Student files dumped online via criminals’ ransomware

Confidential documents stolen and released online by ransomware gangs are raw, intimate and graphic. They describe sexual assaults by students, psychiatric hospitalizations, abusive parents, absenteeism and even suicide attempts.

“Please do something,” one student pleaded in a leaked file, recalling the trauma of continually stumbling upon a former abuser at a Minneapolis school. Other patients spoke of wetting the bed or crying to fall asleep.

The full sex assault records containing those main points were among more than 300,000 files released online in March after the 36,000-student Minneapolis Public Schools refused to pay a million-dollar ransom. Other data exposed included medical records, discrimination complaints, Social Security numbers, and contact data for district employees.

Rich in digitized data, schools across the country are prime targets for large-scale hackers, who regularly locate and touch files that, not long ago, were stored on paper in locked cabinets. “In this case, everyone has a key,” said Ian Coldwater, a cybersecurity expert whose son attends one of Minneapolis’ top schools.

Districts, often cash-strapped, are incredibly ill-equipped not only to protect themselves, but also to respond diligently and transparently when attacked, especially as they struggle to help young people catch up after the pandemic and cope with shrinking budgets.

Months after the Minneapolis attack, directors failed to follow through on their promise to notify individual victims. Unlike for hospitals, no federal law requires this notification from schools.

The Associated Press has contacted the families of six academics whose sexual assault cases were exposed. A reporter’s message was the first time someone had tipped them off.

“The fact is, they didn’t tell us anything,” said a mother whose son has a record of 80 documents.

Even when schools stumble upon an ongoing ransomware attack, the data is gone. That’s what the Los Angeles Unified School District did this past Labor Day weekend, only to see the personal documents of more than 1,900 alumni, including mental tests and medical records, leaked online. It wasn’t until February that district officials revealed the full dimensions of the breach, noting the complexity of notifying victims with exposed files dating back three decades.

It turns out that the lasting legacy of ransomware attacks on schools doesn’t lie in school closures, recovery costs, or even sky-high cyber insurance premiums. It is the trauma for staff, students and parents from the online exposure of personal folders, which AP discovered on the open and dark web.

“A lot of data is published online, and no one is looking to see how bad everything is. Or, if you look, they don’t make the effects public,” said analyst Brett Callow of cybersecurity firm Emsisoft.

Other major districts recently bitten by the knowledge gap are San Diego, Des Moines and Tucson, Arizona. While the severity of those attacks is unclear, all have been criticized for being slow to admit they were attacked by ransomware or for delaying in informing patients, or both.

IN CYBERSECURITY, SCHOOLS ARE LEFT BEHIND

While other ransomware targets have hardened and segmented networks, encrypted data, and demanded multi-factor authentication, school systems have been slower to respond.

Most likely, the ransomware has affected more than five million U.S. school students. Attacks on districts will pile up this year, said analyst Allan Liska of cybersecurity company Recorded Future. according to a survey through the Center for Internet Security, a federally funded nonprofit.

“Everyone needs to go to school to be safer, but very few need to see their taxes go by for doing so,” Liska said.

Instead, parents were forced to use a limited budget for things like bilingual and new soccer helmets, said Albuquerque Schools Superintendent Scott Elder, whose district suffered a ransomware attack in January 2022.

Just 3 years ago, criminals weren’t systematically recovering ransomware attacks from knowledge, said TJ Sayers, head of cyber risk intelligence at the Center for Internet Security. Now, it’s common, he said, and much of it is sold on the dark web.

The criminals of the Minneapolis robbery were particularly aggressive. They shared links to the stolen data on Facebook, Twitter, Telegram and the dark web, which popular browsers can’t access. Cases appeared for some time on YouTube competitor Vimeo, which temporarily removed the video.

The cybercrime syndicate that attacked Los Angeles Unified was less brazen. But the 500 gigabytes it downloaded on its obscure Internet “leak site” remained freely downloadable in June. They come with money records and non-public records with social security cards and scanned passports.

