Ransomware Attacks on Schools: Shocking Revelations of Stolen and Exposed Confidential Documents

The confidential documents stolen from schools and dumped online by ransomware gangs are crude, intimate and graphic. The documents describe sexual assaults on students, hospitalizations in psychiatric hospitals, abusive parents, truancy - even suicide attempts. Full sexual assault case files containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Other data exposed included medical records and discrimination complaints.

"Please do something," pleads a student in one of the leaked files, recalling the trauma of constant encounters with the former perpetrator at a Minneapolis school. Rich in digital data, the nation's schools are prime targets for high-profile criminal hackers, who diligently search for and retrieve sensitive files not so long ago stored in locked cabinets, in which case cybercriminals say everyone has a key. Parents are instead pushing to spend limited funds on things like bilingual teachers and new soccer helmets, said Albuquerque school superintendent Scott Elder, whose district suffered a ransomware attack in January 2022.

Often underfunded, districts are ill-equipped not only to defend themselves, but also to respond diligently and transparently when attacked, especially as they struggle to help children catch up from the pandemic and grapple with shrinking budgets. Months after the Minneapolis attack, administrators have yet to fulfill their promise to notify individual victims. Unlike hospitals, there is no federal law requiring this notification from schools. The Associated Press contacted the families of six students whose sexual assault case files came to light. A message from a reporter was the first to alert them.

Even when schools know a ransomware attack is underway, the data is usually already gone. That's what the Los Angeles Unified School District found last Labor Day weekend, only to see the personal documents of more than 1,900 former students - including psychological evaluations and medical records - leaked online. It wasn't until February that district officials revealed the full dimensions of the breach.

The lasting legacy of school ransomware attacks, it turns out, is not in school closures, recovery costs, or even soaring cyber insurance premiums. Rather, it's the trauma to staff, students and parents of online exposure of personal data - which AP found on the open internet and dark web.

Other large areas recently stung by data theft include San Diego, Des Moines and Tucson, Arizona. While the severity of the hacks remains unclear, all have been criticized for either being slow to admit they had been hit by ransomware, or slow to notify victims - or both. While other ransomware targets have fortified and segmented networks, encrypted data and required multi-factor authentication, school systems have been slower to react.

Ransomware has likely affected more than 5 million US students at this point, with district attacks expected to increase this year, said analyst Allan Liska of cybersecurity firm Recorded Future. Nearly one in three US districts had been breached by the end of 2021, according to a survey conducted by the Center for Internet Security, a government-funded nonprofit.

The criminals in the Minneapolis theft were particularly aggressive. They shared links to the stolen data on Facebook, Twitter, Telegram and the dark web, which is inaccessible to standard browsers. Parents in Minneapolis notified by AP of the leaked sexual assault complaints feel doubly victimized. Their children have battled PTSD, and some have even left their schools. Now this.

The cybercrime syndicate behind the Los Angeles Unified attack was not particularly bold. However, the 500 gigabytes it dumped on its dark web "leak site" remained freely available for download in June. The data included financial records and personnel files with scans of Social Security cards and passports. Public disclosure of psychological records or sexual abuse case files, complete with student names, can be mentally disruptive and derail careers, psychologists say. One file stolen from Los Angeles Unified described how a high school student had attempted suicide and was in and out of psychiatric hospitals a dozen times a year. The extent of the breach became clear when a ransomware group posted a video of the stolen data, giving the district 10 days to pay the ransom before leaking the files. The district refused to pay, following advice from the FBI, which said that ransoms encourage criminals to target more victims.

Districts are prioritizing spending on internet connectivity and distance learning during the COVID-19 pandemic. According to the findings of University of Chicago and New York University researchers, security is becoming less of a concern as IT departments invest in software to track student engagement and performance, often at the expense of privacy and security. Cybersecurity funding for public schools is limited. Currently, districts can only expect a fraction of the $1 billion in cybersecurity funds distributed by the federal government over four years.

Minnesota's chief information security officer, John Israel, said his state is getting $18 million of the fund this year to distribute to 3,600 entities. State lawmakers provided an additional $22.5 million in grants for cyber and physical security at schools.