The hackers’ new demands for bitcoin payments, emailed to school officials across the country seemingly at random over the last several days, undercut the ed  tech behemoth’s decision to in December to prevent the sensitive records from being shared publicly. In exchange for the payment, the company said hackers provided a video of them deleting some of the stolen files, which include records with some 62.4 million students’ and 9.5 million educators’ personal information.

It appears the cybercriminals — perhaps predictably — didn’t keep their end of the bargain. 

In North Carolina, employees of at least 20 school districts and the state Department of Public Instruction received dozens of extortion demand emails from the hackers, officials said during a Wednesday evening press conference. Superintendent of Public Instruction Maurice Green said information about the hackers’ demands to local educators will be shared with the state attorney general’s office, which is investigating the fallout from the December attack. 

“At the time of the original incident notification in January of this year, PowerSchool did assure its customers that the compromised data would not be shared and had been destroyed,” Green said. “Unfortunately, that, at least at this point, is proving to be incorrect.” 

The company, which Boston-based private equity firm Bain Capital acquired for $5.6 billion in October, has faced a barrage of lawsuits since it acknowledged the attack in January. The latest escalation could open it to greater legal exposure. 

In a statement Wednesday, PowerSchool acknowledged the threat actors’ direct outreach to schools “in an attempt to extort them using data” stolen during the December breach. Samples of data supplied to school leaders “match the data previously stolen in December,” the company said. 

It referred to a “difficult decision,” one its leadership team “did not make lightly,” to pay the ransom demand in the days after the attack, believing it was the best option to protect students’ records. Social Security numbers, special education records and detailed medical information.

“As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us,” the company said in a statement on Wednesday. “We sincerely regret these developments – it pains us that our customers are being threatened and re-victimized by bad actors.”

Vanessa Wrenn, the chief information officer at the North Carolina Department of Public Instruction, said school officials were contacted “through various emails,” including to both their work and personal email addresses, seemingly based on the hackers’ ability to find their contact information online. Wrenn said state officials had been in contact with educators in Oregon, who received similar demands. In Toronto, Canada, Wednesday they were “made aware that the data was not destroyed” when the threat actor contacted them directly. 

“We could not find any type of trend in who they picked to email. We tend to think it’s emails that they could publicly find and contacted that person,” Wrenn said. “This exact same communication has been sent to other school districts and other states across the United States today and yesterday and broadly across the globe two days earlier.” 

Though they confirmed just a subset of districts received the ransom demands, she said the situation puts the data of all students statewide at risk because all North Carolina public districts currently rely on PowerSchool’s student information system. 

That’s about to change. Green said the state’s contract with PowerSchool ends in July and officials have chosen to migrate to competitor Infinite Campus — in part because of its promise of better cybersecurity practices. 

“It is completely unfortunate that the perpetrators are preying on innocent children and dedicated public servants,” Green said. “we are, as I mentioned earlier, working closely with law enforcement to do everything we can do to ensure that the responsible parties are held accountable for their actions.”

PowerSchool said it reported the latest extortion attempt to law enforcement in the United States and Canada and is working “closely with our customers to support them.”

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by ����Ӱ�� shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms —&�Բ�����;��ܲ������  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told ����Ӱ��. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

When breaches go unspoken

����Ӱ��’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

����Ӱ�� tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

In many instances, ����Ӱ�� relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, ����Ӱ�� could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to ����Ӱ��’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by ����Ӱ�� through a public records request. School districts routinely denied ����Ӱ��’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by ����Ӱ�� reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked ����Ӱ��. 

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

�پ����ٰ������ٲ�’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said. 

“The wording in notices is disheartening,” Strauss told ����Ӱ��. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead. 

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet ����Ӱ�� identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger,  writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.” 

“This is a troubling practice that must end,” she wrote.

Records obtained by ����Ӱ�� show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

But he was quick to defer to the district and its lawyers.

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told ����Ӱ��. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.” 

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told ����Ӱ�� that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by ����Ӱ�� — one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told ����Ӱ��. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by ����Ӱ�� show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that  the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by ����Ӱ�� show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by ����Ӱ��. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told ����Ӱ��. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students‘ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974. 

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.  

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told ����Ӱ�� he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for ����Ӱ��.

This story was supported by a grant from the Fund for Investigative Journalism.

A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by ����Ӱ�� revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist. 

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

An analysis by ����Ӱ�� of the stolen files — posted by the threat actors to the messaging platform Telegram  — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students. 

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.” 

In a statement to ����Ӱ�� on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.” 

Wégimont’s statement doesn’t acknowledge that students’ records had been compromised. 

The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told ����Ӱ��.

“People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.” 

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials. 

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday. 

“No one had actually gone in to see the files,” he told ����Ӱ��, although the district had said it was conducting an ongoing analysis. 

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said. 

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.” 

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.” 

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles 

The Medusa attack and Providence’s response is similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by ����Ӱ�� and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office. 

The Providence district records available on Telegram are extensive, totaling more than  337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown. 

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw. 

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records. 

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years. 

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.

“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

The Satanic Cloud, which posted the most recent batch of LAUSD data, told ����Ӱ�� it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told ����Ӱ�� in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, ����Ӱ�� found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had. 

Just last month, a joint investigation by ����Ӱ�� and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breath notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district. 

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L. A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggest the records include similar information about teachers. 

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told ����Ӱ�� “there is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information. 

Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told ����Ӱ��, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack. 

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.” 

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.” 

Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households. 

In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support. 

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told ����Ӱ�� that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.” 

In response to an inquiry by ����Ӱ��, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically. 
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with ����Ӱ��. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.” 

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told ����Ӱ�� the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by ����Ӱ�� uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.” 

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in ����Ӱ��, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told ����Ӱ�� at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s  “explicit data encryption requirement.” 

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided ����Ӱ�� didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.” 

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and ����Ӱ��.

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

Now, she’s left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by ����Ӱ�� and The Acadiana Advocate revealed. The reporting included a data analysis by ����Ӱ�� of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered. 

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays. 

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.” 

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes. 

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.” 

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.” 

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

“It’s a question of them throwing their fishing hook in the barrel … and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.” 

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told ����Ӱ��. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve not just direct outreach to parents, but also to media outlets, is already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

Schools nationwide rely heavily on Google Workspace to create, and share records and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them. 

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by ����Ӱ��, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with ����Ӱ��, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.” 

Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.” 

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.” 

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.” 

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.” 

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told ����Ӱ��. She said the student’s email address was used to send four emails, which were then deleted. 

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

“I’ve emailed the superintendent and I just continue to call that helpline,” she said “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told ����Ӱ��.

Among those calling for Superintendent Yara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 

“Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggest they date back two decades. 

The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by ����Ӱ�� of the cyber group’s dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

“Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by ����Ӱ��. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.” 

Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told ����Ӱ�� the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

“It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.” 

This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

WIth “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

“With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

“Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

‘Exclusive, unique and impressive’

Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.” 

The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.” 

“We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told ����Ӱ��, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

“There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.” 

The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

“This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.” 

Ransomware’s long tail

Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to ����Ӱ��. 

It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

“We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.” 

Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses. 

Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

“Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

The documents were Minneapolis Public Schools’s first public comments on the attack since April 11.  

Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

“Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

“A lot of times schools are reactive rather than proactive,” she said.  If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”

Such unrelenting attacks — this time against a Bergen County, New Jersey, district —are what brought the first lady as well as some 200 federal cybersecurity officials, school district leaders and tech company executives together for a first-ever White House summit on strengthening school district defenses.

“It’s going to take all of us,” Biden said. 

The breaches have grinded school technology systems nationwide “to a halt,” the first lady said at the East Room gathering, forcing some districts to cancel classes as reams of sensitive student, parent and educator data were stolen and leaked online. In March, a Medusa attack on Minneapolis Public Schools exposed records about child abuse inquiries, student mental health crises and campus physical security details. 

“If we want to safeguard our children’s futures, we must protect their personal data,” she said. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Among the new strategies announced Tuesday is the creation of a Government Coordinating Council that will provide “formal, ongoing collaboration” between all levels of government and school districts to prepare for and respond to data breaches. Officials with the Cybersecurity and Infrastructure Security Agency said the agency would provide individualized assessments and cybersecurity training to 300 K-12 education entities over the next year. 

Tuesday’s cybersecurity event didn’t come with the announcement of any new federal regulations but was instead positioned as the first step in a new-found federal urgency around cybersecurity in schools. The Federal Communications Commission in late July proposed a $200 million pilot program to enhance cybersecurity in schools and libraries that still needs to be approved.

“When schools face cyber attacks, the impacts can be huge,” Education Secretary Miguel Cardona said. “Let’s be clear, we need to be taking these cyber attacks on schools as seriously as we do the physical attacks on critical infrastructure.”