According to psychologists, the public disclosure of intellectual records or sexual assaults, with the names of students, can weaken the psyche and frustrate careers. A stolen record at Los Angeles Unified described how a high school student attempted suicide and went in and out of the intellectual hospital a dozen times in a year.

The mother of a 16-year-old autistic boy recently received a letter from the San Diego Unified School District that said her daughter’s medical records may have been leaked online on Oct. 25.

“What if you don’t need the global to know you’re autistic?” asked Barbara Voit.

AT A GLANCE, THE SCOPE OF AN OFFENSE EMERGES

Minneapolis parents told the AP about leaked sexual assault court cases and said they feel doubly victimized. Their children struggled with PTSD and some even dropped out of school. Now that.

“The circle of relatives is beyond horrified to learn that this highly sensitive information is now available in perpetuity on the web for discovery by lifelong friends, romantic interests, employers and others of the child,” said Jeff Storms, an attorney for one of the families. It is AP policy not to identify victims of sexual abuse.

In the meantime, teachers should know why they want to call the district and report problems getting loose credit tracking and identity theft coverage promised after their Social Security numbers were leaked.

“Everything they’ve learned about this comes from the news,” said Greta Callahan of the Minneapolis Federation of Teachers.

Minneapolis schools spokeswoman Crystina Lugo-Beach did not say how many other people were contacted or answer additional questions from the AP about the attack.

By early April, school nurse Angie McCracken had already earned 10 alerts on her credit card indicating that her social security number and date of birth were circulating on the dark web. He questioned his 18-year-old degree. “If their identity is stolen, how complicated is my son’s life going to be?”

Despite frustration from parents and teachers, schools receive information through incident reaction groups involved about legal liability issues and rescue negotiations for greater transparency, Emsisoft’s Callow said. Minneapolis school officials allegedly followed this manual, first describing the Feb. 17 attack as a “system incident,” then as “technical difficulties,” and later as an “encryption event.”

However, the extent of the breach became clear when a ransomware organization released a video of the stolen data more than two weeks later, giving the district 10 days to pay the ransom before leaking the files.

The district has refused to pay, following instructions from the FBI, which says the ransoms inspire criminals to seek out more victims.

SCHOOLS SPEND TECHNICAL BUDGETS ON LEARNING TOOLS, NOT SECURITY

During the COVID-19 pandemic, districts have prioritized spending on web connectivity and distance learning. Security has been overlooked when IT departments have invested in software to track student engagement and performance, at the expense of privacy and security, researchers at the University of Chicago and New York University have found.

In a 2023 survey, the Consortium for School Networking, a technology-focused nonprofit, found that 16% of districts had full-time network security staff, and nearly a portion spent 2% or less of their IT budgets on security.

With a shortage of personal sector skills in cybersecurity, districts are struggling to hold on to it. Districts that rent to someone see them snatched away through corporations that can double their salaries, said Keith Krueger, executive director of the consortium.

Cybersecurity effectiveness for public schools is limited. As it stands, districts can expect tranches of the billion dollars in cybersecurity grants the federal government distributes over 4 years.

Minnesota’s leading data security officer, John Israel, said his state earned $18 million this year to be split among 3,600 other entities, adding tribal towns and governments. State lawmakers have provided an additional $22.5 million in grants for cybersecurity and physical protection in schools.

Schools also need to implement a federal program called E-Rate that is designed for broadband connections to schools and libraries. More than 1,100 more people wrote to the Federal Communications Commission after the Los Angeles Unified breach to request that E-Rate be switched to losing budget for cybersecurity. The FCC is still reviewing the application.

It’s too late for the mother of one of the Minneapolis fellows whose confidential sexual assault complaint was posted online. She almost feels “raped again.”

“All the things that are kept private,” he said, “are there. And they’ve been there for a long time.”
