyway. “As you can understand, it poses a security risk for municipalities to disclose if and what type of cybersecurity insurance that they have,” Greene said in an email.

“Municipalities continue to prioritize training for their staff in order to mitigate risk and draw awareness to the constantly evolving threats,” Greene added, and noted that a community’s IT staff may work across multiple areas or departments like public safety and schools.

A released Monday, however, showed that state-level IT officials and security officers are not feeling confident about the budgets for their states’ IT infrastructure.

“The attack surface is expanding as state leaders’ reliance on information becomes increasingly central to the operation of government itself,” Srini Subramanian, principal of Deloitte & Touche LLP, said in an with States Newsroom. “And CISOs (chief information security officers) have an increasingly challenging mission to make the technology infrastructure resilient against ever-increasing cyber threats.”

Those challenges were reflected in the survey numbers, which found almost half of respondents did not know their state’s budget for cybersecurity. Roughly 40% of state IT officers said they did not have enough funds to comply with regulations or other legal requirements.

That finding echoes a , which scores and analyzes municipal bonds. “While robust cybersecurity practices can help reduce exposure, initiatives that are costly and require a shift in resources away from core services are a credit challenge,” wrote Gregory Sobel, a Moody’s analyst and assistant vice president, in the report.

Moody’s also noted that one survey showed 92% of local governments had cyber insurance, a twofold increase over five years. But that popularity came with higher rates: One county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Those higher costs are also in addition to stricter stipulations on risk management practices before a policy will pay out, like better firewalls, consistent data backups and multi-factor authentication.

Douglas W. Hubbard, the CEO of consulting firm Hubbard Decision Research and coauthor of “How to Measure Anything in Cybersecurity Risk,” told Rhode Island Current in an email that schools should exhaust the low-cost, shared or free resources available to help them manage cyber risk. Examples include (CISA) or a by the Federal Communications Commission for K-12 schools.

“For specific cybersecurity recommendations…there are a few things that are so fundamental that administrators don’t really even need a risk analysis to get started,” Hubbard said. They include training staff and students on best practices including strong passwords or avoiding mysterious links. Multi-factor authentication is “probably the single most effective technology a school could implement,” even if it involves an upfront cost, Hubbard said.

“The fundamental responsibilities of the schools should include at least using the resources which have been made available to them through the programs I mentioned,” Hubbard said. “If they aren’t doing at least that, there is room for blame.”

This article was corrected to show that Rhode Island state law requires municipal agencies to notify affected parties and the state Attorney General within 30 days of a data breach. The article originally stated 45 days, which is the timeframe required for individuals to report a breach. 

is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Rhode Island Current maintains editorial independence. Contact Editor Janine L. Weisman for questions: info@rhodeislandcurrent.com. Follow Rhode Island Current on and .

Providence School Officials Quiet on Data Breach Details

Wed, 25 Sep 2024 14:30:00 +0000

This article was originally published in

The Providence School Board typically broadcasts its meetings to .

But Wednesday evening’s board meeting would not be televised.

Less than five minutes before the scheduled start time, school board President Erlin Rogel to express his regret that a weeklong internet outage at Providence schools would also affect the board’s regularly scheduled programming. But the portion of the meeting most germane to the network issues wouldn’t have been broadcast anyway, since it met in executive session.


In a statement issued Thursday, Rogel described the executive session as “regarding the recent breach of the district’s network.” It included a presentation from the Rhode Island Department of Education (RIDE) and the Providence Public School Department (PPSD).

“While I cannot disclose the specific contents of our discussion, I can state that the district is awaiting an analysis of this breach to learn more about its severity and the degree to which any information was exposed,” Rogel wrote. “While we await the results of that analysis, PPSD continues to mobilize every resource available to ensure that learning proceeds with as little disruption as possible.”

Rogel did not respond to multiple requests for comment from Rhode Island Current.

The school board president’s use of the term “breach” differs from the district’s official language, which has tiptoed around the problem’s exact nature. A to the PPSD community described “irregular activity” on the district network, which ultimately led IT staff to shut down internet access across district offices and schools. Internet remains largely absent in Providence schools, aside from a fleet of enlisted to provide connectivity in the main network’s absence.

A sent from PPSD to community members said a forensic analysis was still ongoing and that “there is no evidence that PPSD data has been affected.”

But on Monday, for the “irregular activity” with a post to its publicly accessible ransom blog that purported to include 41 watermarked, sometimes partially obscured, screenshots that preview the contents of the 201 gigabytes of data the hackers claim to have stolen, with identifying information — like alleged serial numbers for employee cell phones and parents’ contact information — included.

After penetrating a system, Medusa ransomware and amasses exploitable data. Once the bounty is big enough, it will encrypt files and make them inaccessible to users. A ransom note is then delivered to victims, with files held hostage unless a ransom is paid. Medusa hackers also employ a “” method, meaning they not only steal files, but will sell or release the data publicly if payment is not received.

The ransom page suggests PPSD can recover or delete its data by paying $1 million. A $100,000 payment would extend the timer by one day. The deadline is the morning of Sept. 25, according to the hackers’ countdown timer.

Specifics about district kept secure

Jay G. Wégimont, PPSD spokesperson, did not respond to numerous requests for clarification or comment on Friday.

Forensic analyses , meaning those answers won’t be available immediately. But it’s still unknown whether the school department has a cyber insurance policy, or the possible costs associated with the usage of hotspots that are currently substituting for a dedicated network. Also up in the air is whether the district successfully awarded a 2024 contract that would for copies of security software Cortex XDR Pro, a product from Palo Alto Networks that promises with proper installation.

Wégimont did not provide information as to the status of the district’s senior director of information technology, for which a has been online since May. The role is also vacant according to a Jan. 2024 . The contains 13 full-time information services roles for PPSD, down three from the previous year.

“We also want to note that our student and staff information systems are also separate from our network,” Superintendent Javier Montañez wrote in a Sept. 16 letter to the PPSD community.

Wégimont did not clarify what this means. Typically, large networks called domains offer varying levels of access for different types of users across IT services for big organizations like school districts.

Back-to-school for threat actors, too

Perennially underfunded school districts nationwide are a favorite among ransomware actors. A report published in Oct. 2022 cited research that over 647,000 K-12 students were potential victims of ransomware attacks as of 2021. Resulting learning loss ranged from days to weeks, while it took districts’ infrastructure anywhere from two to nine months to recover.

Providence officials have not confirmed ransomware as the source of their network woes. The alleged hack comes at an inopportune time for PPSD, which has been under state control since 2019 and will remain so for , state education officials announced last month.

