Cyberattack – The 74
America's Education News Source
Thu, 18 Dec 2025 19:02:24 +0000

Opinion: Teens are Hacking School Systems. Let’s Teach Them to Protect Communities Instead
/article/teens-are-hacking-school-systems-lets-teach-them-to-protect-communities-instead/
Fri, 14 Nov 2025 13:30:00 +0000

In July, a group of teenagers hacked an educational technology company that serves thousands of school districts across the United States. Two months later, they told the company, their peers and policymakers how they did it and why it was a good thing for them, the company and our country.

No, you’re not experiencing déjà vu. No, we’re not talking about some recent cyber incidents caused by teenagers, such as the PowerSchool data breach by a 19-year-old hacker from Massachusetts in 2024 who accessed sensitive data of more than 60 million students and 10 million teachers.


Watching PowerSchool make a comeback from such an incident made it clear that organizations can no longer afford to wait for proof that weaknesses exist. Continuous testing and engaging diverse perspectives are the best ways to stay ahead. That’s why this effort that began in July was intentionally designed to make students part of the solution, not the problem — to transform the same curiosity and skill that might lead to hacking toward cyber defense. 

After all, kids have been hacking computers, systems and schools since they’ve existed — and they’ll keep doing it. The difference now is that teenage defenders can help protect against teenage attackers.

The large-scale cyber incidents by teenagers emphasize three interconnected problems facing schools and our broader society:

First, our schools are dependent on a few key technology vendors that, if hacked, could shut down school districts across the country or lead to massive breaches of sensitive student, teacher and family data.

Second, teenage hackers who are fluent English-speakers — in loosely affiliated groups that go by names like Scattered Spider, Shiny Hunters, and Lapsus — have been behind some of the biggest cyber incidents in the past few years. They’ve hacked organizations from Caesars casinos to Snowflake to Salesloft. Even giants like Google and Microsoft haven’t been spared. 

Some cyber experts have begun calling these young hackers Advanced Persistent Teenagers (or APTeens), a play on Advanced Persistent Threats (or APTs), the term used to describe sophisticated nation-state hacking groups from countries like China, Russia, Iran and North Korea. 

Ultimately, our country faces a cyber workforce challenge that most strongly impacts “target rich, cyber poor” sectors like schools, state and local governments, and small businesses that lack the funding and capacity to defend themselves against cyber threats.

With a different approach, progress can be made on all three problems — insecure tech, teenage hackers and the cyber workforce challenge — by creating an alternative pathway for teenage hackers. To make this work, edtech companies, hackers, policymakers, higher education and even high schools must provide a pathway that builds the skills the workforce needs. That includes offering the opportunity to receive immediate payment for hacking and bolstering the cybersecurity of key technologies society relies on daily.

With this in mind, in July, joined the and the to flip the APTeen challenge on its head. The goal was to promote hacking for good to secure our schools. The EdProtect Cybersecurity Research Symposium brought together teenage hackers, professional security researchers, and Skyward, a widely used edtech product, for a two-week live hacking event. 

The teenagers, college students from around the country, received support and training as they worked to find and report bugs. We know people learn best through hands-on experiences where novices can work alongside seasoned professionals and mentors, who were once teenagers too.

While live hacking events and bug bounty programs — where companies pay good-faith security researchers to find and share software bugs that can be used to hack their systems — are not new, they are rare in “target rich, cyber poor” sectors like education. 

Since the nation’s 14,000 school districts rely on the same few software vendors for their critical infrastructure, efforts like this to strengthen the cybersecurity of key vendors can have a dramatic impact for millions of students, families and teachers across the country. Furthermore, these endeavors shift the burden for managing cyber risk to the companies that are best positioned to address it.

PowerSchool Hacker ‘Thankful I Got Caught,’ Sentenced to 4 Years in Prison
/article/powerschool-hacker-thankful-i-got-caught-sentenced-to-4-years-in-prison/
Tue, 14 Oct 2025 21:30:00 +0000

Worcester, Massachusetts

Computer hacker and former college student Matthew Lane — who was a teenager when he carried out a massive cyberattack on education technology company PowerSchool — was sentenced in federal court on Tuesday to four years in prison and ordered to pay more than $14 million in restitution. 

Lane, a former Assumption University freshman who federal prosecutors described as a sophisticated and experienced cybercriminal, told a federal judge that his crimes occurred during an “extremely dark time in my life,” but acknowledged, “I deserve to be punished.” In June, Lane pleaded guilty to what is widely considered the largest exposure of private student data in history, a breach that compromised the sensitive information of some 60 million students and 10 million educators.


“I robbed actual people and their families of their sense of security,” Lane, now 20, told U.S. District Court Judge Margaret Guzman, his shaggy hair obscuring his eyebrows and the tops of his glasses, adding he was “thankful I got caught.”

Lane said he takes “full responsibility” for his crimes but that he was “disconnected from reality” while he engaged in hacking. He has since become “sober not just from drugs, but from the internet as well,” he told Guzman.

Accompanied in court by family members and several friends, Lane broke down and sobbed after learning his sentence, which includes three years of supervised release and a $25,000 fine.

He was convicted of cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers and aggravated identity theft. Federal prosecutors, who were seeking a seven-year prison term, described Lane in a sentencing memo as being motivated by greed and said the threat to PowerSchool warned, “we fully intend to destroy your company and bankrupt it to the point of no absolute return” if it didn’t meet a $2.85 million ransom demand in Bitcoin.

Lane’s sentencing concludes a yearlong cybercrime saga, which began in September 2024 when prosecutors say he hacked into PowerSchool’s computer network and transferred stolen records to a leased server in Ukraine. About three months later, PowerSchool officials received the extortion demand to prevent sensitive student and teacher data — including the Social Security numbers of children as young as 5 — from being leaked “worldwide.” 

Lane also pleaded guilty to working with an unnamed co-conspirator from Illinois to extort $200,000 from an unnamed U.S.-based wireless telecommunications company between April and May 2024 before he discussed the “need to hack another shitty company that[’]ll pay” and set his sights on PowerSchool. 

Matthew D. Lane was sentenced on federal cybercrime charges Tuesday at the federal district courthouse in Worcester, Massachusetts. (Photo: Mark Keierleber)

Guzman, who appeared sympathetic to Lane’s young age at the time he carried out multiple cyberattacks, said the case should serve as a cautionary tale to parents everywhere and expressed alarm about the “breadth and reach of technology” to commit crimes anonymously. Guzman said the challenges Lane faced as a teenager, including social isolation and struggles to fit in with his peers, made him “vulnerable to falling through the rabbit hole.” 

