New searches into the 300,000 files leaked from a February ransomware attack on Minneapolis Public Schools have uncovered highly sensitive and confidential documents — including students’ sexual assault case folios.
Other confidential documents include psychiatric hospitalizations, cases of abusive parents, truancy, and suicide attempts.
The Associated Press broke the news about the latest findings on Wednesday, describing the documents as “raw, intimate and graphic.”
The MN Public Schools, and its approximately 36,000 students, fell victim to ransomware on February 17. The malicious actors released the stolen data in March after the school district refused to pay a $1 million ransom.
The actors took a particularly vicious approach to ensure they spread the information as much as possible. They shared the contents of their hack on Facebook, Twitter, Telegram, Vimeo, and the dark web.
The incident highlighted several issues with cybersecurity in US schools and the laws on reporting data leaks to victims. Last year, a massive ransomware attack crippled the LA United School District. According to the AP, ransomware attacks on school districts are on the rise, and have likely affected over five million students across the country to date.
Kids Doubly-Victimized, Schools Unprepared for Cybersecurity Challenges
The digitization of public schools has led to many sensitive records being stored online. However, schools do not have the resources to defend themselves from modern cybersecurity challenges.
They are often unable to even inform victims about security incidents in a timely and transparent manner. The MN Public Schools system has yet to notify all the victims about the incident. Unlike hospitals, no federal law in the United States obligates schools to notify victims about data breaches. Many of the students and their parents only learned about the data leak from the press.
Parents of sexual assault victims told the AP that their kids felt doubly victimized as they’re now having to deal with their sensitive records made public in addition to their struggles.
“The family is beyond horrified to learn that this highly sensitive information is now available in perpetuity on the internet for the child’s future friends, romantic interests, employers, and others to discover,” said an attorney for one of the families, Jeff Storms.
Teachers Struggle to Receive Free Credit Monitoring and Identity Theft Protection
School teachers are another group who have suffered from the district’s failure to reach out to victims. Teachers, who also had their data leaked, have to contact the district and report their issues to receive free credit monitoring and identity theft protection.
They have questioned why it is their responsibility to do so, after having their social security numbers exposed for no fault of their own. Additional leaked data include medical records, discrimination complaints, and contact information.
A recent survey by the Consortium for School Networking states that only 16% of school districts have full-time IT staff. Furthermore, nearly half of these districts spend 2% or less of their IT budgets on cybersecurity.
Unfortunately, the issue may not just be about an unwillingness to spend. There is a shortfall of cybersecurity talent in the US private sector and schools often lose out to businesses when it comes to hiring. They simply get outbid for the talent they seek in the market.
As things stand, it appears that preventing similar incidents will require new federal laws as well as increased cybersecurity grants to schools. While an individual cannot do much to prevent cyber incidents at an organizational level, there are ways to learn about data leaks and to take action.
Recommended Reading
We recommend reading some of our resources on dark web monitoring and identity theft to help you make an informed decision about these services.
- What is dark web monitoring and do you need it?
- What is identity theft?
- LifeLock Identity Theft Monitoring Review
Additionally, you could check out our article on cybersecurity tips for students for advice on maintaining cyber hygiene and staying protected online.