If Medusa leaks the PPSD data it claims to have, and it contains private student information, the leakage could be in, a federal law meant to shield confidential student data. Best practices determine that affected school districts contact authorities once a breach is suspected. (Schools do not, however, have to contact the U.S. Department of Education about ransomware, although it is so they can receive federal resources.)

“As is standard operating procedure, the District and their professional third-party IT agency contacted RI State Police, Federal Bureau of Investigation (FBI), and Department of Homeland Security (DHS) last Wednesday,” Wégimont said in a Sept. 18 email.

Kristen Setera, a spokesperson for the FBI Boston Division, declined to comment.

“Generally speaking, we do not comment on specific incidents because victims should feel confident that, when reporting a crime to the FBI, their status as ‘victim’ is paramount to the investigation and that their identity will not be disclosed,” Setera said in a Thursday morning email to Rhode Island Current. “If a victim wants to disclose our involvement, we leave it up to them to do so.”

In the meantime, Providence schools have made do with older technologies. Maribeth Calabro, president of the Providence Teachers Union, did not acknowledge requests for comment from Rhode Island Current, but did previously speak with multiple news outlets about the effects on the district’s teachers. Some are confused about which devices they can or can’t use, Calabro told the , and have opted to teach the old-school way instead, without computers.

A Tuesday on a social media post about the potential Providence hack seems to voice one student’s concern: “Bro.. I just want the school wifi back.”

Data Privacy Advocates Raise Alarm Over NYC’s Free Teen Teletherapy Program

Thu, 12 Sep 2024 12:30:00 +0000

This article was originally published in

New York City’s free online therapy platform for teens may violate state and federal laws protecting student data privacy, lawyers from the New York Civil Liberties Union and advocates charged in a letter Tuesday to the city’s Education and Health Departments.

Teenspace, a $26 million partnership between the city Health Department and teletherapy giant Talkspace launched in late 2023, connects city residents between ages 13 and 17 with free therapists by text, phone, or video chat.

In less than a year, roughly 16,000 students have signed up, Health Department officials said. Sign-ups disproportionately came from youth who identified as Black, Latino, Asian American and female and live in some of the city’s lowest-income neighborhoods, .


Information shared with a therapist is subject to stringent protections under the federal Health Insurance Portability and Accountability Act, or HIPAA. But before connecting with a therapist through Teenspace, teens go through a registration process that asks for personal information like their name, school, mental health history, and gender identity. Advocates are concerned such information is being improperly collected and could be misused.

For one, teens enter the registration information before securing parental consent – a possible violation of federal student privacy laws, the letter contends.

And families don’t get a chance to review the privacy policy – which discloses that registration information can be used to “tailor advertising” and for marketing purposes – before entering the registration information, advocates allege. There’s an option for teens to request that their data be deleted from the company’s platform, but it’s hard to find, according to advocates.

“It’s all very invasive,” said Shannon Edwards, a parent and founder of AI For Families, an organization that seeks to help families navigate artificial intelligence, who co-authored the letter along with NYCLU and the Parent Coalition for Student Privacy. “It’s also very unclear that parents understand what they’re getting themselves into.”

Advocates also pointed to the risk of a potential data breach – something the city has in recent years.

Advocates say similar about have been circulating for years and questioned whether city officials did sufficient due diligence or built in enough additional privacy safeguards before inking the contract.

“It’s the opacity of the relationship here, and the failure to make manifest what the city is doing to ensure there isn’t this data accumulation and sharing for inappropriate purposes,” said Beth Haroules, a senior attorney at the NYCLU who co-authored the letter.

Health Department spokesperson Rachel Vick said the agency has “taken additional steps to protect the data of Teenspace users and ensure information is not collected for personal gain, including stipulations that require all client data to remain confidential during and after the completion of the city’s contract and barring use of data for any purpose other than providing the services included in the contract.”

Client data is destroyed after 30 days if a teen doesn’t connect with a therapist, officials said.

A spokesperson for Talkspace referred questions to the Health Department.

The extent to which Teenspace is subject to state and federal laws governing student privacy in educational settings is somewhat murky, given that the contract is with the city’s Health Department, not its Education Department.

But NYCLU attorneys contend “the City cannot absolve itself of its responsibility to provide the protections inherent in federal and state laws…simply because the contract sits with DOHMH instead of DOE. The service is promoted on public school websites, and it is DOE’s responsibility to ensure that student data is protected, regardless of which City agency signs the contract.”

Parents may be more inclined to trust the platform because it has a “stamp of approval” from the school system, Edwards added.

A Health Department spokesperson didn’t specify whether the program is subject to education privacy laws, but said it’s “not a school based service.”

Teenspace has been the city’s highest-profile effort to address the ongoing youth mental health crisis.

“We are meeting people where they are with a front door to the mental health system that for too long has been too hard to find,” said Ashwin Vasan, the city’s health commissioner, in May.

Some teens have praised the program, noting it’s a way to bring mental health care to young people who may not otherwise have access.

But some mental health providers have argued it can’t replace the kind of intensive care a clinician provides, especially for kids with severe mental health challenges.

Company officials shared in May that they had helped 36 teens navigate serious incidents including reports of suicide attempts and abuse – cases they referred to child protective services, in-person therapists, or hospitals.

Talkspace CEO Jon Cohen previously told Chalkbeat the company uses an artificial intelligence algorithm to scan transcripts of therapy sessions to help identify teens at risk of suicide.

Even advocates critical of Teenspace’s privacy protections acknowledge the severe shortage of mental health providers and say teletherapy can play a role in filling the gap.

“We know you cannot find providers … there is such a need,” said Haroules. But advocates said the city can do more to ensure its vendors are meeting strict standards for data privacy, especially with such sensitive information.

“Everyone thinks, well, mental health is important for kids, these kinds of services are required … when on the other side is: ‘How are they getting to it?’” said Edwards. “It doesn’t matter what the app is, there has to be a standard.”

This was originally published by Chalkbeat. Chalkbeat is a nonprofit news site covering educational change in public schools.

L.A. Schools Investigates Data Breach as FCC Approves $200M Cybersecurity Pilot

Fri, 07 Jun 2024 20:39:26 +0000

On the same day that millions of sensitive records purportedly stolen from the Los Angeles school district were posted for sale on the dark web, the Federal Communications Commission approved a $200 million pilot program to help K-12 schools and libraries nationwide fight an onslaught of cyberattacks.

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years. 

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.


“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

A post on the BreachForums marketplace listed a trove of Los Angeles Unified School District records for sale for $1,000. (Screenshot)

The Satanic Cloud, which posted the most recent batch of LAUSD data, told The 74 it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told The 74 in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, The 74 found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had.

Just last month, a joint investigation by The 74 and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breach notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district.