Guzman said society can’t go back to the days of typewriters and television sets with just five channels. But parents have placed computers in their children’s bedrooms and provided cell phones to grade schoolers without proper guardrails. Lane, she said, won’t be the last one to exhibit “bravado behind the screen of a computer.” 

Defense attorney Sean Smith asked the judge to sentence Lane to three years in prison and three years of supervised release. Smith said Lane was “very much cognizant of the seriousness” of his offenses and that he pleaded guilty and “admitted fault almost from the get-go.” 

Smith said Lane was a teenager when the cyberattacks unfolded and had no previous convictions. Letters of support submitted by family members to the court made clear Lane was “a generous, loving, patient individual,” who grappled with loneliness, depression and anxiety.

The seriousness of Lane’s actions “can’t be overstated,” said Assistant U.S. Attorney Kristen Kearney, who called his behavior “calculated.” The PowerSchool data breach has caused real harm to millions of people, she said, who now face stifled job prospects, heightened insurance costs and other harms that will follow them “for the rest of their lives.” 

Kearney noted that Lane made several efforts to conceal his identity and avoid detection and was financially motivated: He desired designer clothes and jewelry, she said, and to “host parties at extravagant Airbnbs.” 

Lane “did not make a teenage mistake” or get “mixed up with the wrong crowd,” she argued, but carried out “carefully planned attacks” for financial gain. Personal statements that put Lane in a positive light, she said, showed he was living “a double life.” In the online world, she said, digital chat messages included racial slurs, antisemitism and threats of sexual violence. 

The prosecutor challenged Lane’s request for a three-year prison sentence, arguing that other cybercriminals could see it as the cost of doing business if they have millions of dollars in cryptocurrency waiting for them after their release. Lane returned about $160,000 to the government, according to a sentencing memo released last week, but roughly $3 million remains unaccounted for. 

Kearney also disputed Smith’s assertion that Lane was a first-time offender at the time of the PowerSchool breach, despite his absence of a criminal record. Last week, federal officials accused him of carrying out at least eight cyberattacks dating back to at least 2021 when he was still in high school.

Prosecutors said the PowerSchool attack resulted in more than $14 million in damages, including the ransom payment and identity theft services for the students and teachers who were victimized. 

In a statement to The 74 on Tuesday, PowerSchool said it “appreciates the efforts of the prosecutors and law enforcement who brought this individual to justice” and that the company remains focused on “supporting our school partners and safeguarding student, family and educator data.”

After the sentencing hearing, a tearful Lane, who wasn’t immediately taken into custody, was embraced by friends and family members. 

“I’m sorry, guys,” he said to four friends outside the courtroom, exchanging hugs and handshakes before getting into an elevator. “I love you guys.”

Pennsylvania Teachers Union Members Sue After Cyberattack Exposes Personal Data
/article/pennsylvania-teachers-union-members-sue-after-cyberattack-exposes-personal-data/
Mon, 07 Apr 2025 14:30:00 +0000

Members of the Pennsylvania State Education Association have filed multiple class-action lawsuits against the union after a cyberattack compromised the personal information of more than a half-million people.

Three union members filed suit in March, just days after the union announced a data breach had occurred on July 6, 2024.

A union investigation into the incident, completed Feb. 18, found that an “unauthorized actor” gained access to records like Social Security numbers, bank account numbers, birthdates and taxpayer identification information.


The Rhysida ransomware gang claimed on its dark web site in September that it had carried out the cyberattack.

The union refused to comment on how widespread the attack was, but a data breach tracker maintained by the said 517,487 people were affected.

The suits allege the union failed “to properly secure and safeguard private information that was entrusted to them” and that those affected — including the relatives of members — will suffer financial losses and lost time detecting and preventing identity theft. 

Educators must provide personal information to the union to receive its benefits, according to the lawsuits. 

The plaintiffs also allege that the union waited too long to announce the data breach. were sent out on March 17, a month after the union’s investigation was finished.

“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union said in the notification letter.

The attack occurred on computer systems that needed security upgrades, the lawsuits allege. Two of the plaintiffs have reportedly experienced increased numbers of spam calls and emails.

“[The union] failed to properly monitor the computer network and systems that housed the private information,” one lawsuit says. “Had [the union] properly monitored its computer network and systems, it would have discovered the massive intrusion sooner rather than allowing cybercriminals almost a month of unimpeded access.”

The union, which represents 178,000 members, said in a previous statement that it isn’t aware of identity theft connected to the breach. It did not respond to a request for comment from The 74 about the lawsuits.

The plaintiffs are seeking compensatory damages and want the court to order the union to pay for at least 10 years of credit monitoring services for those affected. Motions were filed in a Pennsylvania district court Tuesday to consolidate the lawsuits into one class-action case.

Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
/article/kept-in-the-dark-inside-the-somerset-mass-school-cyberattack/
Mon, 10 Mar 2025 16:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts. 

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers. 

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by The 74 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 


The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000. 

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers. 

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by The 74 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment. 

The district didn’t respond to requests for comment for this story. 

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed. 

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.” 

Negotiations with the threat actor are among files obtained by The 74 through a public records request (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help. 

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024. 

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event. 

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.” 

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. The 74 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened? 

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants. 

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment. 

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers. 

Trump’s ICE Plan Sows ‘Chaos and Fear’ in Schools
/article/trumps-ice-plan-sows-chaos-and-fear-in-schools/
Sat, 08 Mar 2025 13:30:00 +0000

School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

As President Donald Trump reportedly mulls an executive order to eliminate the Education Department, the federal government’s role could shift from ensuring children have equal educational opportunities to making it easier to deport them. 

One closely watched avenue where that could happen is allowing immigration enforcement in schools. Trump last month barring federal agents from conducting raids in sensitive locations like churches, hospitals and schools. 

Los Angeles students walk out of class on Feb. 4 in protest of President Donald Trump’s immigration agenda. (Photo by Sarah Reingewirtz/MediaNews Group/Los Angeles Daily News/Getty Images)

A protest Thursday against the administration targeting schools in its mass deportation pledge was sparked in part by claims that last month was precipitated by rampant classroom bullying, with the student’s peers claiming the Texas girl’s family was undocumented and would get deported.

