Medusa – 社区黑料
America's Education News Source

Providence Students’ Data Exposed in Cyberattack – District Denies Leak
Fri, 18 Oct 2024

Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month.

A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by 社区黑料 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain – and district officials have denied the leaked records exist.

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

An analysis by 社区黑料 of the stolen files – posted by the threat actors to the messaging platform Telegram – indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students.

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.”

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (Screenshot).

In a statement to 社区黑料 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

Wégimont’s statement doesn’t acknowledge that students’ records had been compromised.

The district’s failure to acknowledge the breach affected students and parents – even after being informed otherwise – is “a massive violation of trust with communities,” student privacy expert Amelia Vance told 社区黑料.

“People should be aware – especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.”

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office – and in letters to the individuals themselves – that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Javier Montañez

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days – but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials.

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday.

“No one had actually gone in to see the files,” he told 社区黑料, although the district had said it was conducting an ongoing analysis.

Providence Public School District documents leaked after a data breach and redacted by 社区黑料. (screenshot)

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said.

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request – and denial – for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

A Providence Public School District student’s vaccine record. 社区黑料 cropped the photo above to remove the student’s name. (Screenshot)

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles

The Medusa attack and Providence’s response is similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district – what officials there vaguely called an “encryption event” – the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack – and only after a joint investigation by 社区黑料 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office.

The Providence district records available on Telegram are extensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records – like those pertaining to student civil rights investigations, security plans and financial records – a tally of the total number of affected Providence district data breach victims is unknown.

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw.

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In – and the same day that Medusa’s ransom deadline expired – Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records.

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

Louisiana District Failed to Notify Thousands of Leaked Info After Cyberattack
Mon, 04 Dec 2023

This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it – even after her Facebook got hacked.

Now, she’s left to wonder whether the two are connected.

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by 社区黑料 and The Acadiana Advocate revealed. The reporting included a data analysis by 社区黑料 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels – enough to prompt the Biden White House to convene an August summit on how to tackle the threat – and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered.

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark.

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims.

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays.

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

Spreadsheets that listed St. Landry Parish students with their personal information were uploaded to Telegram following the cyberattack. (Screenshot)

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

Superintendent Milton Batiste III (Brad Kemp/The Acadiana Advocate)

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog – a front of sorts – and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists.

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit.

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked – especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach.

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.”

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop.

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

Records leaked following the St. Landry Parish School Board hack include sensitive information for thousands of current and former teachers, along with information about their children. (Screenshot)

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths.

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes.

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

An income tax return is among the thousands of sensitive files uploaded to the internet after a cyberattack hit the St. Landry Parish School Board. (Screenshot)

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach – a reality she called “alarming.”

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years.

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.”

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link.

“It’s a question of them throwing their fishing hook in the barrel – and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.”

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said.

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

Birth certificates and other personal files were uploaded to the internet in the wake of a cyberattack on the St. Landry Parish School Board. (Screenshot)

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed.

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St. Landry should take immediate steps to protect breach victims – including a notification to the state cybersecurity commission, said Donnelly, its executive director.

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves.

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.

Minneapolis Data Breach a ‘Worst-Case Scenario’ after Ransomware Attack
Fri, 05 May 2023

Updated

It took two years of middle school girls accusing their Minneapolis English teacher of eyeballing their bodies in a “weird creepy way,” for district investigators to substantiate their complaints.

Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public Schools investigative records that are now readily available online – just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

The files, purportedly stolen from the Minneapolis school district, first appeared online in March, just days after a ransomware gang named Medusa announced the school system failed to pay $1 million to keep its information from getting posted to the web. 

In a leaked 2018 email, a district official seems to make light of the frequency of civil rights complaints after several girls accused their high school Arabic teacher of inappropriate touching. 

“When it rains, it pours, I guess!” the district official wrote. In other documents, an educator was accused of buying a colleague a lap dance during an afterwork outing to a strip club and, in a separate incident, a district technology specialist was accused of hacking into a girl’s social media to stalk her on a date. The veracity of the files hasn’t been confirmed by Minneapolis schools but by all appearances, they expose a shocking degree of information about current students and staff.