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L.A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggests the records include similar information about teachers.

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told The 74 “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information.


Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told The 74, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack.

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.” 

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.” 

Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households. 

In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support.

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told Ӱ that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.” 

Louisiana School District Notifies Data Breach Victims After News Investigation
/article/louisiana-data-breach/
Wed, 29 May 2024 10:30:00 +0000

This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months — long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General’s Office to contact the district and warn school officials of their obligations. 

The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request. 


They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general’s office was on the phone to the school district. The attorney, focused on consumer protection, questioned them “directly in response to the article,” one email states.

The Dec. 4 investigation, co-published by The Advocate and Ӱ, contradicted school district assertions that no sensitive student, employee or business owners’ information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months. 

L. Christopher Styron, the lawyer with the state attorney general’s office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry’s data breach response obligations under state law — rules that school officials had failed to follow.

Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers they alerted victims that their information had been compromised. It’s unclear how many victims, among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach.

The school board’s attorney Courtney Joiner wrote in a response email to Styron a day later that he was “working with the School Board to address the notice issue without further delay.” 

In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that “sensitive information may have been obtained by an unknown malicious third-party,” according to the records. Officials didn’t send a formal notice to the attorney general’s office until Jan. 10, a day after The Advocate filed its public records request.

Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail “well after the fact” that she had been victimized. 

“I really thought it was too little, too late,” she said. “This should have happened much earlier.”

Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

It took the district 149 days after the breach to tell victims they “may have been impacted by the incident” and another 19 to formally notify the attorney general. 

The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

Officials with the school board declined to answer any questions for this story. A list of written questions was submitted but officials had yet to respond by the time of publication. The attorney general’s office didn’t respond to interview requests.

St. Landry’s response resembles that of school districts across the country, investigative reporting by Ӱ has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat’s impact on students and teachers, education leaders nationwide have sought to downplay the attacks’ severity and obscure any subsequent harm to individuals.

James Lee, the chief operating officer of California-based said the delay by St. Landry officials is “reflective of a problem we have” nationally where cyberattack victims have grown increasingly resistant to filing breach notices. 

“In many instances, it’s because the decision to issue a notice resides 100% with the organization that loses control of the information,” Lee said. “Highlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they’re at risk.” 

‘For reasons that are unknown’

In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn’t contain any sensitive employee or student information.

But Ӱ’s data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status. 

Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

In its letter to the AG’s office, the district stated that the stolen files had been “recovered.” However, a check by Ӱ last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don’t pay to keep them private. 

Superintendent Batiste wrote in that Jan. 10 notice that the district’s computer network had been encrypted by “a malicious person or group” in July but that St. Landry had never received a ransom demand. 

Yet, among the cache of district documents available on Telegram is a text file titled “LOOK!!!!,” which includes a link to Medusa’s dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa’s Telegram channel and to a website designed to resemble a technology news blog — a front of sorts — with a video highlighting the St. Landry records in its possession. 

It was in August 2023 that the Louisiana State Police Cyber Crime Unit notified school officials that “an unknown number of files containing sensitive information” had been compromised, the letter states. That same month, Batiste had assured the public otherwise.

Files posted to a Medusa leak site “were recovered by the Cyber Crime Unit” with the state police, Batiste’s letter continues, “but, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6” — two days after the newspaper investigation published. 

‘How do you recover it?’

The cybercriminals behind the St. Landry breach employed “double extortion,” a growing ransomware strategy where hackers break into a victim’s computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet. 

In asserting to reporters last year that the Medusa hack didn’t lead to a breach of sensitive information — despite overwhelming evidence that it had — district officials acknowledged they hadn’t taken any steps to understand the scope of what was stolen or to notify individual victims. 

Byron Wimberly, the district’s computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools — even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information. 

Tricia Fontenot, the district’s supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all. 

“We never received reports of the actual information that was obtained,” Fontenot said. “All of that is under investigation. We have not received anything in regard to that investigation.”

Fontenot’s statement contradicts Batiste’s timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20. 

Reached by phone last week, Fontenot declined to comment.

The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by “an unknown malicious” threat actor but isn’t explicit to recipients about whether their information was included.

It remains unclear how many of the thousands of data breach victims identified in the news outlets’ investigation — including teachers, staff, students and sales tax filers from across the country — received the Dec. 21 notice. 

The data breach letter states that victims were being notified months after the incident because “the process of obtaining and then reviewing the acquired files took several months.”

“We are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,” the letter states, acknowledging that stolen information contains individuals’ names, addresses, birth dates, Social Security numbers and driver’s licenses. 

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

Louisiana’s data breach notification law doesn’t apply to some types of sensitive files exposed in the breach, such as student disciplinary records. 

School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn’t exist and state requirements vary. 

School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

“In fact, I don’t think I’ve ever heard of that kind of arrangement,” he said. “Most organizations do hire their own cybersecurity experts whether it’s a school district or it’s a nonprofit or a commercial entity.” 

Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

While the district offered a year of credit monitoring — a common practice after entities suffer data breaches — Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever. 

“How do you recover it once it’s out there?” she said. “Do you tell the people who got it illegally that you have to take it down and hope they do?”

This story was supported by a grant from the Fund for Investigative Journalism.

Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge
/article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/
Fri, 02 Feb 2024 11:01:00 +0000

A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

In response to an inquiry by Ӱ, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear “unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with Ӱ. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of students’ personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told Ӱ the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by Ӱ uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,’” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.’”

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in Ӱ, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told Ӱ at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided Ӱ didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,’” he said. “A pledge is just like, ‘whoops, our bad,’ a little bit of bad press and you just sweep it under the rug and move on.”

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and Ӱ.

Minneapolis Data Breach a ‘Worst-Case Scenario’ after Ransomware Attack
/article/from-campus-rape-cases-to-child-abuse-reports-worst-case-data-breach-rocks-mn-schools/
Fri, 05 May 2023 11:15:00 +0000

Updated

It took two years of middle school girls accusing their Minneapolis English teacher of eyeballing their bodies in a “weird creepy way,” for district investigators to substantiate their complaints.

Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public Schools investigative records that are now readily available online — just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

The files, purportedly stolen from the Minneapolis school district, first appeared online in March, just days after a ransomware gang named Medusa announced the school system failed to pay $1 million to keep its information from getting posted to the web. 

In a leaked 2018 email, a district official seems to make light of the frequency of civil rights complaints after several girls accused their high school Arabic teacher of inappropriate touching. 

“When it rains, it pours, I guess!” the district official wrote. In other documents, an educator was accused of buying a colleague a lap dance during an afterwork outing to a strip club and, in a separate incident, a district technology specialist was accused of hacking into a girl’s social media to stalk her on a date. The veracity of the files hasn’t been confirmed by Minneapolis schools but by all appearances, they expose a shocking degree of information about current students and staff. 