“The presence of immigration enforcement in our classrooms will not make schools safer, it will actually do the opposite,” Alejandra Gonzalez Rizo, an eighth-grade teacher in Washington, D.C., and a former DACA recipient, said during a Thursday press call organized by two advocacy groups, United We Dream Action and The Immigration Hub. “It will create chaos and fear, forcing students and teachers to look over their shoulders instead of focusing on learning.” 

 

The big picture: To date, I’m not aware of any cases during Trump’s second term where immigration officials carried out enforcement actions inside a school. Advocates warned of a greater fallout to come. 

  • School police in Texas have opened an investigation into Jocelynn’s death.
  • Now you see it, now you don’t: The Trump administration implemented — then walked back just days later — an order that sidelined a federal program that allows nonprofits to provide legal representation to undocumented children who are in the country without their parents.
    • The young migrants, called unaccompanied minors, have become a central target in Trump’s immigration crackdown.
    • Prohibiting ICE activities at or near schools or bus stops “could significantly limit immigration enforcement in Denver,” the Trump administration said in response to a lawsuit from the city’s school district seeking to prevent an end to the sensitive locations policy.
    • In February, a federal judge blocked immigration officials from conducting raids and arrests at a handful of churches and places of worship that sued to halt the policy shift. Trump’s directive, the judge ordered, likely denied religious freedoms protected by the First Amendment.

    Emboldened states: Decades ago, the Supreme Court ruled that all children in the U.S. are entitled to a free public education regardless of their immigration status. Conservative state officials want that to change — with lawmakers in Tennessee, Oklahoma, Indiana and Texas introducing bills to bar undocumented kids from classrooms.

    The Pinellas County, Florida, police department has reportedly applied for a federal program that deputizes local officers with immigration enforcement powers.

    • On Thursday, Pinellas school officials said they would cooperate with ICE but would stop short of instructing its officers to work alongside federal immigration agents.

    Departing gifts: From soccer balls to handwritten letters, educators across the country have been giving heartfelt mementos to multilingual learners whose families have chosen to leave their schools and their homes rather than risk scrutiny from immigration agents. | The 74


    In the news

    R.I.P. ED? Trump is expected to sign an executive order as early as today calling for an end to the Department of Education, throwing into uncertainty an agency that enforces federal civil rights laws and distributes financial support to low-income schools and students with disabilities. But here’s the thing: The department was created by Congress — and bringing down a federal agency will take a lot more than a few scribbles on a piece of paper.

    Now you see it, now you don’t (again): The department appeared to walk back a controversial order that threatened to strip federal funding from schools with diversity, equity and inclusion policies. | The 74

    • In response to the original order, some educators said they had no intention of playing along. In Long Beach, California, for example, school officials moved forward with plans to open the Center of Black Student Excellence despite federal pressure. | The 74
    • In a lawsuit Wednesday, the ACLU and the nation’s largest teachers union alleged Trump’s anti-DEI order stifled educators’ free speech rights.

    In a first-in-the-nation move, Iowa Gov. Kim Reynolds has signed a law that strips state anti-discrimination protections from transgender and nonbinary students.

    A lawsuit has accused a former security guard at a Milwaukee private school of secretly recording underage girls in a campus locker room.

    • More from Milwaukee: City officials approved a $1.6 million plan to station police officers in public schools — more than 400 days after a state law went into effect requiring cops on campuses.

    The Senate failed to pass legislation that sought to bar transgender students from participating in school athletics programs consistent with their gender identity. | The 74

    Free from gun-free zones: A new Wyoming law has banned “gun-free zones” in schools and other public spaces.


    Kept in the Dark

    For a recent investigation for The 74 and Wired, I fell down a dark web rabbit hole and chronicled more than 300 school cyberattacks in the last five years — and revealed the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. 

    This week, I highlighted my investigation into a ransomware attack on the Providence, Rhode Island, school district — where educators denied a massive student data breach in plain sight. 

    As a result of that 18-month-long investigation, I was interviewed last week on KARE 11, the NBC affiliate in Minnesota’s Twin Cities. Public records I obtained from Minneapolis Public Schools uncovered sharp disparities in what district leaders told the FBI after a 2023 data breach and what it communicated to the public. You can watch the newscast .


    Emotional support

    Oh hey, springtime, is that you? The 74 editor Andrew Brownstein’s pup Sagan is already out in the yard waiting for longer, warmer days. 

    Kept in the Dark: Inside the Providence Schools Ransomware Attack
    /article/kept-in-the-dark-inside-the-providence-schools-ransomware-attack/
    Mon, 03 Mar 2025 11:30:00 +0000

    Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive ransomware attack on the Providence, Rhode Island school district.

    After the Providence, Rhode Island, school district fell victim to a September 2024 cyberattack by the Medusa ransomware gang, school officials said an ongoing investigation found “no evidence that any personal information for students has been impacted.” 


    An investigation by The 74, including a review of stolen files captured in the 217-gigabyte leak, indicates otherwise. Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories were posted online after Providence Public Schools did not pay the cybercriminals’ $1 million ransom demand. 

    The district’s failure to acknowledge that students’ records had been exposed — even after being informed otherwise by The 74 — means that parents and students were likely unaware that their private affairs had entered the public domain. 

    In October 2024, Providence schools notified 12,000 current and former employees that their personal information, such as their names, addresses and Social Security numbers, had been compromised. But the letter never makes mention of students’ sensitive records. 

    In response to The 74’s findings in mid-October 2024, a district spokesperson didn’t acknowledge that students’ sensitive information was compromised. He said the district “has been able to confirm that some [of its] files” were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.” 

    Meanwhile, in an unsolicited phone call to The 74, a state education department spokesperson appeared to contradict that, saying “no one had actually gone in to see the files.” 

    Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/The 74).

    Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.” 

    A single spreadsheet lists the names of some 20,000 students and their demographic information, including disability status, home addresses, contact information and parents’ names. Another contains information about their race and the languages spoken at home.

    A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents reveals a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.” 

    A Providence Public School District student’s vaccine record. The 74 cropped the photo above to remove the student’s name. (Screenshot)

    In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

    Following an investigation published by The 74 and in October, the district to families acknowledging that students’ personal information, such as vaccine records and special education details, were exposed in the attack.

    In response to an inquiry from The 74, a district spokesperson said in a November statement that educators remain “committed to transparency and the security of personal information.”

    “During these types of incidents, districts typically start with limited information on what occurred and then gain more information over the course of the investigation,” the statement continues. “As we navigated the initial uncertainty of the situation, PPSD prioritized taking real-time action and communicating with all stakeholders as we gathered more information.”