The information is so searingly personal that attorney and student privacy consultant Amelia Vance said she would have a hard time strategizing a mitigation response. 

“I’m an expert in this and I have no idea,” Vance, president of the Public Interest Privacy Center, told 社区黑料.

The records were uncovered in an analysis by 社区黑料 of a cache of files reportedly stolen from Minneapolis schools and uploaded to the internet after the district fell victim to what it euphemistically described as an “encryption event.” The Medusa gang, a that adopts a clumsy, perhaps youthful online persona, ultimately took credit for the February breach that led to .

The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse.

Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns.

“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.”

She’s also struggled to give meaningful advice to anxious parents who need help.

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.’”

‘A rock over their head’

While the oldest breached records span back to at least 2018, the most recent files, including several related to confidential civil rights cases, are from earlier this year. Some of the files — which were previewed in a 50-minute video — can be read with little more than a Google search.

The way the files were uploaded is “part of what makes this incident so heartbreaking and extraordinary,” Vance said.

Breaking from standard procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as 社区黑料 first revealed, download links were published to Telegram, the encrypted instant messaging service, and a faux technology news blog that appears to have direct ties to the ransomware attackers. Unlike breaches posted to the dark web, which require special tools and some know-how to access, Vance said “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”

The files include district financial records, educators’ Social Security numbers and other documents that have long been targets for cyber criminals looking to facilitate identity theft. Yet Vance said the real harm — and a distinguishing feature — of the Minneapolis breach is the sheer volume of compromising information about students and staff that has been exposed.

The district didn’t respond to a list of questions from 社区黑料. In its , from April 11, interim Superintendent Rochelle Cox said it has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.” While a small subset of the data was previewed in a video in early March, a download link for the complete archive of stolen district records didn’t become available until late March. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7, but does “not have the results of that investigation.”

Because the harm from ransomware attacks has long been framed through the lens of identity theft and fraud, robust protections are now in place to help the victims of financial crimes, Vance noted. Parents can freeze their children’s credit. People can also cancel any credit cards that get caught up in a breach, and districts regularly provide identity theft protection to data breach victims.

After the release of highly sensitive information, she said there are no clear remedies for something that could be potentially life altering for victims.

“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?”

‘Potentially catastrophic’

Federal law enforcement officials have long advised school districts and other cybercrime victims against paying ransom demands, but the sheer volume and sensitive nature of the breached Minneapolis files has left some experts questioning whether the district made the right call by refusing to pay up. 

“There are circumstances where — if you’re looking at it from a question of, ‘How do you reduce potential harm and risk and danger to your school community,’ — then doing the unsavory is perhaps the correct choice,” said Doug Levin, the national director of the K12 Security Information Exchange.

Officials generally warn against paying ransoms for several reasons: Negotiating with known criminals may not produce the desired outcome, and offering payments helps finance future crimes. But in this case, Levin said the Minneapolis district was presented with a difficult choice. Even before the records were posted online, the group took extraordinary steps — including uploading a video to Vimeo — to publicize sensitive records in what appeared to be a particularly aggressive bid to coerce payment.

Given how current and diverse the stolen records are, Levin and other experts suspect Medusa infiltrated multiple live computer systems. The freshness of the files, Levin said, means their content may still be accurate and, for bad actors, actionable. 

Calling the Minneapolis breach a “worst-case scenario,” he said, “The amount of information that was taken and the recency and the scope of it is certainly deeply troubling.”

Minneapolis may be a cautionary tale for districts nationwide who have fallen prey to money-hungry ransomware gangs leveraging “double-extortion” attacks against schools, hospitals and businesses. In such incidents, which present an alarming evolution from previous strategies, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if the money doesn’t materialize, they sell the data or publish it to a leak site.

Ransomware attacks on U.S. schools have become a primary concern for federal law enforcement officials this year. In January, the federal Cybersecurity and Infrastructure Security Agency in attacks with “potentially catastrophic impacts on students, their families, teachers and administrators.” Since the pandemic forced students into remote learning, district cyber attacks have been particularly acute. The number of publicly disclosed cybersecurity incidents affecting schools grew from 400 in 2018 to more than 1,300 in 2021, according to that relies on data from Levin’s group. 