The information is so searingly personal that attorney and student privacy consultant Amelia Vance said she would have a hard time strategizing a mitigation response. 

“I’m an expert in this and I have no idea,” Vance, president of the Public Interest Privacy Center, told Ӱ. 

The records were uncovered in an analysis by Ӱ of a cache of files reportedly stolen from Minneapolis schools and uploaded to the internet after the district fell victim to what it euphemistically described as an “encryption event.” The Medusa gang, a that adopts a clumsy, perhaps youthful online persona, ultimately took credit for the February breach that led to . 

The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse. 

Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns. 

“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.” 

She’s also struggled to give meaningful advice to anxious parents who need help. 

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.’”

‘A rock over their head’

While the oldest breached records span back to at least 2018, the most recent files, including several related to confidential civil rights cases, are from earlier this year. Some of the files — which were previewed in a 50-minute video — can be read with little more than a Google search. 

The way the files were uploaded is “part of what makes this incident so heartbreaking and extraordinary,” Vance said. 

Breaking from standard procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as Ӱ first revealed, download links were published to Telegram, the encrypted instant messaging service, and a faux technology news blog that appears to have direct ties to the ransomware attackers. Unlike breaches posted to the dark web, which require special tools and some know-how to access, Vance said “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”

The files include district financial records, educators’ Social Security numbers and other documents that have long been targets for cyber criminals looking to facilitate identity theft. Yet Vance said the real harm — and a distinguishing feature — of the Minneapolis breach is the sheer volume of compromising information about students and staff that has been exposed. 

The district didn’t respond to a list of questions from Ӱ. In its , from April 11, interim Superintendent Rochelle Cox said it has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.” While a small subset of the data was previewed in a video in early March, a download link for the complete archive of stolen district records didn’t become available until late March. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7, but does “not have the results of that investigation.” 

Because the harm from ransomware attacks has long been framed through the lens of identity theft and fraud, robust protections are now in place to help the victims of financial crimes, Vance noted. Parents can freeze their children’s credit. People can also cancel any credit cards that get caught up in a breach, and districts regularly provide identity theft protection to data breach victims.

After the release of highly sensitive information, she said there are no clear remedies for something that could be potentially life altering for victims.

“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?” 

‘Potentially catastrophic’ 

Federal law enforcement officials have long advised school districts and other cybercrime victims against paying ransom demands, but the sheer volume and sensitive nature of the breached Minneapolis files has left some experts questioning whether the district made the right call by refusing to pay up. 

“There are circumstances where — if you’re looking at it from a question of, ‘How do you reduce potential harm and risk and danger to your school community,’ — then doing the unsavory is perhaps the correct choice,” said Doug Levin, the national director of the K12 Security Information Exchange.

Officials generally warn against paying ransoms for several reasons: Negotiating with known criminals may not produce the desired outcome, and offering payments helps finance future crimes. But in this case, Levin said the Minneapolis district was presented with a difficult choice. Even before the records were posted online, the group took extraordinary steps — including uploading a video to Vimeo — to publicize sensitive records in what appeared to be a particularly aggressive bid to coerce payment. 

Given how current and diverse the stolen records are, Levin and other experts suspect Medusa infiltrated multiple live computer systems. The freshness of the files, Levin said, means their content may still be accurate and, for bad actors, actionable. 

Calling the Minneapolis breach a “worst-case scenario,” he said, “The amount of information that was taken and the recency and the scope of it is certainly deeply troubling.”

Minneapolis may be a cautionary tale for districts nationwide who have fallen prey to money-hungry ransomware gangs leveraging “double-extortion” attacks against schools, hospitals and businesses. In such incidents, which present an alarming evolution from previous strategies, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if the money doesn’t materialize, they sell the data or publish it to a leak site. 

Ransomware attacks on U.S. schools have become a primary concern for federal law enforcement officials this year. In January, the federal Cybersecurity and Infrastructure Security Agency in attacks with “potentially catastrophic impacts on students, their families, teachers and administrators.” Since the pandemic forced students into remote learning, district cyber attacks have been particularly acute. The number of publicly disclosed cybersecurity incidents affecting schools grew from 400 in 2018 to more than 1,300 in 2021, according to that relies on data from Levin’s group. 

Federal law enforcement officials have had several recent victories in tracking down cybercriminals. BreachForums, a popular dark web marketplace where people could buy stolen data, was shuttered after Federal Bureau of Investigation agents in March. The capture of the 20-year-old, who authorities allege operated the forum from his parents’ Peekskill, New York, house, sent shock waves through the cybersecurity community and disrupted the global cybercrime ecosystem. In January, federal authorities took control of a prolific ransomware gang’s leak site and against seven men connected to a Russian-based ransomware group known to target schools. 

In Washington, pending introduced last month seeks to better track cyber incidents in schools and would provide $20 million over two years to help affected systems recover. 

Last year, the school district in Los Angeles, the country’s second largest, suffered a massive ransomware attack that exposed a trove of compromising information about educators, students and district contractors. In response to investigative reporting by Ӱ, the Los Angeles district acknowledged the breach included the sensitive mental health records of at least 2,000 current and former students after publicly denying those records were exposed. Last month, data from the Rochester, Minnesota school district was breached after it that forced leaders to cancel classes. shuttered Des Moines, Iowa, schools in January. 

Swift action needed

Taken together, the leaked Minneapolis records offer a startling quantity of compromising information about students and teachers. They also include detailed records about campus security systems that school officials said could place children and educators at a heightened risk of physical danger. 

A single spreadsheet details 699 disciplinary incidents from the 2015-16 school year, listing students’ names and a brief description of incidents. One entry claimed a student was “threatening other students’ mothers,” and another claimed a student put his hands together in the shape of a gun and said “I’m bringing a gun to school tomorrow and shoot.” 

Each of the spreadsheet entries contains pinpoint demographic information about individual students, including their race, gender, whether they’re in special education, if they’re homeless or are learning English as a second language.

One group of files includes letters informing disciplined students they could face trespassing charges if they show up on campus, while another includes reports of student maltreatment, including allegations a bus driver hit a student and that a teacher used excessive force.

Such records could be valuable for blackmail — and for the police. In 2020, for example, a Florida county sheriff’s office used sensitive student records to predict which ones were likely to “fall into a life of crime.” In other cases, police agencies have leaked in data breaches to conduct investigations. 

A separate group of Minneapolis records, purportedly from 2015 to earlier this year, outline nearly 300 individual district equity and civil rights investigations. 