In released by the Education Department and the Cybersecurity and Infrastructure Security Agency, the agencies recommended that school districts implement multi-factor authentication, enforce minimum password strength standards and ensure software is kept up to date. They should also consider moving on-premises information technology services to cloud-based systems. 

“Do not underestimate the ruthlessness of those who wish to do us harm,” Homeland Security Secretary Alejandro Mayorkas said. “They have proven their willingness to steal and leak such private student information as psychiatric hospitalizations, home struggles and suicide attempts. Do not wait until the crisis comes to start preparing.” 

School cybersecurity expert Doug Levin, who attended the summit, said it was a positive development to see the federal government, and the Education Department in particular, focus on the effects of ransomware on schools. The Education Department has been “mostly absent from these conversations” in the past, said the national director of The K12 Security Information eXchange.

Meanwhile, several companies, including education technology vendors, unveiled new commitments to help facilitate digital security in schools. Amazon Web Services announced a new $20 million grant program to bolster K-12 school cybersecurity while Cloudflare committed to providing free cybersecurity tools to small districts with 2,500 or fewer students. 

Schools are now the single leading target for hackers, outpacing health care, technology, financial services and manufacturing industries, according to a global survey of IT professionals released last month by the British cybersecurity company Sophos.

In the U.S. school district cyber attacks reached a record high of 37 in the month of June alone, , but Tuesday’s event centered largely on a crisis that unfolded in Los Angeles nearly a year ago. 

Last September, a notorious ransomware group carried out an attack on the Los Angeles Unified School District, the nation’s second largest, that resulted in some 500 gigabytes of district data being published to the Russian-speaking group’s dark-web leak site. 

A major theme of the White House summit was the politically connected superintendent’s swift outreach to federal agencies, including the U.S. Department of Education and the Federal Bureau of Investigation. That collaboration, Superintendent Alberto Carvalho and federal education officials said, set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, called it “the Harvard Business School case study on how to get this right.” 

Other school districts should respond similarly, said FBI Deputy Director Paul Abbate. When school leaders suspect they’ve been the target of an attack, he said, it’s incumbent that they “please call us immediately.” In L.A.’s case, the FBI was able to have a team of agents on the ground in less than 24 hours, he said, enabling them to freeze vulnerable accounts and secure sensitive information that had been sought out by the threat actors. 

That coordinated response didn’t prevent some 2,000 current and former students’ highly sensitive psychological evaluations from being leaked on the dark web, an investigation by ����Ӱ�� revealed. Carvalho initially denied that such records were exposed in the attack, but the district acknowledged they were after the story was published. The district also initially said the attack began and ended on Sept. 3 — the Saturday of Labor Day weekend — but a follow-up investigation determined that an intrusion began as early as July 31, the .

While Carvalho didn’t comment Tuesday on the leak of sensitive psychological information, he said the number of stolen files “could have been much worse,” adding that the hackers “encrypted and exfiltrated very little thanks to our actions.” Among the actions they didn’t take, the schools chief said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

Last year, a startling 80% of schools suffered ransomware attacks, according to and released last month. That’s a surge from 2021, when 56% claimed they were victims. The rate has doubled over two years, making ransomware “arguably the biggest cyber risk facing education providers today,” researchers found.

 The victimization rate against schools was higher than all other surveyed industries, including health care, technology, financial services and manufacturing. 

While the Sophos survey included responses from 400 IT professionals working in education globally, U.S. institutions are “the prime target for many of these gangs,” particularly since Russia invaded Ukraine, said Chester Wisniewski, field chief technology officer of applied research at Sophos. 

Yet even among American institutions, he said two factors have made schools particularly vulnerable to threat actors. Costly cybersecurity safeguards in schools often fail to rival those in place at major businesses like banks and technology companies. And schools aren’t just easy to hack, they’re also easy to exploit for profit, he said. Nearly half of attacks against schools last year — 47% — led to ransom payments, researchers found, and their willingness to shell out cryptocurrencies to retrieve stolen files may have backfired. 

“If a given sector pays more often than another sector, then they get targeted more often and if a given sector is really insecure and it’s super easy to break in, they’ll also get targeted more,” he said. “In the case of education, unfortunately, it’s a double whammy because they do pay very often and they also are really easy to break into.”

The rise in ransomware attacks on schools coincides with the growth in double-extortion schemes, researchers found. In double-extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. If victims don’t pay, the criminals sell the data or publish it to a leak site. 

Files contained in those data breaches routinely contain sensitive and confidential information about students, their parents and educators. After an attack last year against the Los Angeles Unified School District, threat actors published highly sensitive psychological evaluations of some 2,000 current and former students. Following a computer breach this spring at Minneapolis Public Schools, a cyber gang uploaded to the internet a trove of stolen files including ones detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

While both incidents were large-scale attacks, many others likely unfold on a much smaller scale, Wisniewski said. Of the 80% of districts reporting attacks, he said the figure likely includes instances of a single student’s or educator’s computer being compromised. 

“The sophistication is very low, it’s smash-and-grab stuff,” he said. “They literally are just encrypting a laptop and saying, ‘Pay us $500 for the keys,’ and they don’t have the time nor the skills to bother exfiltrating data and stuff like the big groups do.” 

Scott Elder, the superintendent of Albuquerque Public Schools, knows firsthand the challenges that education leaders face when their districts become the targets of cyber criminals. A r last year, forcing the district to cancel classes. Ultimately, the district and law enforcement were able to resolve the attack without paying a ransom. He told ����Ӱ�� he was surprised that schools have become the top ransomware target because “we don’t have any money.” But he’s well aware that districts are vulnerable. 

“The reality is, we have incredibly dedicated people who are working incredibly hard to keep our data safe, but we  just can’t pay as much as the private sector,” Elder said. “I’d imagine there are a lot of districts that are struggling to attract top-tier talent to do this type of work.” 

Last year, stolen data was encrypted in 81% of cases against schools and attacks were stopped in just 18% of cases before district information was locked, according to the Sophos report. Of schools that had their documents locked behind an encryption key, threat actors made their own copies of the information in 27% of cases. 

While schools may be tempted to pay ransoms to retrieve stolen data quickly and minimize harm, the Sophos report offers counterintuitive findings. Recovery costs were higher in districts that shelled out ransoms, even before factoring in the cyber gang’s financial demands. It also took those districts longer to get back up and running, according to the report. While 35% of districts that relied on file backups for their data recovered within a week, the same was true for 32% of those that paid ransoms. The report doesn’t explore the number of school districts which didn’t pay ransom demands and then had their confidential data leaked online. 

The confidential nature of compromised data, and the potential damage of its public release, influence districts’ decisions to pay ransom, Elder said. 

“This is highly confidential information, some of it can be harmful, and we’re educators: We like to take care of people,” Elder said. “But I do think sometimes we have to draw a hard line to manage our property. It’s a hard decision. I doubt there’s any single answer for anyone.”

Insurance appears to be a motivating factor in districts’ decisions to pay ransoms, Wisniewski said. In school systems with standalone cyber insurance, 56% of victims paid the ransom compared to 43% with broad insurance policies that included cybersecurity coverage. Ransom demands are often covered by insurance, Wisniewski said, and companies who have to pay off the claims are likely to have significant influence over which districts come across with the money.

“The only conclusion I can draw from that is the insurance companies think that paying the ransom is going to save them money because in the end the insurance company is on the hook for helping you recover,” he said, despite emerging data to suggest the contrary. “The insurance companies are constantly playing catchup trying to figure out how they can offer this protection because they see dollar signs while everybody wants this protection, but they’re losing their butts on it.”

A three-year pilot program announced by Rosenworcel earlier this month could invest up to $200 million to enhance cybersecurity in schools and libraries, yet the full proposal hasn’t been released publicly and education experts said far more would be needed to make a meaningful difference. And it could be months — if not more than a year — before the help makes its way to schools as education groups demand a more urgent federal response. 

As districts become “a prime target for cyberattacks,” the proposed pilot “will give us valuable insight about whether and how the FCC can leverage its resources to help address the cybersecurity threats that schools and libraries face,” Rosenworcel said in a July 12 speech before AASA, The School Superintendents Association and the Association of School Business Officers International. 

Education groups and school leaders have been calling for several years on the federal government to help schools bolster their cyber defenses and the pilot deviates from what many had suggested. The allowing districts to spend federal E-Rate funding on cybersecurity, a move that more than 1,100 school districts endorsed in a joint letter last year. 

Yet officials at the national superintendents’ association worried that using E-Rate funds was a diversion from the program’s mission of helping schools and libraries connect to the internet, said Noelle Ellerson Ng, the group’s associate executive director of advocacy and governance. She said the group supports the pilot because it remains separate from E-rate while still giving districts more money to protect their data. 