Federal law enforcement officials have had several recent victories in tracking down cybercriminals. BreachForums, a popular dark web marketplace where people could buy stolen data, was shuttered after Federal Bureau of Investigation agents in March. The capture of the 20-year-old, who authorities allege operated the forum from his parents’ Peekskill, New York, house, sent shock waves through the cybersecurity community and disrupted the global cybercrime ecosystem. In January, federal authorities took control of a prolific ransomware gang’s leak site and against seven men connected to a Russian-based ransomware group known to target schools. 

In Washington, pending introduced last month seeks to better track cyber incidents in schools and would provide $20 million over two years to help affected systems recover. 

Last year, the school district in Los Angeles, the country’s second largest, suffered a massive ransomware attack that exposed a trove of compromising information about educators, students and district contractors. In response to investigative reporting by 社区黑料, the Los Angeles district acknowledged the breach included the sensitive mental health records of at least 2,000 current and former students after publicly denying those records were exposed. Last month, data from the Rochester, Minnesota school district was breached after it that forced leaders to cancel classes. shuttered Des Moines, Iowa, schools in January. 

Swift action needed

Taken together, the leaked Minneapolis records offer a startling quantity of compromising information about students and teachers. They also include detailed records about campus security systems that school officials said could place children and educators at a heightened risk of physical danger. 

A single spreadsheet details 699 disciplinary incidents from the 2015-16 school year, listing students’ names and a brief description of incidents. One entry claimed a student was “threatening other students’ mothers,” and another claimed a student put his hands together in the shape of a gun and said “I’m bringing a gun to school tomorrow and shoot.”

Each of the spreadsheet entries contains pinpoint demographic information about individual students, including their race, gender, whether they’re in special education, if they’re homeless or are learning English as a second language.

One group of files includes letters informing disciplined students they could face trespassing charges if they show up on campus, while another includes reports of student maltreatment, including allegations a bus driver hit a student and that a teacher used excessive force.

Such records could be valuable for blackmail — and for the police. In 2020, for example, a Florida county sheriff’s office used sensitive student records to predict which ones were likely to “fall into a life of crime.” In other cases, police agencies have leaked in data breaches to conduct investigations. 

A separate group of Minneapolis records, purportedly from 2015 to earlier this year, outline nearly 300 individual district equity and civil rights investigations. 

In one case, district investigators found that over the course of several years, a boy coerced a classmate into sexual encounters in exchange for $5 and, in another case, a high school girl reported getting raped in a campus bathroom. In a detailed 2018 complaint, a high school girl accused a male classmate of raping her in a car after a home football game. Yet a district investigator ultimately dropped the complaint because the girl declined an interview and the official was “unable to ascertain her credibility based only on her written statement,” according to breached files.

In multiple complaints, educators were accused of being racist. Just last year, an English as a second language teacher at a Minneapolis high school was accused of racial harassment when she reportedly used the name of a Somali student and a cartoon of a woman wearing a hijab in a class presentation. The slide defined the idiom “to have a bone to pick” and the teacher reportedly asked the student to read to the class a description of the term with her name attached: “(redacted) never comes to class on time; she leaves class without permission, is affecting her peers, her grades and is disrespectful to her peers.”

In January, a complaint accused a high school coach of making a transphobic joke and openly discussing his genitals. While he was stretching in front of a group of female athletes, the complaint alleges, he warned them that he was wearing “very short shorts” and instructed them to “let me know if my junk falls out.”

In a case from January, the middle school English teacher accused of gazing at students’ bodies and touching them inappropriately was placed on paid administrative leave while district investigators conducted their inquiry. Investigators determined the complaint was substantiated, but the middle school’s website still lists the teacher in its staff directory. A district spokesperson did not respond to questions about whether the teacher faced disciplinary action or his current status.

Given the many ramifications, Levin said the breach demands swift action to ensure the safety of the school community and to prevent something like this from happening again. He said the Minneapolis school board — or even state authorities — need to launch a prompt investigation.

“States do intervene in school systems when they’re being financially irresponsible or even academically irresponsible,” Levin said. “It may be that Minneapolis is not equipped to deal with the fallout from an incident like this.”

]]>