In one case, district investigators found that over the course of several years, a boy coerced a classmate into sexual encounters in exchange for $5 and, in another case, a high school girl reported getting raped in a campus bathroom. In a detailed 2018 complaint, a high school girl accused a male classmate of raping her in a car after a home football game. Yet a district investigator ultimately dropped the complaint because the girl declined an interview and the official was “unable to ascertain her credibility based only on her written statement,” according to breached files. 

In multiple complaints, educators were accused of being racist. Just last year, an English as a second language teacher at a Minneapolis high school was accused of racial harassment when she reportedly used the name of a Somali student and a cartoon of a woman wearing a hijab in a class presentation. The slide defined the idiom “to have a bone to pick” and the teacher reportedly asked the student to read to the class a description of the term with her name attached: “(redacted) never comes to class on time; she leaves class without permission, is affecting her peers, her grades and is disrespectful to her peers.” 

In January, a complaint accused a high school coach of making a transphobic joke and openly discussing his genitals. While he was stretching in front of a group of female athletes, the complaint alleges, he warned them that he was wearing “very short shorts” and instructed them to “let me know if my junk falls out.”

In a case from January, the middle school English teacher accused of gazing at students’ bodies and touching them inappropriately was placed on paid administrative leave while district investigators conducted their inquiry. Investigators determined the complaint was substantiated, but the middle school’s website still lists the teacher in its staff directory. A district spokesperson did not respond to questions about whether the teacher faced disciplinary action or his current status.

Given the many ramifications, Levin said the breach demands swift action to ensure the safety of the school community and to prevent something like this from happening again. He said the Minneapolis school board — or even state authorities — needs to launch a prompt investigation.

“States do intervene in school systems when they’re being financially irresponsible or even academically irresponsible,” Levin said. “It may be that Minneapolis is not equipped to deal with the fallout from an incident like this.” 

Days After Missed Ransomware Deadline, Stolen MN Schools’ Files Appear Online

/article/days-after-missed-ransomware-deadline-stolen-mn-schools-files-appear-online/ Wed, 22 Mar 2023 21:50:00 +0000

A trove of files purportedly stolen from Minneapolis Public Schools has turned up on the internet days after a cyber gang announced the school system had missed its deadline to pay a $1 million ransom demand.

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . Ӱ is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. 

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.” 

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.” 

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange.

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or creating an action plan if they become the target of harassment.

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.” 

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued. 

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol. 

District officials didn’t respond to requests for comment from Ӱ Wednesday. Attempts by Ӱ to reach the gang have been unsuccessful. 

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession. 

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access for cyber criminals interested in exploiting the information — and for district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I’m hoping I’m not on there. I attend school and work at this district.”

The Telegram user, who identified themselves to Ӱ as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.” 

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.” 

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Ransomware Group Claims Massive Data Leak But MN Files’ Whereabouts a Mystery

/article/minneapolis-hackers-student-data-deadline-published/ Fri, 17 Mar 2023 22:49:27 +0000

A cyber gang claims it published what could be a startling amount of stolen Minneapolis Public School records to the internet after the district failed to meet a $1 million extortion demand, but where the actual files are now remains something of a mystery.

Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by Ӱ to reach the gang have been unsuccessful.

Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform. 

Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 




Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.” 

Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

An entry on the Medusa cyber gang’s dark web leak site says it has published stolen Minneapolis Public Schools data after the district declined to pay a $1 million ransom. (Screenshot)

Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes. 

“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.” 

By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — were uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte. 

The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, is more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.”

The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand. 

Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been “unusually uncommunicative” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response.

People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the ‘clearnet’ where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution. 

“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act. 

In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.” 

During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services. 

Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen points to the threat actors possibly lurking around inside the MPS computer systems for weeks — if not months.

“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”

As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls and to change their passwords, and warning them against downloading any data released by cyber criminals because it plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.”

Ӱ’s Mark Keierleber to Appear on PBS Friday to Talk MN School Data Breach

/article/the-74s-mark-keierleber-to-appear-on-pbs-friday-to-talk-mn-school-data-breach/ Thu, 16 Mar 2023 11:15:00 +0000

Ӱ’s investigative reporter Mark Keierleber, who has broken news about the leak of sensitive student data on the dark web, will be discussing the latest cyber threat to Minneapolis Public Schools on Twin Cities PBS’s Almanac news show Friday.

The will air after a countdown clock on the Medusa cyber gang’s dark web leak site strikes zero at about 4 a.m. ET Friday. The leak site suggests the Minneapolis school district’s window to meet a $1 million ransom demand will then close and a trove of district data, which appears to include a significant volume of sensitive student and educator records, will become available online.

Ӱ’s earlier reporting documented that Medusa’s tactics, which included posting a since-removed video previewing what appeared to be the stolen documents in its possession, were more aggressive and more marketing-savvy than those generally seen in other school district cyber attacks. 

A preliminary review of the gang’s dark web leak site by Ӱ suggests the compromised files include a sizable volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.

The Minneapolis Public Schools, which came under fire for referring to the February breach as an “encryption event,” has not released any additional information since a March 9 statement posted on its web site. In it, school leaders indicate they don’t intend to deal with Medusa to get their now-encrypted data back.

“We have taken a stance against these criminals and are restoring our systems without the need to cooperate with them. As our response continues, we continue to work with and align with the best practices provided by federal law enforcement.”

Medusa is apparently a popular name among threat actors. The group that struck Minneapolis schools, according to , Bleeping Computer,  got its start in June 2021, but upped its profile this year by increasing its ransomware activity and launching its ‘Medusa Blog’ leak site to publish victims’ data.

A ransomware gang called Vice Society attempted to extort the Los Angeles Unified School District last year after it broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

District officials sought to downplay the attack’s effects on students. But an investigation by Ӱ found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

LA Parents Sound Off After Cyberattack Leaves Students Vulnerable
/article/la-parents-sound-off-after-cyberattack-leaves-students-vulnerable/
Thu, 06 Oct 2022 19:07:40 +0000

For Christie Pesicka, the Los Angeles Unified School District cyberattack hits home.

During in 2014, Pesicka was one of thousands of Sony Pictures employees that had their private information exposed in the midst of aggressive attacks by a North Korean hacker group.

Now, as a mom, Pesicka worries about protecting her son Jackson, a 1st grade Playa Vista Elementary School student, so history doesn’t repeat itself.

“When you’re a kid, you won’t ever see a credit report and find out that there’s something on there until you go off to college,” Pesicka said in an interview. “By that time, somebody has had 15 years to rack up a bunch of different credit cards or properties or whatever else on your kid’s account…so that’s very concerning.”