“All signs point towards we’re going to need a federal response so hopefully we can get some congressional acknowledgement of that during the same three-year timespan to start thinking about what something more sustainable might look like,” Ellerson Ng said. “That way when this three-year pilot is up and we can get some of the evaluated data, we can move forward.”

A found that K-12 education was the most popular target for ransomware gangs last year, with 8 in 10 districts reporting getting hit with attacks — a marked 43% increase from 2021. The average recovery cost for victim districts, which agreed to pay ransoms in nearly half of incidents, exceeded $1.5 million, excluding financial demands from cyber gangs. 

Recent high-profile ransomware incidents include an attack last year on the Los Angeles Unified School District, the country’s second-largest school system, that resulted in the public release of students’ highly sensitive psychological records. An attack on Minneapolis Public Schools this spring led to the public release of a trove of sensitive district documents, including files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports. 

Last month, New York City Public Schools, the country’s largest district, in a massive cyber attack on the file-sharing software MOVEit. The MOVEit attack has resulted in and organizations, including universities in at least a dozen states. The National School Clearinghouse has acknowledged it was caught up in the breach, a development that school cybersecurity experts said could affect many — if not most — students nationally. 

“Cybersecurity is definitely something that has just stormed into the forefront” as districts nationwide grow increasingly alarmed by attacks, Rosenworcel said. The federal government hasn’t previously provided money to schools for cybersecurity but the pilot program, she said, offers a first step. 

The five-member FCC commission must vote on the proposal before its full details are made public, the agency said, and it must go through a formal public comment and rulemaking process. Education experts predict it could be a year or more before the money is available to districts. 

“I’ve told our superintendents that it’s realistic that it could take 10 months — best case scenario — before they’re able to apply,” Ellerson Ng said. 

School cybersecurity expert Doug Levin said the communications commission “has been slow-pedaling” on the issue for years and that the $200 million proposal is just “a drop in the bucket” of what districts nationwide would need to counter this online enemy. The pilot could be used to generate lessons learned and to set the stage for more robust federal investments, he said, but only a small number of districts are likely to receive grants under it. 

But the threat that districts face from cyber attacks is so great, Levin said, that even a much more significant investment in digital safeguards is unlikely to thwart the problem.

“It’s hard for me to imagine that, even if they were wildly successful and every school district was able to put in place a next-generation firewall, that that’s going to make a meaningful difference in the number of successful attacks against school districts,” he said. “You know, maybe they shouldn’t be collecting all this data that’s so sensitive in the first place.”

A download link was published Tuesday night on a website designed to resemble a technology news blog — an apparent front — and, by Wednesday morning, download links began to appear on Telegram, the encrypted instant messaging service that’s been and . ����Ӱ�� is still working to confirm the contents of the large, roughly 92-gigabyte file.

Still, the available download is significantly smaller than the 157 terabytes — there are 1,000 gigabytes in one terabyte — the Medusa ransomware gang claims it stole from the district, according to a file tree posted this month to the criminal group’s dark web blog. That file tree suggests the records contain a significant amount of sensitive information, including student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. 

“Today, the hacker group ‘Medusa’ gave me data for publication that will become a hit,” notes a post on the faux technology news blog, which appears to have a direct tie to the ransomware group. The author offered a rant accusing district leaders of failing to maintain sufficient data security procedures while attempting to distance himself from illegal activities.

“Someone will tell me that this cannot be published. I will answer this simply — the only way to change rotten systems is to publicly show that they are extremely unsuitable for further use. If you don’t focus on the problems, they accumulate. I hope that the board of trustees of this organization will make the right decision on the current management of the organization.” 

Though the full scope of the breach remains unclear, current and former Minneapolis families and district employees should take immediate steps to protect themselves, cybersecurity experts said. 

“If I was a parent at this school district, or a teacher, I would assume that my data and information had been compromised and act accordingly,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. Identity theft is a primary risk that data breach victims face, Callow said, so people should consider freezing their credit and “at the very least, being extra vigilant and looking more closely at your transactions than you normally would.” 

It’s also a good time for people to implement two-factor authentication on accounts when possible and avoid reusing passwords across multiple services, said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange

Yet for people whose sensitive personal records are now available, including those related to student sexual misconduct incidents, experts said, there are no easy remedies. Potential victims should consider seeking mental health counseling, Levin said, or to create an action plan if they become the target of harassment. 

“Once that genie is out of the bottle, it is very difficult to get it back in,” Levin said. “I don’t know what the school district could do to comfort those individuals or even provide them a recourse. Credit monitoring is not going to be helpful. What is at risk is their well-being, their reputation.” 

The Minneapolis district, which has been criticized for how it publicly communicated information about a ransomware attack it first referred to as an “encryption event,” that the ransomware group had released the stolen records on the dark web, “a part of the internet accessible only with special software that allows users to remain untraceable.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district update continued. 

However, that statement appeared premature. After a countdown clock reached zero on Medusa’s dark web blog Friday, the files weren’t readily available for download. Instead, a “Download data now!” button directed users to contact the gang through an encrypted instant-messaging protocol. 

District officials didn’t respond to requests for comment from ����Ӱ�� Wednesday. Attempts by ����Ӱ�� to reach the gang have been unsuccessful. 

Instead of uploading district files to the dark web blog, a download link to the Minneapolis data is available in the Telegram channel and on the faux tech news blog, which is not relegated to the dark web, does not require special tools to access and can be found through a Google search. The site also includes a 50-minute video offering a preview of files within the gang’s possession. 

In posting the download link to the “clearnet” — a publicly accessible website that’s indexed by search engines — Medusa may have lowered the technical bar for people who are interested in downloading and viewing the stolen records. But at some 92 gigabytes, Levin said the file’s size may serve as a barrier to access to cyber criminals interested in exploiting the information — and to district officials who are investigating the breach and attempting to alert those whose information has been exposed.

Comments on the Telegram channel suggest there is interest in the stolen records. Since last week, Telegram users have questioned when the file download would become available. By Wednesday afternoon, Telegram posts with links to the district data amassed more than 400 views. Viewing the links doesn’t necessarily mean the data was downloaded.

“Hey, how can I see the mps stuff,” one Telegram user asked in the ransomware group’s channel. “I”m hoping I’m not on there. I attend school and work at this district.” 

The Telegram user, who identified themselves to ����Ӱ�� as an 18-year-old Minneapolis high school student, said they were trying to download the data due to concerns that it could contain their Social Security number or other sensitive information. 

Among a list of safety precautions, the district has urged the community to refrain from downloading the breached data, arguing that doing so “plays into the cybercriminals’ hands by drawing attention to the information and increasing our community’s fear and panic.” 

The district has also warned people against responding to suspicious emails or phone calls due to phishing risks and urged people to change their passwords. On Friday, the district said it was working to identify which records were compromised and planned to notify affected individuals at the end of a process that “will take some time.” 

Callow said that ransomware victims should take a proactive approach to notifying those whose data was potentially stolen, rather than waiting until investigations are concluded. 

“I would much prefer to see organizations preemptively warn people that their data may have been compromised so that they can be cautious. Forewarned is forearmed, as they say,” Callow said. “If my personal information may have been compromised, I would want to know straight away.”

Early Friday morning, after the Medusa gang’s countdown clock on the ransom deadline struck zero, the files weren’t readily available for download on its dark web leak site. Instead, a “Download data now!” button directs users to contact the ransomware gang through an encrypted instant-messaging protocol. Attempts by ����Ӱ�� to reach the gang have been unsuccessful.

Files from previous Medusa victims are available on a website designed to resemble a technology news blog — a front of sorts. Unlike the Medusa blog, this site is not relegated to the dark web and does not require special tools to access. Download links are also posted in a channel on Telegram, the encrypted social media service that’s been and . Yet as of Friday afternoon, the files purportedly stolen from the Minneapolis district were not available for download on either platform. 

Data breaches from previous victims appear to be uploaded to the faux technology news blog about a month after their ransom expires, suggesting that the Minneapolis files could become available online after a brief lag. 

Still, in a statement on Friday, the district said it “is aware that the threat actor has released certain MPS data on the dark web today.” 

“We are working with cybersecurity specialists to quickly and securely download the data so that we can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates,” the district continued. “This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted.” 

Early indications suggest the files contain a significant volume of sensitive information about students and staff. Leading up to the Friday deadline, Medusa posted a short-lived video to Vimeo that previewed the files in its possession and published a file tree on its dark web blog that purportedly showed the names of the compromised documents. The file tree suggests those records involve student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. As of Friday afternoon, the dark web blog post showing the file tree had amassed more than 3,100 page views. 

