The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.
“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep.
Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Other exposed data included medical records and discrimination complaints.
Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files.
“Truth is, they didn’t notify us about anything,” said a mother whose son’s case file has 80 documents.
Even when schools catch a ransomware attack in progress, the data are typically already gone. That was what Los Angeles Unified School District did last Labor Day weekend, only to see the private paperwork of more than 1,900 former students — including psychological evaluations and medical records — leaked online. Not until February did district officials disclose the breach’s full dimensions.
On Cyber Security, Schools Have Lagged
While other ransomware targets have fortified and segmented networks, encrypting data and mandating multi-factor authentication, school systems have been slower to react.
Ransomware likely has affected well over 5 million U.S. students by now, with district attacks on track to rise this year, said analyst Allan Liska of the cybersecurity firm Recorded Future. Nearly one in three U.S. districts had been breached by the end of 2021, according to a survey by the Center for Internet Security, a federally funded nonprofit.
“The family is beyond horrified to learn that this highly sensitive information is now available in perpetuity on the internet for the child’s future friends, romantic interests, employers, and others to discover,” said Jeff Storms, an attorney for one of the families. It is AP policy not to identify sexual abuse victims.
Minneapolis Schools spokeswoman Crystina Lugo-Beach would not say how many people have been contacted so far or answer other AP questions about the attack.
Schools Spend Tech Budgets on Learning Tools, Not Security
During the COVID-19 pandemic, districts prioritized spending on internet connectivity and remote learning. Security got short shrift as IT departments invested in software to track student engagement and performance, often at the expense of privacy and safety, University of Chicago and New York University researchers found.
Cybersecurity money for public schools is limited. As it stands, districts can only expect slivers of the $1 billion in cybersecurity grants that the federal government is distributing over four years.
“All the stuff we kept private,” she said, “it’s out there. And it’s been out there for a very long time.”