    Kept in the Dark: Inside the St. Landry Parish Schools Ransomware Attack /article/kept-in-the-dark-inside-the-st-landry-parish-schools-ransomware-attack/ Mon, 24 Feb 2025 11:30:00 +0000 /?post_type=article&p=740335 Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana.

    The school district in Louisiana’s St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack — long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general’s office. 

    A December 2023 investigation by The 74 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack. 


    Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status.

    Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online. 

    “They want to brush everything under the rug,” said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. “The districts don’t want bad publicity.”

    Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary. 

    After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district’s supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws. 

    The front entrance of the St. Landry Parish School Board’s central office. (The Acadiana Advocate)

    “We never received reports of the actual information that was obtained,” she said in November 2023. “All of that is under investigation. We have not received anything in regards to that investigation.” 

    Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general’s office was on the phone with the district, questioning them “directly in response to the article” and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal. 

    Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark.

    Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

    School board attorney Courtney Joiner responded a day later to the attorney general’s office, saying they were working “to address the notice issue without further delay.”

    In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their “sensitive information may have been obtained by an unknown malicious third-party,” records show. Officials didn’t send a formal notice to the AG’s office until Jan. 10, 2024.

    Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter “well after the fact” she and her colleagues had been victimized. 

    “I really thought it was too little, too late,” she told reporters. “This should have happened much earlier.” 

    School officials couldn’t be reached for comment for this story.

    This story was supported by a grant from the Fund for Investigative Journalism.

    Kept in the Dark: Inside the Minneapolis Schools Cyberattack /article/kept-in-the-dark-inside-the-minneapolis-schools-cyberattack/ Mon, 17 Feb 2025 13:30:00 +0000 /?post_type=article&p=740123 Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

    Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened. 


    The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin. 

    Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by The 74 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.” 

    The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security. 

    Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports. 

    Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter. 

    The district didn’t respond to requests for comment.

    As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

    An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by The 74. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack. 

    “The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.  

    A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by The 74 through a public records request, provides an early account of the incident. (Screenshot)

    Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly. 

    “Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to The 74’s request for comment.

    Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions. 

    The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.” 

    Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

    In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by The 74, include confidential and highly sensitive records about individual students and teachers. 

    It wasn’t until September 2023 — seven months after the attack — that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.

    “Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

    As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    This story was supported by a grant from the Fund for Investigative Journalism.

    Cyberattacks: How Schools Cover Up Data Breaches /article/cyberattacks-how-schools-cover-up-data-breaches/ Mon, 10 Feb 2025 19:01:49 +0000 /?post_type=article&p=739756
    Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks /article/kept-in-the-dark-inside-a-trio-of-los-angeles-school-cyberattacks/ Mon, 10 Feb 2025 13:30:00 +0000 /?post_type=article&p=739724 Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about America’s second-largest school district. 

    The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online. 

    Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view. 


    The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records. 

    Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.” 

    Los Angeles schools Superintendent Alberto Carvalho (Getty Images)

    “We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses. 

    An investigation by The 74 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web. 

    In a statement to The 74, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”

    Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told The 74. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.  

    “It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”

    While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022 that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records. 

    Carl Petersen, who served on the committee at the time, told The 74 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities. 

    “At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,’” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate. 

    In January 2023 — four months after the attack — L.A. school officials acknowledged in that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised . 

    The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.” 

    The 74 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure. 

    A week after it was discovered, the school board to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.” 

    ‘Shared with the world’

    In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.

    Homeland Security Secretary Alejandro Mayorkas, Education Secretary Miguel Cardona, and First Lady Jill Biden depart a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

    “If we want to safeguard our children’s futures, we must protect their personal data,” she said at the first-ever K-12 cybersecurity summit. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

    Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”  

    Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.

    “I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online. 

    As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen. 

    An inspector general’s office audit highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online. 

    The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs.

    Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.” 

    The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.” 

    One district, three breaches

    Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected. 

    Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag. 

    The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised. 

    The district denied a public records request by The 74 seeking information related to the incident, saying that certain files were protected by attorney-client privilege. 

    The incident doesn’t appear in a California attorney general’s office database of data breaches.

    This story was supported by a grant from the Fund for Investigative Journalism.

    The Story Behind the Story: How I Investigated More Than 300 Cyberattacks /article/the-story-behind-the-story-how-i-investigated-more-than-300-cyberattacks/ Sat, 08 Feb 2025 13:30:00 +0000 /?post_type=article&p=739707 School (in)Security is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.

    It was October 2022 when Los Angeles schools Superintendent Alberto Carvalho made a false assurance about a massive ransomware attack on the country’s second-largest school district — and the leak of thousands of highly sensitive student mental health records — that set me off.

    Published reports that the breach exposed students’ psychological evaluations, Carvalho said, were “absolutely incorrect.” The dark web proved otherwise: On a shady corner of the internet, I revealed, hackers used the detailed, very confidential records about Los Angeles children as leverage in a sick ploy for money. After my story ran, L.A. schools acknowledged publicly that some 2,000 student psych evals were indeed exposed by the Vice Society ransomware gang. 

    And so began my descent down the rabbit hole, marking the early days of an in-depth investigation I published Tuesday and supported by a grant from the .

    What I found is that as educators take steps to protect themselves, their school districts and their reputations after cyberattacks, they employ a pervasive pattern of obfuscation that leaves students, parents and teachers — the real victims of the hacks and subsequent data breaches — in the dark.

    I spent a year (OK, more than a year) learning everything I could about more than 300 K-12 school cyberattacks since the pandemic pushed students into online learning and educators became lucrative targets for hackers. I reconfigured a crappy old laptop to track ransomware gangs on the dark web and to analyze the reams of sensitive files published to their sketchy leak sites. I obtained thousands of public records from more than two dozen school districts. I used the government procurement database GovSpend to uncover school spending after attacks, including ransom payments made to cyberthieves in Bitcoin. I scoured news reports, state data breach disclosures and district websites for public confirmations and, oftentimes, denials — sometimes even after their students’ and employees’ personal information had already been published. 

    My reporting documented that educators routinely offered incomplete, misleading or downright inaccurate information about cyberattacks — and the risks that subsequent data breaches pose to students, parents and teachers for identity theft, fraud and other forms of online exploitation. 

    The hollowness in schools’ messaging and the mechanisms that leave school communities clueless are no coincidence. Staring down a cyberattack and the prospect of being sued over the leak of sensitive information, school leaders turn to insurance companies, consultants and privacy lawyers to steer “privileged investigations,” which keep key details hidden from the public. Often contacted before the police, the paid consultants who arrive in the wake of a cyberattack are portrayed to the public as an encouraging sign, trained to handle the bad actors and restore learning.