Should the files become available at some point, an analysis of the file tree points to the trove of stolen records being extensive. The file tree lists more than 172,000 individual records including large backup files. Though it’s unclear how many of the documents contain personally identifiable information and other sensitive data, the files add up to a startling 157 terabytes. 

“Yikes, that’s a lot,” said Doug Levin, an expert in K-12 cybersecurity incidents and national director of the K12 Security Information eXchange. “It’s a very significant exfiltration.” 

By comparison, last year the Los Angeles Unified School District suffered a ransomware attack and a cache of stolen district files — including thousands of current and former students’ sensitive mental health records — were uploaded to a dark web leak site. The files in that leak, which drew national attention to cybersecurity vulnerabilities in K-12 schools, total some 500 gigabytes. There are 1,000 gigabytes in one terabyte. 

The records stolen from the Los Angeles school district could fit on the hard drive of just one laptop. The scope of records stolen in Minneapolis, meanwhile, are more akin to “entire IT systems,” said Levin, who was especially concerned about the breach of district backup files. “You’re probably looking at some of the more sensitive data that the district maintains — sensitive enough that they are backing it up and maintaining those files.” 

The data leak deadline comes a little more than a week after Medusa listed the district on its dark web blog and two weeks after Minneapolis school officials attributed with its computer system to an “encryption event.” That euphemistic characterization left the public in the dark about the incident’s severity, cybersecurity analysts and community members said.

Such experts said Medusa’s pre-leak efforts were a particularly aggressive attempt to increase public attention around the attack and coerce the district to meet its ransom demand. 

Medusa’s decision to upload its stolen files to the faux technology news blog is likely a tactic to elevate the privacy risks to potential data breach victims and convince hacked organizations to pay the ransom, said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

Despite Medusa’s extensive steps to publicize the ransomware attack prior to the Friday deadline, the group has been  “unusually uncommunicative,” since the clock struck zero and its dark web blog listed the Minneapolis records as published, Callow said. The cyber expert said he also reached out to the group Friday to inquire about the Minneapolis breach but didn’t receive a response. 

People who don’t work in cybersecurity may not know how to access dark web sites, he said, while the technology news blog is more accessible to the general public. Therefore, dark web sites “would concern organizations less than the data being released from the “clearnet” where it is easily accessible and links to it can be shared via Twitter and other social platforms. It’s much easier for people to access.”

Callow agreed the volume of data purportedly stolen from the Minneapolis district constitutes an outlier among ransomware attacks — but he offered a caution. 

“Just because they published a file tree doesn’t mean they necessarily obtained all of the data it shows in that tree,” he said, noting that organizations like school districts can shut hackers out of their systems if they’re caught in the act. 

In a March 9 statement, the district said it had “taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal.” 

During a school board meeting Tuesday, interim Superintendent Rochelle Cox said the district’s computer network “was infected with an encryption virus that was first discovered” Feb. 18. Secure backups allowed the district to restore many of its systems, Cox said, and while sensitive data has now been released publicly, the district is unaware of any evidence that the information has been leveraged by criminals to commit fraud. Once the district identifies impacted individuals, Cox said it will provide them with credit monitoring and identity protection services. 

Yet as Cox credited the district’s technology department for responding swiftly to restore district systems after the attack, Levin, the K-12 cybersecurity expert, said the sheer volume of files purportedly stolen point to the threat actors possibly lurking around inside the MPS computer systems for weeks — if not months. 

“Exfiltrating this amount of data without detection certainly is concerning,” Levin said. “This sort of mass exfiltration is something that cybersecurity experts look for when they are defending systems and this is certainly not something that is downloaded in an hour or two.”

As the district works to analyze the scope of the attack, it’s advising district families and staff to avoid interacting with suspicious emails or phone calls, to change their passwords and warned them against downloading any data released by cyber criminals because it plays into their hands “by drawing attention to the information and increasing our community’s fear and panic.” 

While districts nationwide have become victims in in the last several years, cybersecurity experts said the extortion tactics leveraged against the Minneapolis district are particularly aggressive and an escalation of those typically used against school systems to coerce payments.

In a dark web blog post and an online video uploaded Tuesday, the ransomware gang Medusa claimed responsibility for conducting a February cyberattack — or what Minneapolis school leaders euphemistically called an “encryption event” — that led to . The blog post gives the district until March 17 to hand over $1 million. If the district fails to pay up, criminal actors appear ready to post a trove of sensitive records about students and educators to their dark web leak site. The gang’s leak site gives the district the option to pay $50,000 to add a day to the ransom deadline and allows anyone to purchase the data for $1 million right now.

On the video-sharing platform Vimeo, the group, calling itself the Medusa Media Team, posted a 51-minute video that appeared to show a limited collection of the stolen records, making clear to district leaders the sensitive nature of the files within the gang’s possession. 

“The video is more unusual and I don’t recall that having been done before,” said Brett Callow, a threat analyst with the cybersecurity company Emsisoft. 

A preliminary review of the gang’s dark web leak site by ����Ӱ�� suggest the compromised files include a significant volume of sensitive documents, including records related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications. 

The video is no longer available on Vimeo and a company spokesperson confirmed to ����Ӱ�� that it was , which prohibits users from uploading content that “infringes any third party’s” privacy rights. 

As targeted organizations decline to pay ransom demands in efforts to recover stolen files, Callow said the threat actors are employing new tactics “to improve conversion rates.”

“This is likely just an experiment, and if they find this works they will do it more frequently,” Callow said. “These groups operate like regular businesses, in that they A/B test and adopt the strategies that work and ditch the ones that don’t.” 

Here’s a snippet of the video’s introduction (with all sensitive records omitted):

The Minneapolis school district hasn’t acknowledged being a ransomware victim, while Callow and other cybersecurity experts have been harshly critical of how it has disclosed the attack to the public. In , the district attributed “technical difficulties” with its computer systems to the referenced “encryption event,” a characterization that experts blasted as creative public relations that left potential victims in the dark about the incident’s severity. 

The district “has not paid a ransom” and an investigation into the incident “has not found any evidence that any data accessed has been used to commit fraud,” school officials said in the March 1 statement.  

In a statement to ����Ӱ�� Tuesday, the district said it “is aware that the threat actor who has claimed responsibility for our recent encryption event has posted online some of the data they accessed.” 

“This action has been reported to law enforcement, and we are working with IT specialists to review the data in order to contact impacted individuals,” the statement continued.

Minnesota-based student privacy advocate Marika Pfefferkorn called on the district to be more forthcoming as it confronts the attack. 

“First and foremost, they owe an apology to the community by not being explicit right away about what was happening,” said Pfefferkorn, executive director of the Midwest Center for School Transformation. “Because they haven’t communicated about it, they haven’t shared a plan about, ‘How will you address this? How will you respond?’ Not knowing how they are going to respond makes me really nervous.”

School cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange, said that district officials appear to have coined the term “encryption event,” but available information suggests the school system was the victim of “classic double extortion,” an exploitation technique that’s become popular among ransomware gangs in the last several years. 

With its video and dark web blog, Medusa may have spent “a little more time and energy” than other ransomware groups in presenting the stolen data in a compelling package, “but the tactics seem to be the same,” Levin said. “Now that we have a group coming forward with compelling evidence that they have exfiltrated data from the system and it’s actively extorting them, that’s all I would need to know to classify this as ransomware.”

In double extortion ransomware attacks, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if a ransom is not paid, criminals sell the data or publish the records to a leak site. 

Such a situation recently played out in the Los Angeles Unified School district, the nation’s second-largest school system. Last year, the ransomware gang Vice Society broke into the district’s computer network and made off with some 500 gigabytes of district files. When the district refused to pay an undisclosed ransom, Vice Society uploaded the records to its dark web leak site. 

District officials have sought to downplay the attack’s effects on students. But an investigation by ����Ӱ�� found thousands of students’ comprehensive and highly sensitive mental health records had been exposed. The district then acknowledged Feb. 22 that some 2,000 student psychological assessments — including those of 60 current students — had been leaked.

Districts that become ransomware targets could face significant liability issues. Earlier this month, the education technology company Aeries Software a negligence lawsuit after a data breach exposed records from two California school districts. District families accused the software company of failing to implement reasonable cybersecurity safeguards. 

Federal authorities have made progress in curtailing cybercriminals. In January, authorities seized control of a prolific ransomware gang’s leak site and earlier this month officials with ties to a Russian-based ransomware group that’s known to target schools. 

At least 11 U.S. school districts have been the victims of ransomware attacks so far in 2023, according to Emsisoft research. Last year, 45 school districts and 44 colleges. 

In Minneapolis, a lack of transparency from the district could put affected students and staff at heightened risk of exploitation, Emsisoft’s Callow said. 