Like Pesicka, LAUSD parents have raised concerns about the district’s response to the cyberattack, ranging from long-term data protection to how well a hotline — created to answer parents’ and staff members’ questions — is working.

About 500 gigabytes of stolen district data was posted publicly on the dark web Saturday by Vice Society, a Russian-speaking ransomware gang known to target school districts.

After the district and law enforcement analysts reviewed about two-thirds of the data, LAUSD Superintendent Alberto Carvalho assured students, parents and employees that there is no reason for widespread concern.

“The release was actually more limited than what we had originally anticipated,” Carvalho said in a Monday downplaying the damage done.

Carvalho said any exposed student data – including names, academic information and personal addresses – dated from between 2013 and 2016, and insisted that most middle and high school students from that period have already graduated.

For now, Carvalho confirmed students who did have their data breached will be contacted and offered credit monitoring services.

But many parents were not convinced the superintendent’s response was enough to ease their concerns about the cyberattack.

When Pesicka’s private information was exposed, Sony offered her one year of credit monitoring. But she found out years later she had a stolen identity and social security number.

“I had three people working under my social security number and I had my identity compromised,” Pesicka said in an interview. “Anybody who’s been through identity theft knows how difficult it is and how there’s not really a streamlined process or way to scrub your information.”

Teresa Gaines, the mom of 2nd and 3rd grade students at Grand View Boulevard Elementary School, was troubled by Carvalho’s response because it didn’t provide the urgency she was hoping for.

“Some people don’t realize how serious this can be because what if five or ten years from now our kids go to college and all of a sudden they get denied entrance because of something that is not their fault…or somebody uses that data to cause issues that prevent them from getting into certain programs or denied work,” Gaines said in an interview.

Gaines also said LAUSD should provide more targeted outreach to families through “town halls” and “informational webinars” so parents could ask questions about the cyberattack.

She is particularly concerned by the release of psychological assessments, which Carvalho insisted did not happen during his press conference. However, the Los Angeles Times did find .

For Jenna Schwartz, the mom of a 7th grade student in North Hollywood, Carvalho’s response left her cautiously optimistic.

“If I find out I was impacted…but it was just my child’s school photograph from 2013 and his attendance record, I don’t care as much,” Schwartz said in an interview. “If it was my social security number and bank information, those are two very different scenarios.”

Carvalho pointed parents to the district’s hotline, available Monday through Friday and this weekend for additional questions or support on the cyberattack.

But parents reported long wait times, and limited hours and information when the hotline began earlier this week.  

“Unless you ask a question that fits into their script, they don’t really have a response,” Pesicka said in an interview. “And even if you do, you’re getting a very robotic response.”

In addition, Schwartz noted that she’s “not sure what good the hotline is at this point other than sort of just to make people feel better.”

After a request for comment, a spokesperson from LAUSD referred back to Carvalho’s statement on the cyberattack: 

The hotline hours have been updated to weekdays from 8 a.m. to 8 p.m. and this weekend from 6 a.m. to 3:30 p.m.

LA District Downplays Student Harm After Cyber Gang Posts Sensitive Data Online
/article/lausd-data-breach-los-angeles-hack-student-data/
Mon, 03 Oct 2022 21:57:31 +0000

Updated, Oct. 4

The Vice Society ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site,” after education leaders refused to pay — and at first even acknowledge — a ransom. 

Yet in a press conference Monday, Superintendent Alberto Carvalho sought to downplay the damage done, particularly as it relates to records about children. An said that student psychiatric evaluation records had been published online, citing a confidential law enforcement source. That reporting, Carvalho said, is “absolutely incorrect.”

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system. The “vast majority” of exposed student data, including names, academic information and personal addresses, was from a period between 2013 and 2016. “That is the extent of the student information data that we have seen.”

Roughly 500 gigabytes of district data was made public on Sunday by the Russian-speaking ransomware gang, which took credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear, yet after reviewing about two-thirds of the data, Carvalho said that “so far, based on what we’ve seen, critical health information or Social Security numbers for students,” is not included.

Carvalho confirmed on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. On Monday, he said that information from private-sector contractors, particularly those in construction, appeared most impacted. Breached records include contracts, financial information and personally identifiable data, Carvalho said.

Cybersecurity experts have warned that the release of district data could come with significant risks for current and former students. Children’s Social Security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.

James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited. 

Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision to withhold payment.

“There’s no upside to ever paying a ransom,” said Turgal. “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site.

Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second-largest school district, had initially . 

“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.” 

In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.” 

The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.

In an email to Ӱ, Vice Society said they published the district data because “they didn’t pay,” and acknowledged the “ransom demand was big” without providing a specific figure. Asked what makes school districts attractive victims for such attacks, the group offered a brief explanation: “Maybe news? Don’t know … We just attack it =).”

Over the weekend, they that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”

Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” in an email that federal authorities were “wrong” to advise the district against paying. 

“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”

Ӱ has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.

“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said. 

For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like Social Security numbers to sell on a dark web marketplace, often for identity theft.

Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find itself on the hook for as much as $100 million in medium-term recovery costs, Levin noted, to improve its cybersecurity infrastructure and work to prevent another attack in the future.

He said it’s important that affected educators, parents and students . The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit. 

“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.” 

74 Interview: Cybersecurity Expert Levin on the Harms of Student Data Hacks
/article/74-interview-cybersecurity-expert-levin-on-the-harms-of-student-data-hacks/
Tue, 31 May 2022 14:01:00 +0000

Everyone knows rules one and two of Fight Club: You do not talk about Fight Club.

Now it appears that district technology leaders have applied that logic to computer hacks. That’s according to Doug Levin, the national director of The , who has spent years chronicling computer hacks on school districts and education technology vendors. Data breaches are a significant and growing threat to schools, he said, yet many district IT officials are hesitant to discuss them. 




“Quietly they might confess that this is an issue they lose a lot of sleep over, but they never talk about it publicly, often for fear of looking bad,” said Levin, whose nonprofit group provides threat intelligence to school districts to protect them from emerging cybersecurity risks. 

Now, an increasing number of school districts have been forced to notify students and parents that they’ve been duped. In March, New York City Public Schools, the country’s largest district, disclosed that the had been exposed online. The data breach, the largest such incident against a single school district in U.S. history, has since reached far beyond the five boroughs. Other school districts — California, Colorado, Connecticut, Oklahoma and New York — have since acknowledged being victims. 

At the center of the debacle is that helps more than 5,200 school districts track student attendance and grades, among other metrics. Students’ personal information, some of it sensitive, was exposed when hackers breached Illuminate’s servers in January. students’ names, birth dates, class schedules, behavioral records and whether they qualify for special education or free or reduced-price lunches. 


