Hackers Posting Private Files of Children Following School Cyberattacks
Ransomware gangs have stolen confidential documents from schools and released them online, revealing deeply personal and distressing information. These documents provide explicit details about student sexual assaults, psychiatric hospitalizations, abusive parents, truancy, and even suicide attempts.
“Please do something,” one student pleaded in one leaked file, recalling the trauma of repeatedly running into her former abuser at a Minneapolis school. Other victims spoke of wetting the bed or crying themselves to sleep.
Complete sexual-assault case files containing that information were among more than 300,000 files released online in March after 36,000 students in Minneapolis Public Schools refused to pay a $1 million ransom. Other exposed data included patient records and discrimination complaints.
The nation’s schools, rich in digitized information, are prime targets for far-flung criminal hackers who busily seek out and harvest sensitive files.
Districts, often cash-strapped, are woefully ill-equipped not only to defend themselves but also to respond diligently and openly under attack, especially as they struggle to help children survive the pandemic and contend with shrinking budgets.
In the months since the Minneapolis attack, administrators have not followed through on their promise to notify individual victims. Unlike hospitals, there is no federal law requiring this notification from schools.
The Associated Press reached out to the families of six students whose sexual assault cases came to light. The reporter’s message was the first time someone warned them.
“The truth is, they didn’t inform us of anything,” said the mother, whose son’s case file contains 80 documents.
Even when schools detect a ransomware attack in progress, the information is usually already gone. That’s what the Los Angeles Unified School District did last Labor Day weekend, but the private paperwork of more than 1,900 former students — including psychological evaluations and medical records — was leaked online. It wasn’t until February that district officials revealed the full extent of the breach.
It turns out that the lasting legacy of school ransomware attacks isn’t school closures, recovery costs, or even skyrocketing cyber insurance premiums. Staff, students and parents are traumatized by the exposure of private records online – which AP found on the open internet and dark web.
“There’s a huge amount of information being published online, and no one wants to see how bad it all is. Or if someone is looking, they’re not publishing the results,” said analyst Brett Callow of cybersecurity firm Emsisoft.
Other major areas that have recently been hit by data theft include San Diego, Des Moines and Tucson, Arizona. While the severity of these hacks remains unclear, all have been criticized for either being slow to admit they fell victim to ransomware and delaying notifying victims — or both.
CYBER SECURITY TRAINING IS A MUST
While other ransomware targets have strengthened and segmented networks that encrypt data and require multi-factor authentication, school systems have been slower to respond.
Ransomware has likely already affected well over five million U.S. students, and the number of district attacks will increase this year, said Allan Liska, an analyst at cybersecurity firm Recorded Future. According to a study by the Center for Internet Security, a federally funded nonprofit organization, nearly one in three U.S. districts was breached by the end of 2021.
Just three years ago, criminals weren’t routinely capturing data in ransomware attacks, said TJ Sayers, director of cyberthreat intelligence at the Center for Internet Security. Now it’s common, he said, and much of it is sold on the dark web.
The perpetrators of the Minneapolis theft were particularly aggressive. They shared links to the stolen data on Facebook, Twitter, Telegram and the dark web, which cannot be accessed by regular browsers.
Minneapolis parents who were notified by the AP about the leaked sex-crime reports feel like they’re being double-victimized. Their children have battled PTSD, and some even dropped out of school. Now this.
“The family is absolutely horrified to learn that this highly sensitive information is now constantly available on the Internet for the child’s future friends, romantic interests, employers and others to find,” said Jeff Storms, an attorney for one of the families. AP’s policy is not to identify victims of sexual abuse.
Minneapolis Schools spokeswoman Crystina Lugo-Beach would not say how many people have been contacted so far, and did not respond to other AP questions about the attack.
Despite the frustration of parents and teachers, schools are routinely advised by incident response groups, concerned about legal liability issues and ransom negotiations, to be more open, said Emsisoft’s Callow. Minneapolis school officials apparently followed that playbook, mysteriously describing the Feb. 17 attack as a “system crash,” then “technical difficulties,” and later a “cryptographic incident.”
However, the extent of the breach became clear when the ransomware group released a video of the stolen data and gave the district 10 days to pay the ransom before the files were leaked.
The district refused to pay, following the FBI’s standing advice that ransoms encourage criminals to target more victims.
SCHOOL USERS TECH BUDGETS FOR LEARNING TOOLS, NOT SECURITY
During the COVID-19 pandemic, districts prioritized internet connections and distance learning. Researchers at the University of Chicago and New York University found that security got short shrift when IT departments invested in software to track student engagement and performance, often at the expense of privacy and security.
Cyber security money for public schools is limited. Currently, the districts can only wait for parts to be distributed among 3,600 different entities. State lawmakers provided an additional $22.5 million in grants for cyber and physical school security.
It’s too late for the mother of a Minneapolis student whose confidential sexual assault complaint was posted online. He almost feels “offended again”.
“All the stuff that we kept private,” he said, “it’s there. And it’s been there for a long time.”