“There absolutely are times when districts have to be cautious about the information they release because it is the source of an ongoing investigation,” he said. “But calling something a ransomware incident as opposed to an encryption event really isn’t problematic. Nor is telling people their personal information may have been compromised.”

Pfefferkorn, the Minneapolis student privacy advocate, said she’s concerned about the amount of data the school district collects about students and worries it lacks sufficient cybersecurity safeguards to keep the information secure. She pointed to Minneapolis schools’ since-terminated contract with the digital student surveillance company Gaggle, which monitors students online and alerts district officials to references about mental health challenges, sexuality, drug use, violence and bullying. 

The district said it adopted the monitoring tool in a pandemic-era effort to keep kids safe online, but the unauthorized disclosure of Gaggle records maintained by the district could make them more vulnerable, she said. 

There’s little recourse, she said, for students and educators whose sensitive records were already leaked by Medusa. 

“It’s already out there and that cannot be repaired,” she said. “There’s information out there that’s going to impact them for the rest of their lives.”

Its admission on Wednesday, which included the news that 60 current students’ records had been compromised, comes five months after the nation’s second-largest school district was the victim of a ransomware attack and four months after schools Superintendent Alberto Carvalho categorically denied that students’ psychological records were part of that breach.

“As the District and its partners delve deeper into the reality of the data breach, the scope of the attack further actualizes and new discoveries have been revealed,” Jack Kelanic, the district’s senior administrator of IT infrastructure, said in a statement. “Approximately 2,000 student assessment records have been confirmed as part of the attack, 60 of whom are currently enrolled, as well as Driver’s License numbers and Social Security numbers.”

����Ӱ�� published an extensive investigation by reporter Mark Keierleber Wednesday revealing that the records — among the most sensitive information school districts maintain on students — could be uploaded from a dark web leak site of the Russian-speaking ransomware gang Vice Society. The cyber criminal gang infiltrated LAUSD’s computer system last year and then released the records when the school district refused to pay an undisclosed ransom demand.

When presented with the results of ����Ӱ��’s investigation Tuesday, district officials did not retract or correct Carvalho’s earlier statements, which a district spokesperson said “were based on the information that had been developed at that time.” The comments were made in early October, about a month after the cyber attack was first reported, and at a point where school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web, according to the schools chief.

The district is now saying that notification to individuals whose information was posted has been slowed by the painstaking nature of the process and the fact that some of the records date back nearly 30 years. To comply with state privacy rules, the district posted to the California state attorney general’s office website in January disclosing that district contractors’ certified payroll records and their names, addresses and Social Security numbers were leaked.

School officials have not said anything publicly about notifying current or former students or district employees that their information has been compromised, but said Wednesday their investigation is ongoing and they “will continue notifying individuals as they are determined.” A day earlier, a district spokesperson told ����Ӱ�� that no current or former students had been informed that their psychological records were posted online.

The records identified by ����Ӱ�� were at least a decade old and involve special education students. They include a comprehensive background on the student’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning. 

“It could ruin careers, it could damage families, people could get fired, it could potentially increase the likelihood of self harm if they suffer some kind of mental trauma from it,” a cyber security expert told the Los Angeles Daily News it published on the district’s response to ����Ӱ��’s investigation. 

Hundreds — and likely thousands — of sensitive files were leaked online

People are likely unaware their health records were stolen

Because the district hasn’t disclosed the trove of records exists

And federal privacy laws don’t require schools to go public

Update: After this story published, the Los Angeles school district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.

Detailed and highly sensitive mental health records of hundreds — and likely thousands — of former Los Angeles students were published online after the city’s school district fell victim to a massive ransomware attack last year, an investigation by ����Ӱ�� has revealed. 

The student psychological evaluations, published to a “dark web” leak site by the Russian-speaking ransomware gang Vice Society, offer a startling degree of personally identifiable information about students who received special education services, including their detailed medical histories, academic performance and disciplinary records. 

But people are likely unaware their sensitive information is readily available online because the Los Angeles Unified School District hasn’t alerted them, a district spokesperson confirmed, and leaders haven’t acknowledged the trove of records even exists. In contrast, the district publicly acknowledged last month that the sensitive information of district contractors had been leaked. 

Cybersecurity experts said the revelation that student psychological records were exposed en masse and a lack of transparency by the district highlight a gap in existing federal privacy laws. Rules that pertain to sensitive health records maintained by hospitals and health insurers, which are protected by stringent data breach notification policies, differ from those that apply to education records kept by schools — even when the files themselves are virtually identical. Under existing federal privacy rules, school districts are not required to notify the public when students’ personal information, including medical records, is exposed. 

But keeping the extent of data breaches under wraps runs counter to schools’ mission of improving children’s lives and instead places them at heightened risk of harm, said school cybersecurity expert Doug Levin, the national director of the K12 Security Information eXchange. 

“It’s deeply disturbing that an organization that you’ve entrusted with such sensitive information is either significantly delaying — or even hiding — the fact that individuals had very sensitive information exposed,” Levin told ����Ӱ��. “For a school system to wait six months, a year or longer before notifying someone that their information is out on the dark web and being potentially abused is a year that those individuals can’t take steps to protect themselves.” 

In , the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted by cyber gangs “with potentially catastrophic impacts on students, their families, teachers and administrators.” Threats became particularly acute during the pandemic as schools grew more reliant on technology.  The number of publicly disclosed cybersecurity incidents affecting schools has grown from 400 in 2018 to more than 1,300 in 2021, according to the federal agency. 

When L.A. schools Superintendent Alberto Carvalho acknowledged in early October that the cyber gang published some 500 gigabytes of stolen records to the dark web after the district declined to pay an unspecified ransom demand, he sought to downplay its effects on students. An early news report said the leaked files contained some students’ psychological assessments, citing “a law enforcement source familiar with the investigation.” Carvalho called that revelation “absolutely incorrect.” 

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system and had exposed a limited collection of students’ records, including their names and addresses. 

The 500 gigabytes of stolen records include tens of thousands of individual files, including scanned copies of adults’ Social Security cards, passports, financial records and other personnel files. 

The systemic release of students’ psychological assessments stolen from the Los Angeles district and published to the dark web hasn’t been previously reported. Leaked psychological evaluations use a consistent file-naming structure, allowing ����Ӱ�� to isolate them from other types of district records that appear on the ransomware gang’s leak site, including those related to district contractors and files that are benign and do not contain confidential information. ����Ӱ�� has independently verified that 500 students’ sensitive psychological assessments are available for download as PDF files on the Vice Society leak site, reaching a federal threshold that would require health care providers to publicly disclose such a data breach if it involved patient health records. 

More than 2,200 PDFs — and a large swath of other document types — follow the consistent file-naming structure, suggesting the total number of leaked student psychological files is in the thousands. The records are at least a decade old and while they don’t appear to contain information about current students, they do contain highly personal information about former LAUSD students who are now in their 20s and 30s. 

In early October, Carvalho said that if their information got exposed in the data breach, assuring them, “No news is good news.” By that point, Carvalho said, school district and law enforcement analysts had already reviewed about two-thirds of the data leaked on the dark web. 

Now, more than four months after the schools chief denied that psychological evaluations were exposed, the nation’s second-largest school district has not changed its position publicly. A district spokesperson said that Carvalho’s statements in October “were based on the information that had been developed at that time” and that the review was still ongoing.

“Los Angeles Unified is in the process of completing its review and analysis of the data posted by the criminals responsible for the cyberattack to the dark web, to identify individuals impacted and to provide any required notifications,” the district told ����Ӱ�� in a statement. “Once Los Angeles Unified has completed its review and analysis of that data, Los Angeles Unified will provide an update,” to affected individuals and the public.  

‘Huge emotional strain for the family’

The particular files posted online — students’ psycho-educational case studies — are among the most sensitive records that schools keep about children with disabilities, said Steven Catron, senior staff attorney of the Learning Rights Law Center, a Los Angeles-based nonprofit that provides free legal representation to low-income families in special education disputes with their children’s school district.

The evaluations are how a student’s disabilities and other factors affect their learning. They include a comprehensive background on the child’s medical history, observations on their home and family life, and assessments of their cognitive, academic and emotional functioning. 

One of the reports notes that a student was placed in foster care “due to domestic violence in the home.” The student struggled with “a limited attention span” and often refused to complete his work, the report notes, and “is easily angered when he does not get his way.” Another states a student’s desire to “become a police officer so that he can ‘arrest people because they do drugs.’” A student’s father “works in a plant that makes airplane parts and speaks no English,” one report notes. “His mother is a librarian assistant and speaks a ‘little English.’” 