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them. 

    School cybersecurity expert Doug Levin had this to say about our investigation: “For institutions whose mission is to lift up and protect children and youth, it is unconscionable that they are incentivized to cover up the criminal acts perpetrated against them by malicious foreign actors.”

    K-12 cyberattacks in focus: Now you can fall down the school cyberattack rabbit hole, too! Use our new search feature to read about how incidents unfolded in your own community, complete with investigative reveals you won’t want to miss. 

    Emotional support

    This story was brought to you with invaluable editing and guidance from The 74’s Kathy Moore.

    And Matilda.

    Kept in the Dark: Meet the Hired Guns Who Ensure School Cyberattacks Stay Hidden /article/kept-in-the-dark/ Tue, 04 Feb 2025 09:01:00 +0000 /?post_type=article&p=736756

    This article is published in partnership with

    Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by The 74 shows. 

    An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations,” which keep key details hidden from the public. 

    In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

    Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

    The hollowness in schools’ messaging is no coincidence. 

    That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

    The attorneys, often employed by just a handful of law firms — by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

    The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

    Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

    In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

    Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

    “There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told The 74. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


    When breaches go unspoken

    The 74’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

    Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

    The 74 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

    Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

    In many instances, The 74 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

    Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, The 74 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

    Education leaders who responded to The 74’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

    In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

    Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

    “But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

    “All right, well, negotiation is over,” Levin said. “You need to come clean."

    Records obtained by The 74, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

    Confidentiality is king

    The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

    This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

    The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

    Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

    The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

    “Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by The 74 through a public records request. School districts routinely denied The 74’s requests for cyberattack information on the very same grounds of attorney-client privilege.

    Records obtained by The 74 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

    In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

    Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

    During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

    “What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

    It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

    “Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked The 74. 

    Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

    Vaguely worded breach notification letters to victims serve more to confuse than inform, she said. 

    “The wording in notices is disheartening,” Strauss told The 74. “It’s almost like revictimization.”

    Who’s in charge

    Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

    In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

    “ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

    The district called it “irregular activity” instead. 

    In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet The 74 identified instances where police took a secondary role.

    In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

    In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

    Biden's Deputy National Security Advisor Anne Neuberger,  writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.” 

    “This is a troubling practice that must end,” she wrote.

    Records obtained by The 74 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

    If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

    But he was quick to defer to the district and its lawyers.

    William Tedford, now the Somerset police chief. (Facebook)

    “There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

    While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

    “The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told The 74. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.” 

    Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

    Many districts told The 74 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by The 74 — one where the public did not learn what had fully happened until long after the attack.

    When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

    Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

    Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

    When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

    Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

    “In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

    District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

    Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

    Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

    He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

    “We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told The 74. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

    The breach coach

    Breach notices and other incident response records obtained by The 74 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

    Some call him a breach coach. He calls himself a “quarterback.” 

    After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

    When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

    “It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

    He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

    “While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

    A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

    “We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

    Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

    For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

    Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

    In his , Schwarcz writes that  the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

    Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

    Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

    Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. The 74 redacted the students' faces. (Screenshot)

    Who gets hurt

    School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

    Yet files obtained by The 74 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

    Hackers have leveraged these files, in particular, to coerce payments. 

    In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

    “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by The 74. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

    The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

    “It’s not just that you have a leak of the information,” Citron told The 74. “But the leak then leads to online abuse and torment.”

    Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

    In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

    Blood in the water

    Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

    that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

    It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

    “It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

    By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

    about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

    The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974. 

    A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

    The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, the notices have grown so common that some see them as little more than junk mail.

    Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told The 74 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

    It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

    “Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

    Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for The 74.

    This story was supported by a grant from the Fund for Investigative Journalism.

    ]]>

    This article is published in partnership with

    Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by The 74 shows. 

    An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

    In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

    Ransomware gangs that target schools, including Rhysida, upload stolen files to leak sites on the dark web to coerce payments from their targets. (Screenshot)

    The hollowness in schools’ messaging is no coincidence. 

    That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

    The attorneys, often employed by just a handful of law firms —&Բ;ܲ  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

    The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

    Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

    In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

    Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

    “There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told The 74. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”


    When breaches go unspoken

    The 74’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

    Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

    The 74 tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

    Threat actors use ransom notes to intimidate school officials into making payments, such as this one to Alaska educators after a 2023 attack. (Screenshot)

    In many instances, The 74 relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

    Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, The 74 could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

    Education leaders who responded to The 74’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

    In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

    Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

    “But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

    “All right, well, negotiation is over,” Levin said. “You need to come clean."

    Records obtained by The 74, including from a 2020 school district cyberattack in Somerset, Massachusetts, show that third-party consultants help craft educators' public messaging about cyberattacks. (Screenshot)

    Confidentiality is king

    The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

    This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

    But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

    The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

    Tseʼ Yiʼ Gai High School, Gallup-McKinley County School District (Steven Baltakatei Sandoval/Wikipedia)

    The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

    “Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by The 74 through a public records request. School districts routinely denied The 74’s requests for cyberattack information on the very same grounds of attorney-client privilege.

    Records obtained by The 74 reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

    In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

    Sweetwater Union High School District headquarters (Mmrubio/Wikipedia)

    During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

    “What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining how the breach occurred and who “recommended the deceitful description.”

    It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

    “Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked The 74. 

    Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

    Vaguely worded breach notification letters to victims serve more to confuse than inform, she said.

    “The wording in notices is disheartening,” Strauss told The 74. “It’s almost like revictimization.”

    Who’s in charge

    Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey.

    In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

    “ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote.

    The district called it “irregular activity” instead. 

    In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet The 74 identified instances where police took a secondary role.

    In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

    In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

    Biden's Deputy National Security Advisor Anne Neuberger, writing in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.”

    “This is a troubling practice that must end,” she wrote.

    Records obtained by The 74 show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

    If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

    But he was quick to defer to the district and its lawyers.

    William Tedford, now the Somerset police chief. (Facebook)

    “There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

    While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

    “The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told The 74. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.” 

    Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

    Many districts told The 74 that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by The 74 — one where the public did not learn what had fully happened until long after the attack.

    When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

    Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

    Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

    One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

    When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

    Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

    “In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

    District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

    Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

    Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

    He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

    “We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told The 74. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

    The breach coach

    Breach notices and other incident response records obtained by The 74 show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

    Some call him a breach coach. He calls himself a “quarterback.” 

