Kept in the Dark – The 74, America's Education News Source

Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
Mon, 10 Mar 2025 16:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts.

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers. 

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by The 74 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal.




The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000. 

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers. 

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by The 74 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment. 

The district didn’t respond to requests for comment for this story. 

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed.

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.” 

Negotiations with the threat actor are among files obtained by The 74 through a public records request. (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help. 

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024. 

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event. 

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.”

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. The 74 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened?

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants. 

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment. 

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers. 

Renton School District Victim of Ransomware Attack
Sat, 08 Mar 2025 02:02:45 +0000

Threat actors with the ransomware gang Akira listed the Renton school district on their leak site in August 2023, with a threat to leak 200 gigabytes of stolen records, including medical information.

Information about a cyberattack at the district is limited — aside from data breach notices in several states. In to the Maine attorney general’s office, the district disclosed that it suffered a “hacking” incident. On Aug. 3, the district “experienced a network disruption” that rendered its systems inoperable due to “a sophisticated cyber-attack.” Nearly seven months later, on Feb. 29, 2024, school officials began informing individual victims that their Social Security numbers had been exposed in the breach. 

In to the Washington state attorney general’s office, the district acknowledged that 771 state residents had their information stolen, including their names, Social Security numbers, banking information, dates of birth and health insurance and medical information. The total number of affected individuals, according to the disclosure in Maine, was 30,373.

School officials couldn’t be reached for comment.

Kept in the Dark: Inside the Minneapolis Schools Cyberattack
Mon, 17 Feb 2025 13:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened. 




The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin. 

Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by The 74 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.”

The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security. 

Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports. 

Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter. 

The district didn’t respond to requests for comment.

As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by The 74. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack.

“The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.  

A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by The 74 through a public records request, provides an early account of the incident. (Screenshot)

Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly. 

“Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to The 74’s request for comment.

Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions. 

The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.” 

Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by The 74, include confidential and highly sensitive records about individual students and teachers.

It wasn’t until September 2023 — seven months after the attack — that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.

“Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

This story was supported by a grant from the Fund for Investigative Journalism.