In general, Catron said, such reports can include details about a family’s immigration status, sexual misconduct allegations, unfounded child abuse reports or that a student has “been hitting other children or adults in a school environment.” Yet it’s often difficult for families to get sensitive information removed from the files, he said, even if it isn’t accurate. Now, with breached student records of this nature in the public domain, “who knows what is going to happen.”

“The sheer scope of information, like you’ve seen, it’s darn broad and pretty hurtful for people,” Catron said. “If those records include those types of notes, whether correct or not, it can just cause a huge emotional strain for the family.” 

The files themselves note that the assessment reports “may contain sensitive information subject to misinterpretation by untrained individuals” and that the “nonconsensual re-disclosure by unauthorized individuals is prohibited” by state law. 

Available files appear to be limited to former Los Angeles students born primarily in the late 1980s and 1990s. The age of the records highlight how potential data breach victims extend far beyond current students when districts suffer hacks, Levin, the cybersecurity expert, said. Students’ sensitive information can be exposed years or even decades after they graduate if districts lack sufficient data security safeguards.  

The timeline could also complicate any potential efforts by the district to find and notify affected individuals who could unknowingly face heightened risks including embarrassment, identity theft and extortion.

“Sometimes school districts will delay notifying until they can identify every last person that they possibly can, but that can be an expensive to impossible endeavor,” Levin said. “For a school district like LAUSD to try to track people who were associated with the district say 10 years ago, that’s a daunting task and clearly is very likely to be imperfect.”

The disclosure gap

Health care providers are held to strict data privacy rules and could face steep fines in the event of a data breach involving sensitive patient records. Agencies and businesses covered by the federal Health Insurance Portability and Accountability Act to publicly acknowledge health data breaches affecting 500 or more people and notify the U.S. Department of Health and Human Services “without unreasonable delay and in no case later than 60 days following a breach.” 

The Broward County, Florida, school district recently got caught in after the country’s sixth-largest school system suffered a ransomware attack in 2021 and refused to pay an extortion demand initially set at $40 million. In response, threat actors published to a dark web leak site the personal information of nearly 50,000 district personnel enrolled in its health plan. The Broward district is currently one of four K-12 school systems listed on maintained by the Department of Health and Human Services. The breach portal  — often referred to as the “Wall of Shame” — includes all data breaches affecting 500 or more people that were reported to the federal agency in the last 24 months. 

District officials in Florida ultimately — three months longer than federal rules allow — to disclose the breach’s full extent on its website, according to the South Florida Sun-Sentinel. In a statement, a district spokesperson told ����Ӱ�� the school system “worked diligently to investigate the incident.” Once officials realized that records related to the district’s self-insured health plan were breached, notifications to affected personnel and the federal health administration “required the gathering and sorting of significant amounts of data in order to determine the individuals to be notified.” 

“That process was complex and took substantial hours,” the spokesperson said. “Under the circumstances, notification was made in an expeditious manner.” 

The Broward district is a HIPAA-covered entity because it operates a self-insured health plan. But public schools under the health privacy law. And even when they are, students’ education records —  — are exempt. by the Family Educational Rights and Privacy Act, the federal student privacy law known as FERPA. The law prohibits student records from being released publicly but, unlike HIPAA, schools to disclose when such breaches occur.

“The same type of information is treated differently from a compliance standpoint depending on who is holding and maintaining that information,” said student privacy expert Jim Siegl, a senior technologist with the nonprofit Future of Privacy Forum. The federal privacy rules that apply to hospitals and schools “live in separate universes. If it’s maintained by the school, it’s FERPA. If it’s maintained by your doctor, the same information is HIPAA protected.” 

A are covered by HIPAA, the LAUSD district spokesperson said, but the psychological assessments are not. A data breach involving student’s records — like the one in Los Angeles — , according to the U.S. Department of Education. 

“FERPA requires the school to maintain direct control over the records,” Siegl said. “There is a lot that goes into a FERPA violation, but I would say that within the spirit of FERPA, they did not maintain direct control over the records.” 

Yet, consequences for violating FERPA are next to nonexistent. Districts if they have “a policy or practice” of releasing students’ records without parental permission, a high bar that excludes occasional violations. Since the law was enacted in 1974, it’s from a district that broke the rules. 

‘A psychological torment’

To , the Los Angeles district has been about the systemic breach of sensitive records about distinct construction contractors. In posted to the California state attorney general’s office website in January, the district said its investigation into the breach had uncovered certified payroll records and other labor compliance documents that included the names, addresses and Social Security numbers of district contractors. 

The data breach notice also made clear that cyber criminals had infiltrated the district’s computer network than initially disclosed. Carvalho said in October that district cybersecurity officials were quick to detect the unauthorized access and, “in a very, very unique way, we stopped the attack midstream.” 

The district spokesperson said LAUSD is working to determine whether any of the breached files are considered “medical information” under state law and whether a notification is required. Any data breach alert to the state attorney general’s office would coincide with notifications to affected individuals, the spokesperson said. 

Asked about the school district’s notification obligations for the trove of leaked student psychological records and whether it’s investigating the matter, an AG’s office spokesperson said in an email “we can’t comment on, even to confirm or deny, a potential or ongoing investigation,” and didn’t offer any other information. Reached for comment about the data breaches in Los Angeles and Broward County, a federal Department of Health and Human Services spokesperson said its civil rights division “does not typically comment on open or potential investigations,” and declined to say anything further. 

The Los Angeles district has for decades struggled with its obligations to provide special education services to children with disabilities. Last year, it reached to provide compensatory services to children with disabilities after an investigation by the U.S. Education Department’s civil rights office found it had failed to provide them during the pandemic. Parents and advocates said last month many children are still waiting for those services.

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried the data breach could further divert funds from those much-needed special education services. 

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, who serves as vice chair of the district’s Community Advisory Committee for Special Education. But she acknowledged it “would be very disturbing” if her own child’s psychological evaluations were leaked online. 

“Our middle son is a very private person and this could be a psychological torment to him knowing that personal observations about him were out there,” she said. “That would be very devastating to him.”

During in 2014, Pesicka was one of thousands of Sony Pictures employees that had their private information exposed in the midst of aggressive attacks by a North Korean hacker group.

Now, as a mom, Pesicka worries about protecting her son Jackson, a 1st grade Playa Vista Elementary School student, so history doesn’t repeat itself.

“When you’re a kid, you won’t ever see a credit report and find out that there’s something on there until you go off to college,” Pesicka said in an interview. “By that time, somebody has had 15 years to rack up a bunch of different credit cards or properties or whatever else on your kid’s account…so that’s very concerning.”

Like Pesicka, LAUSD parents have raised concerns about the district’s response to the cyberattack, ranging from long term data protection to how well a hotline — created to answer parents and staff questions — is working. 

The public release of about 500 gigabytes of stolen district data was posted on the dark web Saturday by Vice Society, a Russian-speaking ransomware gang known to target school districts.

After the district and law enforcement analysts reviewed about two-thirds of the data, LAUSD Superintendent Alberto Carvalho assured students, parents and employees that there is no reason for widespread concern.

“The release was actually more limited than what we had originally anticipated,” Carvalho said in a Monday downplaying the damage done.

Carvalho said any exposed student data – including names, academic information and personal addresses – was between 2013 and 2016, insisting most middle and high school students during that period already graduated.

For now, Carvalho confirmed students who did have their data breached will be contacted and offered credit monitoring services.

But many parents were not convinced the superintendent’s response was enough to ease their concerns about the cyberattack.

When Pesicka’s private information was exposed, Sony offered her one year of credit monitoring. But she found out years later she had a stolen identity and social security number.

“I had three people working under my social security number and I had my identity compromised,” Pesicka said in an interview. “Anybody who’s been through identity theft knows how difficult it is and how there’s not really a streamlined process or way to scrub your information.”

Teresa Gaines, the mom of 2nd and 3rd grade students at Grand View Boulevard Elementary School, was troubled by Carvalho’s response because it didn’t provide the urgency she was hoping for.

“Some people don’t realize how serious this can be because what if five or ten years from now our kids go to college and all of a sudden they get denied entrance because of something that is not their fault…or somebody uses that data to cause issues that prevent them from getting into certain programs or denied work,” Gaines said in an interview.

Gaines also said LAUSD should provide more targeted outreach to families through “town halls” and “informational webinars” so parents could ask questions about the cyberattack.

She is particularly concerned by the release of psychological assessments, which Carvalho insisted did not happen during his press conference. However, the Los Angeles Times did find .

For Jenna Schwartz, the mom of a 7th grade student in North Hollywood, Carvalho’s response left her cautiously optimistic.

“If I find out I was impacted…but it was just my child’s school photograph from 2013 and his attendance record, I don’t care as much,” Schwartz said in an interview. “If it was my social security number and bank information, those are two very different scenarios.”