Yet months later, many key details — including the number of districts affected — remain unknown. The company did not respond to requests for comment from Ӱ. 

In New York, state education officials into Illuminate, which city officials accused of misrepresenting its security safeguards. 

To gain a better understanding of the hack, Ӱ caught up with Levin to discuss how the high-profile data breach occurred, why many critical pieces of information remain elusive and strategies that parents and students can use to protect themselves online. 

The interview, which has been edited for length and clarity, was conducted prior to the latest development on the school cybersecurity beat: Friday that the personal information of more than half a million students and staff was compromised in a ransomware attack on education technology vendor Battelle for Kids. The data breach was carried out on December 1 and Battelle notified Chicago officials about the attack about a month ago, on April 26. 

Ӱ: The Illuminate Education data breach is the largest known hack of K-12 student records in history? 

Doug Levin: The Illuminate Education security incident — we actually don’t know much about what happened — was the single-largest data breach incident affecting a single school district. We still have to see what the numbers bear out for Illuminate Education, and it could still grow significantly in size.  

But a couple of years ago of their AIMSweb product. They never disclosed the total number of districts that were affected, but they said that 13,000 of their customers were affected. In fact, the Securities and Exchange Commission about the scope of the incident. A number of years ago, the education company Edmodo also endured a massive breach. 

So there are some large incidents that have happened but the more we learn about the Illuminate Education breach, the worse it does appear to be.

What sets this hack apart from previous incidents? 

Some education vendors don’t know a whole lot about the students they’re serving. They may have a student ID, they may know their grades or academic performance in one subject, but not a lot else about that student or their context. The Illuminate Education breach did involve a pretty large swath of sensitive information about students that could be used by criminals to commit identity theft and credit fraud against students. 

So that sets it apart. 

Unfortunately, it’s the latest and the most high-profile student data breach that is occurring not directly by school districts but by their vendors and partners. A lot of times the security conversation has been focused on the practices of schools themselves and attacks that have targeted schools. There have been a number of high-profile ransomware attacks that have brought school districts to a halt, , and . Those are very eye-opening incidents and they draw a lot of attention, but they are localized in their impact. They are very significant for those communities, but they only affect those communities. 

When a vendor experiences an incident, the impact and the scope of that breach can be massive. If you think about the vendors and suppliers that school districts work with, whether they’re for-profit, nonprofit, or even the state education agencies themselves, if they experience an incident, the scope and magnitude of that incident is likely to be significantly larger. 

There’s sort of this idiosyncratic issue in K-12 education where we have been laser focused on issues of student data privacy and a majority of states have now passed new student data privacy regulations in the last five to 10 years largely because the federal law, the Family Educational Rights and Privacy Act, has not been updated since 1974.

But if we only look at this issue through the lens of student data privacy, it is like we have horse blinders on, we are not seeing the full picture. And while ensuring student data privacy is critically important, these are not security laws and they do not adequately address the various ways that unauthorized users can gain access to student data. 

In fact, vendors and partners are the most frequent cause of school district data breaches. 

This is an era where we need to broaden our lens from student data privacy exclusively to also include security. School districts themselves need to do more due diligence with respect to vendors’ security practices and in making sure they have contractual requirements in place that require the prompt notification and remediation of issues. 

With Illuminate Education, it has taken several months for individuals who were affected to find that out. The gap between when the company first learned about the incident and when parents are informed of the incident so they can take steps to protect their children is really too long. We really need to work on tightening that timeframe to protect students from the risks that we are introducing to them. 

A map created by Doug Levin highlights every publicly disclosed cybersecurity incident at a K-12 school system since 2016. (Courtesy Doug Levin)

We don’t know a lot about the scope of the Illuminate Education data breach. How would you describe the company’s overall response? Why does so much remain unclear? 

Frankly, it comes down to the state of policy and regulations. In the vast majority of cases, when an incident is experienced by an organization, whether it be by a school district or a partner, one of the first things they will do is look to see what they’re obligated to report under the law. 

So setting aside the ethical or moral desire and need to help individuals take steps to protect themselves when you have been at fault in causing an incident, many will look to what they are strictly required to do. And the fact of the matter is that there are many, many loopholes in existing notification laws. 

Organizations do not want to share bad news with their customers and stakeholders, and so there are reasons that people don’t like to disclose these things. But there’s also a compelling number of reasons why stakeholders deserve and need to know.

If hacks are not publicly disclosed, policymakers won’t understand the scope of the issue and they can’t take steps to provide more resources to protect against these sorts of threats. That’s exactly the sort of issue we’ve had in K-12. For years, no one talked about the incidents that schools were experiencing, so people thought that schools really weren’t experiencing incidents. That was simply not the case. 

Secondly, threat actors that attack schools and their vendors repeat their tactics in predictable ways. If they’re successful at attacking one school district, they will use those exact same tools and techniques against other school districts. So it’s important that organizations share with them a heads-up so that they can take the steps to protect themselves from being compromised in the same ways. 

With hacks, there is the potential for people to experience real harms. They can have their identity stolen, tax fraud, credit fraud, they could be embarrassed. They could have things disclosed about them — whether it’s their health status, their legal status, their immigration status — that were never supposed to be public and that may lead to very serious repercussions. 

There really is a moral obligation for people to disclose these incidents. 

You’ve observed a recent uptick in ransomware attacks. How do districts generally respond to these incidents? 

How school districts respond really depends on how proactive they have been in defending against cybersecurity risks. In the best cases, school districts have segmented their networks and made it difficult for that ransomware to spread throughout the district. In those cases, school districts are often able to restore their systems from backups, avoid paying extortion demands, investigate how the ransomware got into their system and plug those holes. 

In recent years, ransomware actors have also exfiltrated large amounts of student and staff data before they encrypt and lock those school district computers and demand a ransom. And I should note those ransom demands have been increasing dramatically for K-12 schools. In 2015 or 2016, you might have seen a ransomware demand of $5,000 to $10,000, payable in a cryptocurrency, of course. Today, it wouldn’t be surprising to see a ransomware demand of a million dollars or more being made to a school district.

When school districts are in that place, they’re really between a rock and a hard place at that point. If ransomware spreads across their system, those are the sorts of incidents that close schools for days and kids are sent home. 

In those cases, they rely on experts to come in and assess how to rebuild their systems, how to evict ransomware actors from their networks, how to handle the fact that ransomware actors have exfiltrated data already, and to reduce instances where schools have to pay those extortion demands.

Law enforcement will never encourage a victim to pay that extortion demand. Every time a school district does so, they are really just encouraging future threat actors to target school districts with the same sort of techniques. 

Even school districts that don’t pay extortion demands face remediation and recovery costs. In Baltimore County, the recovery and remediation costs have been estimated in the millions of dollars, so you’re paying for the cost of ransomware incidents whether you pay that extortion demand or not.