    After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy — including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

    When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

    “It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

    He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

    “While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

    A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

    “We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

    Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

    For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

    Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

    In his , Schwarcz writes that the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector.

    Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

    Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

    Threat actors uploaded campus security records from the Lumberton, Texas, school district to the dark web in 2023 after educators did not pay their ransom demand. The 74 redacted the students' faces. (Screenshot)

    Who gets hurt

    School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

    Yet files obtained by The 74 show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

    Hackers have leveraged these files, in particular, to coerce payments. 

    In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

    “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by The 74. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

    The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

    “It’s not just that you have a leak of the information,” Citron told The 74. “But the leak then leads to online abuse and torment.”

    Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

    In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

    Blood in the water

    Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

    that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

    It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

    “It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

    By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

    about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

    The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students’ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974.

    A ransom note delivered to the Albuquerque, New Mexico, school district after a 2022 attack lays out the threat actor's demands. (Screenshot)

    The patchwork of data breach notices is often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.

    Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told The 74 he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

    It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

    “Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

    Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for The 74.

    This story was supported by a grant from the Fund for Investigative Journalism.

    PowerSchool Got Hacked. Now What?
    /article/powerschool-got-hacked-now-what/ Sat, 18 Jan 2025 13:30:00 +0000

    Were you a current or former student in the last few decades? Or a parent? Or an educator?

    If so, your sensitive data — like Social Security numbers and medical records — . Their target was education technology behemoth PowerSchool, which provides a centralized system for reams of student data to damn near every school in America.

    Given the cyberattack’s high stakes and its potential to harm millions of current and former students, I teamed up Wednesday with Doug Levin of the  to moderate a timely webinar about what happened, who was affected — and the steps school districts must take to keep their communities safe.


    Concern about the PowerSchool breach is clearly high: Some 600 people tuned into the live event at one point and pummeled Levin and panelists Wesley Lombardo, technology director at Tennessee’s Maryville City Schools; Mark Racine, co-founder of RootED Solutions; and Amelia Vance, president of the Public Interest Privacy Center, with questions. 

    PowerSchool declined our invitation to participate but sent a statement, saying it is “working to complete our investigation of the incident and [is] coordinating with districts and schools to provide more information and resources (including credit monitoring or identity protection services if applicable) as it becomes available.”

    The individual or group who hacked the ed tech giant has yet to be publicly identified.

    Asked and answered: Why have the company’s security safeguards faced widespread scrutiny? What steps should parents take to keep their kids’ data secure? Will anyone be held accountable?


    In the news

    Oklahoma schools Superintendent Ryan Walters, who says undocumented immigrants have placed “severe financial and operational strain” on schools in his state, proposed rules requiring parents to show proof of citizenship or legal immigration status when enrolling their kids — a proposal that not only violates federal law, but is likely to keep some parents from sending their children to school.

    • Not playing along: Leaders of the state’s two largest school districts — Oklahoma City and Tulsa — rebuked the proposal and said they would not collect students’ immigration information. Educators nationwide fear the incoming Trump administration could carry out arrests on campuses.

    • Walters filed a $474 million federal lawsuit this week alleging immigration enforcement officials mismanaged the U.S.-Mexico border, leading to “skyrocketing costs” for Oklahoma schools required “to accommodate an influx of non-citizen students.”

    • Timely resource guide: With ramped-up immigration enforcement on the horizon — and with many schools already sharing student information with ICE — here are the steps school administrators must take to comply with longstanding privacy and civil rights laws.


    A federal judge in Kentucky struck down the Biden administration’s Title IX rules that enshrined civil rights protections for LGBTQ+ students in schools, siding with several conservative state attorneys general who argued that harassment of transgender students based on their gender identity doesn’t constitute sex discrimination. 

    Fires throw L.A. schools into chaos: As fatal wildfires rage in California, the students and families of America’s second-largest school district have had their lives thrown into disarray. Schools serving thousands of students were badly damaged or destroyed. Many children have lost their homes. Hundreds of kids whose schools burned down returned to makeshift classrooms Wednesday after losing “their whole lifestyle in a matter of hours.”

    • At least seven public schools in Los Angeles that were destroyed, damaged or threatened by flames will remain closed, along with campuses in other districts.

    Has TikTok’s time run out? With a national ban looming for the popular social media app, many teens say they’re ready to move on (and have already flocked to a replacement).

    Instagram and Facebook parent company Meta restricted LGBTQ+-related content from teens’ accounts for months under its so-called sensitive content policy until the effort was exposed by journalist Taylor Lorenz.

    Students’ lunch boxes sit in a locker at California’s Marquez Charter Elementary School, which was destroyed by the Palisades fire on Jan. 7. (Photo by Justin Sullivan/Getty Images)

    The Federal Communications Commission on Thursday announced the participants in a $200 million pilot program to help schools and libraries bolster their cybersecurity defenses. They include 645 schools and districts and 50 libraries.

    Scholastic falls to “furry” hackers: The education and publishing giant that brought us Harry Potter has fallen victim to a cyberattacker, who reportedly stole the records of some 8 million people. In an added twist, the culprit gave a shout-out to “the puppygirl hacker polycule,” an apparent reference to a hacker dating group interested in human-like animal characters.

    • Dig deeper: Here’s how AI is being used by cybercriminals to rob schools.

      Not just in New Jersey: In a new survey, nearly a quarter of teachers said their schools are patrolled by drones and a third said their schools have surveillance cameras with facial recognition capabilities.

      The number of teens abstaining from drugs, alcohol and tobacco use has hit record highs, with experts calling the latest data unprecedented and unexpected.




      Emotional Support

      New pup just dropped.

      Meet Woodford, who, at just 9 weeks, has already aged like a fine bourbon. I’m told that Woody — and the duck, obviously — have come under the good care of 74 reporter Linda Jacobson’s daughter.

      Trump’s School (in)Security Agenda: How the Next President Could Roll Back Students’ Rights /article/trumps-school-insecurity-agenda-how-the-next-president-could-roll-back-students-rights/ Sat, 16 Nov 2024 13:30:00 +0000 /?post_type=article&p=735462 Trump’s back — and so, too, is the president-elect’s influence on policies that affect the safety and well-being of America’s students.

      Then-President Donald Trump speaks at a roundtable event in December 2018, where officials unveiled recommendations of a Federal Commission on School Safety created in the aftermath of the Valentine’s Day mass school shooting in Parkland, Florida. (Photo by Jabin Botsford/The Washington Post via Getty Images)

      From gun-toting math teachers to federal rules that decide which bathroom a kid can use, the student safety and civil rights issues that are central to the School (in)Security newsletter could be in for some major changes. 