Carvalho pointed parents to the district’s hotline, available Monday through Friday and this weekend for additional questions or support on the cyberattack.

But parents reported long wait times, and limited hours and information when the hotline began earlier this week.  

“Unless you ask a question that fits into their script, they don’t really have a response,” Pesicka said in an interview. “And even if you do, you’re getting a very robotic response.”

In addition, Schwartz noted that she’s “not sure what good the hotline is at this point other than sort of just to make people feel better.”

After a request for comment, a spokesperson from LAUSD referred back to Carvalho’s statement on the cyberattack: 

The hotline hours have been updated to weekdays from 8 a.m. to 8 p.m. and this weekend from 6 a.m. to 3:30 p.m.

According to the initial , hackers used ransomware to freeze and disable some LAUSD systems. The Vice Society ransomware gang then reportedly published a trove of sensitive district records this past weekend, though LAUSD superintendent Alberto Carvalho sought to downplay the damage done at a Monday press conference, particularly as it relates to records about individual students. 

Authorities have said there’s no evidence confidential student information — such as social security numbers or health insurance — has been breached. Last month the district confirmed a ransom demand by the hackers, but Carvalho said there had been no response. 

“School districts are often vulnerable targets to these kinds of attacks because they are large, have many employees, and many other users including students and parents who have access to at least some parts of the system,” said Clifford Nueman, an expert on computer security and professor at USC’s Viterbi School of Engineering in an email to LA School Report. 

“What makes LAUSD an attractive target to criminals deploying ransomware is the number of individuals that are affected when LAUSD systems become unavailable,” Neuman added. 

Dr. Joseph Greenfield, Associate Professor of Practice at USC and an expert on digital forensics, offered three tips on how LAUSD families — as well as parents at any school district across the country — can keep their private data protected:  

1. LAUSD devices should be used exclusively for LAUSD services: 

In order to prevent personal information from even reaching school’s data networks, parents should ensure students are using their LAUSD devices strictly for school purposes. While students may often play online games or indulge in social media content… with their LAUSD devices, these interactions are threatening due to sensitive student content reaching the school’s information history. 

2. Download a Password Manager: 

A password manager is an application tied to a subscription based service, most commonly seen through websites offering to generate customized passwords for their user. Popular examples include Apple Keychain and Dashlane. 

Essentially these programs are targeted towards not repeating passwords across the wide array of sites student’s use on a daily basis. If each application has an individual separate lock, then a compromise of one account does not lead to a compromise of all accounts.

3. Use a Multifactor Authentication Process: 

Multi Factor authentication is a process which can be implemented… in any and all accounts. With the installation of this software, everytime there is a login attempt the user must present two or more forms of evidence to verify their identity. The credentials that students would need to provide may translate to them receiving a confirmation text or needing to approve login through authentication apps such as DUO. Each and every time students log in, they should be required to undergo this process of identity confirmation. 

This article is part of a collaboration between ����Ӱ�� and the USC Annenberg School for Communication and Journalism.

Sara Balanta is an undergraduate student at the USC Annenberg School for Communication and Journalism pursuing a Bachelor’s degree in Journalism. She is a 2022 Dragon Kim Foundation Fellow where she hosts a project called “Teacher’s Aide +”, which conducts free renovations in schools to help brighten campus environments. Aside from writing her passions include youth activism, media culture and music.

The Vice Society ransomware gang reportedly published over the weekend a trove of sensitive student records from the Los Angeles school district. The data was posted to the gang’s dark-web “leak site,” after education leaders refused to pay — and at first even acknowledge — a ransom. 

Yet in a press conference Monday, Superintendent Alberto Carvalho sought to downplay the damage done, particularly as it relates to records about children. An said that student psychiatric evaluation records had been published online, citing a confidential law enforcement source. That reporting, Carvalho said, is “absolutely incorrect.”

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system. The “vast majority” of exposed student data, including names, academic information and personal addresses, was from a period between 2013 and 2016. “That is the extent of the student information data that we have seen.”

Roughly 500 gigabytes of district data was made public on Sunday by the Russian-speaking ransomware gang, which took credit for stealing the district records in a massive data breach last month. The full scope of the information released is unclear, yet after reviewing about two-thirds of the data, Carvalho said that “so far, based on what we’ve seen, critical health information or Social Security numbers for students,” is not included.

Carvalho confirmed on Sunday that LAUSD’s data had been published on the dark web, but did not verify the type of data that was leaked. On Monday, he said that information from private-sector contractors, particularly those in construction, appeared most impacted. Breached records include contracts, financial information and personally identifiable data, Carvalho said.

Cybersecurity experts have warned that the release of district data could come with significant risks for current and former students. Children’s Social Security numbers are particularly valuable to identity thieves because they can be used for years without raising alarm.

James Turgal, a former executive assistant director for the FBI Information and Technology Branch, said it’s particularly important for officials to protect the sensitive data of children, who may “find out they own a condo in Bora Bora under their name 15 years from now” because their information was exploited. 

Turgal, now the vice president of cyber risk and strategy at Optiv Security, praised the district’s decision to withhold payment.

“There’s no upside to ever paying a ransom,” said Turgal, “More likely than not, even if LAUSD would have paid the ransom, [Vice Society] still would have disclosed the information” on their leak site. 

Carvalho made it clear in several statements the district had no intentions of paying up, possibly prompting the criminals to publish the stolen data earlier than planned. Vice Society, which took credit for a massive data breach that caused widespread disruptions at America’s second-largest school district, had initially . 

“What I can tell you is that the demand — any demand — would be absurd,” Carvalho told the Los Angeles Times. “But this level of demand was, quite frankly, insulting. And we’re not about to enter into negotiations with that type of entity.” 

In a statement, the district acknowledged that paying a ransom wouldn’t ensure the recovery of data and asserted that “public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate. We continue to make progress toward full operational stability for several core information technology services.” 

The district announced on Sunday a new hotline available to concerned parents and students seeking information about the breach. A district spokesperson declined to comment further. The district has also not revealed details of Vice Society’s demand.

In an email to ����Ӱ��, Vice Society said they published the district data because “they didn’t pay,” and acknowledged the “ransom demand was big” without providing a specific figure. Asked what makes school districts attractive victims for such attacks, the group offered a brief explanation: “Maybe news? Don’t know … We just attack it =).”

Over the weekend, they that they demanded a ransom weeks earlier than district officials have publicly acknowledged. Asked about the size of the ransom, the group replied, “let’s say that it was big =).”

Since the breach was disclosed, district officials have been working with federal authorities at the FBI and Cybersecurity and Infrastructure Security Agency, which the ransomware group says has “wasted our time,” in an email that federal authorities were “wrong” to advise the district against paying. 

“We always delete documents and help to restore network [sic], we don’t talk about companies that paid us,” the group told the news outlet. “Now LAUSD has lost 500GB of files.”

����Ӱ�� has not reviewed the data published to the Vice Society leak site. Doug Levin, the national director of The K12 Security Information eXchange, said Monday he was unable to independently verify information posted to the leak site, suggesting that it may have been the victim of a hack. But once the data was published online, he said, it’s impossible to rein it back in.

“You have to assume that it has been compromised by nefarious actors who have copied it down and the damage, therefore, is done,” Levin said. 

For example, while Vice Society likely posted most of the data it exfiltrated onto its leak site, they may have held onto the most sensitive data like Social Security numbers to sell on a dark web marketplace, often for identity theft.

Now that sensitive data has been disclosed, the district must formally notify victims that their information was compromised and provide advice on how to best protect themselves, Levin said. The district may find themselves on the hook for as much as $100 million in medium-term recovery costs, Levin noted, to improve their cybersecurity infrastructure and work to prevent another attack in the future.

He said it’s important that affected educators, parents and students . The district announced plans to provide credit monitoring services to victims, but Levin said that victims should consider freezing their credit. 

“The school district itself is likely going to be facing a crisis of confidence in its school community about its ability to keep data and their IT systems safe and secure,” Levin said. “Ultimately, they’re going to have to be able to answer the question of why they can be trusted to safeguard that personal information going forward.” 

As the shady ransomware gang Vice Society took credit for a hack that sent Los Angeles school officials scrambling last week, cybersecurity experts noticed something peculiar. 

Vice Society, an “intrusion, exfiltration and extortion” group that experts believe is based in Russia, has become notorious for waging cyber warfare against K-12 schools, leveraging the theft of sensitive data to demand a ransom. to prevent hackers from publishing private records on dark-web outposts.  

So what’s a ransomware attack without a demand for money?

“We have not received a ransom demand, nor have we sought a direct communication with the entity,” Superintendent Alberto Carvalho said at a Friday news conference, nearly a week after the breach was detected.