School districts are not exactly flush with cash. Why are schools a good target for hackers? Why are they particularly vulnerable?

I have often heard schools be very surprised when they’re attacked. They’re morally outraged because they’re an institution that is just trying to help kids and they’re being targeted by these criminals. 

But you made the statement that schools don’t have a lot of money and I actually want to push back on that. School districts actually manage quite a bit of money every year. They maintain facilities, transportation and food services. They may be the largest employer in many communities. 

It is correct, of course, that school districts don’t have enough money to do all the things they would like to do and need to do for kids. I’m not arguing that they are sufficiently funded. But it is not unusual for a school district of medium or large size to have an annual budget in the hundreds of millions, and some of the largest districts in the country have annual budgets in the billions. That’s plenty of money to attract the attention of threat actors.

Other than money, school districts and other government agencies have been disproportionately attacked largely because they tend to run IT systems that are older and they also tend to be under-resourced with respect to cybersecurity. They just don’t have the money and the capacity to hire experts in the way that we would hope and certainly not in the way that some private sector organizations do. 

And given that public sector organizations like school districts provide essential services and people get very upset if they’re disrupted, they may be susceptible to extortion tactics like ransomware. They also hold a lot of valuable information about those stakeholders that can be repurposed for criminal purposes. It really is a perfect storm here of school districts being, unfortunately, low-hanging fruit for criminals at a time where, as a policy issue, cybersecurity really has not been a priority. 

I think this is changing. There are conversations underway in both state legislatures and in Congress looking to provide more resources to school districts for cybersecurity. But this is a marathon not a sprint and, you know, that help has not yet arrived. 

What needs to happen legislatively in regards to school district hacks? 

There is a need for mandatory reporting. It is very difficult for anyone to get a handle on this issue and how to help schools protect themselves if we don’t know the scope of the issues that schools are facing. 

We certainly can’t bring those parties who are responsible to bear unless we get details about those sorts of incidents. 

Secondly, there is no floor, there is no minimum cybersecurity risk management practice in a school district. Parents, employees and taxpayers have reasonable assumptions about how school districts protect themselves from ransomware, data breaches and targeted phishing attacks. Yet I think they may be surprised that their expectations are not being met. Setting a minimum cybersecurity expectation on school districts is a common sense step that we can take, and those protections should also be extended to vendors. 

You built a map to track every K-12 data breach since 2016. What key trends and takeaways have you observed? 

The majority of those incidents involve student data but a significant minority involve school employee data, including teachers.

A variety of actors are responsible for these incidents. About a quarter are carried out by online criminals targeting school districts, but many are actually the result of the actions of insiders to the schools themselves. Like any large organization, employees make mistakes. School districts may email sensitive data to the wrong people, and very occasionally, school districts have disgruntled employees who do things on their way out the door. 

The last group of insiders are the students themselves. An IT leader joked with me once that every school district serving middle and high school students is getting free penetration testing whether they like it or not. The fact of the matter is that a proportion of students are very tech savvy and they do get bored. Kids being kids, they turn their attention to school districts themselves and, in fact, there have been some very large and significant data breaches because students themselves have compromised school district IT systems. 

What do students typically do when they compromise school technology? 

It depends on the incident. In some cases, they’re seeking to change their grades or their attendance records in a very similar vein to the . Some kids have even been enterprising and charged their fellow students for the privilege of changing their grades. 

But in other cases, they’re simply curious or are interested in making some kind of a statement and are interested in defacing a school website, a school social media account, blasting out emails that they think are funny. 

We don’t have any evidence that kids are monetizing their attacks on school districts on the dark web in the way that online criminals do. But having said that, there are a number of cases where students have crossed the line and have gotten entangled with law enforcement because the attacks they’ve carried out against school districts have been so disruptive. 

What do we know about the online criminals who target school districts? Who are they, in what cases have they been caught and in what cases have they faced any repercussions? 

Cybersecurity attacks have a unique characteristic to them because they can be carried out by individuals anywhere in the world at any time. By and large, the online criminals that are targeting school districts are based overseas and they are based in countries that make it difficult for U.S. law enforcement to reach. As a result, many of these actors are not brought to justice. 

A minority of these incidents occur from within the country and in those cases the ability of law enforcement, the FBI in particular, in bringing judgments against those folks is actually pretty good. There was a Texas school district a couple of years ago that was scammed out of several million dollars by a sophisticated phishing attack. It turned out that it was carried out by an individual in Florida who was caught and prosecuted. That person bought Rolexes and sports cars with the money that he stole from that district. But I suspect he is sitting in a jail right now or certainly awaiting the sentencing for that crime.

What lessons does the Illuminate Education breach hold for school districts and education technology vendors?

The story is still being told here, but this is going to be a very cautionary tale both for school districts and for vendors. This is going to evolve depending on the outcome of the investigations in New York. The state of New York has a fairly strict student data privacy regulation and it appears that Illuminate Education was in violation of the rules despite assurances that they were in compliance. So the state of New York has an opportunity to set an example here. Many ed tech companies will be watching very closely. 

We’re watching very closely as well. What may happen to renewals from school districts that use products from Illuminate Education? How many customers might they lose? 

It would be wise for vendors and suppliers to understand that it is only a matter of time before new regulations require more cybersecurity protections on the data that they hold about school children and school employees. 

From a school district perspective, it just underscores the importance of due diligence when they are selecting vendors and the need to consider the security practices of their vendors. This is not a one-time evaluation. Threats and vulnerabilities evolve so we need a continuous evaluation process. 

What lessons does this hack hold for parents and students, and what should they do to protect their information online?  

It should highlight for parents and students that there are risks in sharing information with schools and their partners. That risk can be managed, but I think it is beholden on parents to ask good questions of their school district about their cybersecurity risk management practices. These don’t have to be very technical questions, but I do think they deserve assurances from the school board and the superintendent that this is an issue that they’re taking seriously and a school district should be able to explain the steps that they’re taking and how they are continuously managing these risks. 

If you’re worried about being a potential victim — and I think it is always worth worrying about being a potential victim — there’s a couple of steps that I would encourage both parents and students to take. I would advise parents to freeze their children’s credit record. This is available for free at all of the major credit reporting agencies and it will prohibit an online criminal from stealing the identity of their children and opening credit accounts in their names. 

I would also underscore that good password management practices are always useful. I’m talking about not reusing the same username and password that you use for your school accounts for any of your personal accounts. To the greatest extent possible, you want to separate your school life from your private life and the best way to do that is to use a password manager. There are many free password manager applications that are available as well as a number of good paid options.