      Here are 11:

      • The return of an architect of the family separation immigration policy during the first Trump administration.
      • An effort to end the constitutional right of citizenship for children born in the U.S. regardless of their parents’ immigration or citizenship status.
      • A rollback of civil rights and anti-discrimination protections for transgender students.
      • A shakeup at the federal government’s primary cybersecurity agency, which has taken a leading role in school cyberattack prevention.
      • Efforts to unwind bipartisan firearm restrictions approved in 2022 following the mass shooting at Robb Elementary School in Uvalde, Texas.
      • Policies that address school violence through a renewed focus on suspensions and “hardening schools” with measures like campus-based police and metal detectors.
      • Efforts to strengthen protections for students accused of sexual misconduct.
      • A promise to eliminate the U.S. Department of Education — and the potential return of policies enacted during the first Trump administration that scaled back investigations into discrimination based on students’ race, sex or religion.
      • A vice president who said school shootings — which have surged exponentially in the last decade — are a “fact of life” and that schools are “soft targets” if you are a “psycho and you want to make headlines.”
      • Efforts to reform anti-discrimination rules to remove “disparate impact” liability, including for racial disparities in school discipline.
      • Efforts to eliminate federal funds for schools that recognize students’ transgender identities and grant equal access to bathrooms and locker rooms.


      In the news

      Of a dozen candidates endorsed by the Leaders We Deserve political action committee created by school shooting survivor David Hogg, five landed victories on Nov. 5 and seven were defeated. (Eamonn Fitzmaurice/The74)

      To school shooting survivor David Hogg, Democrats’ failure to motivate voters rests on the shoulders of one constituency above all: Boomers. I recently profiled , a well-financed political action committee designed to elevate Gen Z and millennial progressives. Here’s how they fared on Nov. 5.

      Notorious swatter confesses: An 18-year-old from California has pleaded guilty to making 375 swatting calls throughout the U.S., including false police reports of school shootings and bombings.

      Federal authorities indicted two suspected cybercriminals accused of breaking into a cloud computing platform and exposing the data of major corporations and the Los Angeles school district.

      A federal judge has temporarily halted a new Louisiana law that would require public schools to display the Ten Commandments in classrooms.

      A drop in the bucket: The Federal Communications Commission said demand for a $200 million school cybersecurity pilot program far exceeded its capacity, with 2,734 applications requesting a total of $3.7 billion.

      Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/The 74).

      The Providence, Rhode Island, school district acknowledged in a letter to families that a recent cyberattack compromised sensitive student information — but only after I published  into the extent of the breach.

      ‘A culture of bullying:’ Federal authorities have opened a civil rights investigation into a New Jersey school district where school resource officers are accused of failing to protect an 11-year-old student from harassment before she died by suicide last year.

      The 28-year-old athletics director of a New York school district has been arrested in an extortion case, accused of demanding that a 17-year-old student send him sexual photos over Snapchat under a threat of exposing personal information about the minor. 




      Emotional Support

      George, the four-legged companion of education consultant David Irwin, found the perfect lobster costume for Halloween a decade ago and hasn’t looked back.

      Ƶ District Stumbles After Cyberattack /article/providence-schools-hit-by-cyberattack-yet-to-address-student-victims/ Wed, 30 Oct 2024 18:50:08 +0000 /?post_type=article&p=734827
      Providence Students’ Data Exposed in Cyberattack — District Denies Leak /article/providence-students-sensitive-data-exposed-in-cyberattack-district-denies-leak/ Fri, 18 Oct 2024 10:30:00 +0000 /?post_type=article&p=734352 Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories are readily available online after the Providence, Rhode Island, school district fell victim to a cyberattack last month. 

      A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by The 74 revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist. 

      Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records, and district spokesperson Jay Wégimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

      An analysis by The 74 of the stolen files — posted by the threat actors to the messaging platform Telegram  — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students. 

      In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.” 

      Providence Public School District documents leaked after a data breach and redacted by The 74. (Screenshot).

      In a statement to The 74 on Wednesday, Wégimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.” 

      Wégimont’s statement doesn’t acknowledge that students’ records had been compromised. 

      The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told The 74.

      “People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.” 

      The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

      Javier Montañez

      Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials. 

      It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday. 

      “No one had actually gone in to see the files,” he told The 74, although the district had said it was conducting an ongoing analysis. 

      Providence Public School District documents leaked after a data breach and redacted by The 74. (screenshot)

      The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said. 

      Thousands of students impacted

      Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.” 

      A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

      A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.” 

      In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

      A Providence Public School District student’s vaccine record. The 74 cropped the photo above to remove the student’s name. (Screenshot)

      Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

      While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

      The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

      Medusa’s many tentacles 

      The Medusa attack and Providence’s response is similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

      In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by The 74 and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office. 

      The Providence district records available on Telegram are extensive, totaling more than  337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown. 

      Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw. 

      Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records. 

      “While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

      Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

      This story was supported by a grant from the Fund for Investigative Journalism.

      Alabama Department of Education Targeted In Cyberattack /article/alabama-department-of-education-targeted-in-cyberattack/ Thu, 11 Jul 2024 12:30:00 +0000 /?post_type=article&p=729638 This article was originally published in

      Alabama State Schools Superintendent Eric Mackey said Wednesday that the Alabama State Department of Education’s computer systems had been breached last month, and that students and employees of the department may have been affected.

      Speaking at a press conference in Montgomery, Mackey said the breach took place on June 17. According to Mackey, the department’s staff interrupted and stopped the attack.

      Mackey said that there “was no question” that it was a denial of service attack to encrypt and steal data so they need to be paid off, but said officials were “still assessing exactly which data were taken.”




      “What I would say is that to all parents, and all local and state education employees out there, they should monitor their credit, they should assume that there’s a possibility that some of their data were compromised,” he said.

      Mackey said that the department does not keep direct deposit information.

      “We do have information about which data possibly could be taken because we’re able to look and see which servers they were not able to get to in the time they were in there,” he said.

      A foreign agent may have been involved, Mackey said, but he said that he could not provide more information.

      “I shouldn’t say I’m not aware,” he said. “I’m not able to answer that.”

      According to a statement from the department, the Alabama Attorney General, the Alabama Office of Information Technology and an independent contractor are working with the department to strengthen the cyber defenses and identify which data may have been compromised.