On Tuesday, the L.A. school board an emergency declaration allowing Carvalho, who took the helm at the nation’s second-largest school district in February, to expedite contracts for cybersecurity for a year without competitive bidding.

The new superintendent’s statements are “not consistent” with Vice Society’s extortion playbook, said Alex Holden, founder and chief information security officer of Milwaukee-based Hold Security, a computer security firm that warned the district in 2021 about a cyber vulnerability. 

Holden said he fears “a missing link” between the district and the threat actors, who are “definitely known to send out a ransom note because that’s how they get paid.” Vice Society has made clear that money is the primary motive for the cyber attack on L.A. schools, which the group says it carried out but has not provided evidence to substantiate its claims.

Holden is not the only one trying to read between the lines.

“One big question everybody has is, ‘Did they pay, are they going to pay the extortion demand?’” said Doug Levin, national director of The K12 Security Information eXchange.

Levin and other cybersecurity experts have a few theories. 

For one, it could be the case of carefully worded messaging. While Carvalho noted that the district has not “sought a direct communication with the entity,” the superintendent’s comments don’t “seem to rule out that someone on their behalf may be in touch with Vice Society,” Levin said, adding that “nothing in their response or in what Vice Society has said or done rules out paying extortion and much is consistent with it.”

In previous attacks, districts have declined to recognize ransom demands unless they come through official channels, he added, and it’s possible that “a pop-up on a computer screen is not a valid way of communication to a district and therefore it does not count as being received.” 

It’s possible, Holden said, that a ransom note failed to reach an audience. When organizations learn they’ve been compromised, they sometimes react by defending themselves overzealously and the ransom note winds up getting blocked, he said. 

“The organizations typically tend to lose these notes, block them or don’t report them,” he said. If someone reports a phishing attempt to IT, email administrators tend to purge the message and future communications. “So they basically didn’t block the phishing email, but potentially they blocked the ransomware note.”

But there could be another explanation for the missing ransom — one of success. When district officials moved quickly to take their computer systems offline after detecting the breach, they could have effectively eliminated the threat before the demand was made. 

“If there’s enough notoriety about it and they didn’t get far enough to actually encrypt enough or exfiltrate enough data, I’ve seen the threat actors abandon it,” cyber crime expert James Turgal told ����Ӱ��. “When law enforcement gets involved, that’s when those guys start getting really nervous.”

In his press conference, Superintendent Carvalho never called out the hacking group by name but noted that federal law enforcement officials working on the criminal investigation have “intimate knowledge” of the bad actors. 

While some cyber criminals steer clear of attacks on schools and hospitals, Vice Society — whose dark web “leak site” is styled after the video game — has no such code, Holden said.

“These guys don’t have this stop and that’s extremely disturbing because this may indicate that they won’t stop for anything,” he said.  

Reporters have received brief responses from an email address that federal law enforcement officials say is controlled by the cyber gang. In their replies, the group and of files from compromised district servers. In an email to The Associated Press, the group offered a simple explanation: “We are not political organization, so everything is just for money and pleasure =).” 

����Ӱ�� contacted Vice Society to request information about its ransom demand and the records it stole. In a brief response, the group said it would provide “all answers after they appear on our website,” suggesting that the L.A. data would be leaked if negotiations fail. 

Even without a ransom, recovering from the attack will likely cost the districts millions of dollars, experts said. As such attacks on schools have become more frequent, districts face steep cyber liability insurance of as much as 300 percent. In 2021, a total of 67 ransomware attacks against U.S. schools and colleges cost an in downtime and recovery costs. In May, Lincoln College in Illinois announced it would after becoming the target of a cyber attack. 

‘Surveillance and grooming of our own systems’

Los Angeles Unified School District, which serves more than 500,000 students, joins the ranks of districts nationwide on the receiving end of ransomware attacks in recent years, falling victim on the Saturday night of the four-day holiday weekend. The LAUSD breach appears to be part of a growing trend of back-to-school hacks, which take advantage of a chaotic moment when district cybersecurity officials are particularly busy. 

“If you were looking to extort a school district and increase the leverage on them to meet an extortion demand or a ransom demand, this time of the school year would be among the best to do it,” Levin said. “We have seen, over the last several years, that ransomware actors have taken advantage of that fact at the beginning of the school year to extort districts out of millions of dollars of money in demands.”

As hackers were carrying out the attack, district technology officials detected “unusual live data movement,” and made the unprecedented decision to shut down the district’s computer system — a move “that itself caused a number of challenges,” Carvalho said, but prevented “other more essential elements.” 

While a district facilities system was a primary target in the hack, Carvalho acknowledged that hackers had “touched” the online student management system. The facilities system includes information on contracts and non-sensitive records, he said, and it remains unclear whether the threat actors were able to acquire sensitive student information. 

“It is quite possible, even likely, that for a period of time in advance of the actual attack, there was a degree of surveillance and grooming of our own systems,” Carvalho said, suggesting threat actors rummaged through district data prior to launching the ransomware scheme. L.A. Unified was currently in the process of rolling out passwords with multi-factor authentication, but Carvalho acknowledged the security measure had not been finalized before the breach. 

The criminal investigation into the attack involves officials from the Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In , federal officials warned that Vice Society actors were “disproportionately targeting the education sector with ransomware attacks” that have led to “delayed exams, canceled school days and unauthorized access to and theft of personal information.” Schools may be “particularly lucrative targets,” the advisory said, because they retain a large amount of sensitive student information. 

Turgal, the vice president of cyber risk and strategy at Optiv Security, offered a harsh critique of L.A. Unified’s response, noting that officials had been previously warned about vulnerabilities.

“They’re doing the right things,” but a speedy response to eliminate threats from servers is critical, said Turgal, a former executive assistant director for the FBI Information and Technology Branch. “Their response was very measured, but it was very slow.”

The district declined to comment.

While schools reopened after the Labor Day weekend as scheduled, the breach came with substantial disruptions and confusion for the 540,000 students and 70,000 district employees who were required to reset their passwords and were unable to access online platforms. 

“From my students, I could tell they were frustrated,” said Nancy Soni, an 11th grade English teacher in East Los Angeles. “A lot of them didn’t really understand what it meant to be hacked.”

‘A wake-up call’

Outside Los Angeles, ransomware attacks have delivered a serious blow to districts nationwide, crippling their finances with extortion demands and recovery costs. 

In Baltimore, saddled the county school district with some $10 million in recovery costs. Costs are similar in Buffalo, New York, where the district was last year but declined to pay the ransom. When education leaders in Broward County, Florida, declined to pay a $40 million ransom demand after district accounting and financial records were stolen, hackers posted some 26,000 files on the dark web. 

In fact, this isn’t Carvalho’s first experience dealing with a data breach. In 2020, while he was superintendent in Miami, Florida, the to a cyber attack on the first day of virtual classes. A 16-year-old district student who took credit for the attack to a year of probation. 

Back in L.A., district leaders were warned on multiple occasions in the last several years that their cybersecurity safeguards weren’t up to snuff and that data had been compromised. 

In January, 2021, the district inspector general of an information security audit that identified lapses that required an “immediate remedy” including “significant risks around passwords and credentials” and the lack of incident response planning and preparation. 

Having been presented with “a laundry list of things that should have been done,” it’s critical to understand how the district responded to the audit, said Turgal of Optiv Security. 

Carvalho also expressed concern about how the report’s recommendations were handled, saying his “first order of business” is to “actually understand that report and ask the tough questions about why were a number, if not the majority of these measures, not acted upon.” 

A month later, in February, 2021, cybersecurity experts with Hold Security used an intermediary to inform L.A. district leaders of more bad news. The computer for a school psychologist who was working from home had become compromised, Holden said, likely after she was duped by a phishing email. 

District officials worked quickly to patch the hole and there’s no evidence to suggest it contributed to the recent ransomware attack, but Holden said it should have served as “a wakeup call’ and suggests that LAUSD probably hadn’t “put enough safeguards in place to prevent something like this.” 

The incident also highlights the reality that cybersecurity attacks on school districts can net highly sensitive data about children, Holden said. 

“Imagine what kind of sensitive information, especially about minors, this person might have within her computer or within her access,” he said. Compromised data from a school psychologist is “the worst-case scenario of what the bad guys could steal, something that would be directly harmful to kids.” 

Soni, the English teacher, said that hackers’ potential access to sensitive information is concerning. As an educator in the district, she said she has access to a significant amount of information about students, including their addresses, phone numbers and whether they’re in special education.

“There’s a lot on there, and to have everybody’s personal history be jeopardized, that is scary,” she said. “One of my concerns is having the wrong people have access to information about me, and information about my students.” 

LA School Report freelancer Destiny Torres contributed to this report