      The statement said notification will be made to relevant parties in full compliance with laws and best practices.

      The Department has launched a dedicated landing site – – and questions and comments can be sent to databreach@alsde.edu.

      Mackey said that their websites will be down for “critical updates” beginning at 5 p.m. Wednesday evening for several hours.

      is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Alabama Reflector maintains editorial independence. Contact Editor Brian Lyman for questions: info@alabamareflector.com. Follow Alabama Reflector on and .

      School (in)Security Newsletter: Selling Stolen LAUSD Data; Parkland HS Leveled /article/the-school-insecurity-newsletter-hackers-hawk-stolen-lausd-files-parkland-hs-demolished-swatter-sentenced/ Sun, 16 Jun 2024 17:01:00 +0000 /?post_type=article&p=728497 This is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber. Sign up below.


      Last week, I set out to write a quick news hit on the  — a pilot program that will pump $200 million toward next-gen firewalls and other tools.

      But that’s when things got weird. 

      I came upon a new listing on a notorious dark web forum — the Amazon for stolen data, if you will — that offered millions of files purportedly stolen from the Los Angeles Unified School District for a thousand bucks.

      LAUSD officials said they’re investigating the anonymous threat actor’s claims and a threat intelligence executive told me the district must carry out a full incident response to verify if the files are real.

      Or new. 

      It isn’t déjà vu: America’s second-largest school district fell victim to a massive ransomware attack in 2022. Thousands of students’ mental health records and other sensitive files found their way to the dark web. It’s possible that the LAUSD data got a facelift of its own, with the same data repackaged to make a quick buck. 

      Read more about the latest LAUSD incident — and about the FCC’s new effort to thwart similar attacks nationally — here. 


      In the news

      Today in Florida, workers are set to demolish the Marjory Stoneman Douglas High School building where a gunman killed 17 people in a 2018 rampage.

      Relatives of 17 children killed during the 2022 school shooting in Uvalde, Texas, have sued state law enforcement officers who waited 77 minutes before confronting the gunman at Robb Elementary School.

      Special report: Through an unprecedented trove of dispatch call data for 852 California school addresses, reporters offer a rare look at “the vast presence of police in schools.” A third of calls “were about serious incidents that reasonably required a police presence.”

      New York lawmakers approved landmark rules that ban social media companies from using “addictive” algorithms to customize children’s feeds. Here’s a strong rundown on how the rules work.

      Eamonn Fitzmaurice / The 74 / iStock / U.S. Army Materiel Command

      SWATted down: A Washington man has been sentenced to three years in prison for calling in hoax police reports in more than 20 states, including inciting false school shooting panic, leading to frantic lockdowns and massive police responses.

      First they came for the books. Next they came for the books about book bans.

      A new program in Illinois to help low-income families pay for the funeral costs of children killed by guns was designed to ease grief and financial burdens. After a year, just two families have been compensated.

      Prioritizing ‘profit over the wellbeing and safety of children’: Residential treatment companies that provide behavioral health services have put children at risk of sexual abuse and dangerous physical restraints, a new Senate committee report argues.

      First comes marriage, then comes homeroom: Missouri lawmakers failed to pass legislation that sought to prevent anyone under 18 years old from getting married, keeping in place the state’s minimum age of 16.

      A Tennessee school district where officials failed to prevent rampant racist bullying against a Black student will overhaul its anti-harassment procedures after reaching a settlement agreement with the Justice Department. Federal investigators found the student’s classmates passed around a drawing of a Ku Klux Klansman, added him to a bigoted group chat and sold him to white peers in a mock “slave auction.”

      New York City school bathrooms could soon have “vape sensors” following a court settlement with tobacco company Juul that’ll direct $27 million to the city’s schools to combat youth vaping.


      Research & advocacy

      ‘New Jim Code’: Federal officials have failed to deter the civil rights harms that artificial intelligence in schools poses to students of color, a new report argues.

      Getty Images

      DACA recipients are more likely than migrants without deportation safeguards to ask the police for help, suggesting the program increases engagement with police and reduces fear among crime victims.





      Emotional support

      I promised you a new pup. I bring you a new pup. 

      Sinead, editor Kathy Moore’s new emotional support companion, surveys her domain. 

      Louisiana School District Notifies Data Breach Victims After News Investigation /article/louisiana-data-breach/ Wed, 29 May 2024 10:30:00 +0000 /?post_type=article&p=727667 This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

      Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months — long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General’s Office to contact the district and warn school officials of their obligations. 

      The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request. 




      They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general’s office was on the phone to the school district. The attorney, focused on consumer protection, questioned them “directly in response to the article,” one email states.

      The Dec. 4 investigation, co-published by The Advocate and The 74, contradicted school district assertions that no sensitive student, employee or business owners’ information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months. 

      L. Christopher Styron, the lawyer with the state attorney general’s office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry’s data breach response obligations under state law — rules that school officials had failed to follow.

      Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

      The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers it alerted victims that their information had been compromised. It’s unclear how many victims among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach. 

      The school board’s attorney Courtney Joiner wrote in a response email to Styron a day later that he was “working with the School Board to address the notice issue without further delay.” 

      In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that “sensitive information may have been obtained by an unknown malicious third-party,” according to the records. Officials didn’t send a formal notice to the attorney general’s office until Jan. 10, a day after The Advocate filed its public records request.

      Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail “well after the fact” that she had been victimized. 

      “I really thought it was too little, too late,” she said. “This should have happened much earlier.”

      Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

      It took the district 149 days after the breach to tell victims they “may have been impacted by the incident” and another 19 to formally notify the attorney general. 

      The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

      Officials with the school board declined to answer any questions for this story. A list of written questions was submitted but officials had yet to respond by the time of publication. The attorney general’s office didn’t respond to interview requests.

      St. Landry’s response resembles that of school districts across the country, investigative reporting by The 74 has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat’s impact on students and teachers, education leaders nationwide have sought to downplay the attacks’ severity and obscure any subsequent harm to individuals.

      James Lee, the chief operating officer of California-based said the delay by St. Landry officials is “reflective of a problem we have” nationally where cyberattack victims have grown increasingly resistant to filing breach notices. 

      “In many instances, it’s because the decision to issue a notice resides 100% with the organization that loses control of the information,” Lee said. “Highlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they’re at risk.” 

      ‘For reasons that are unknown’

      In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn’t contain any sensitive employee or student information.

      But The 74’s data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status. 

      Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

      In its letter to the AG’s office, the district stated that the stolen files had been “recovered.” However, a check by The 74 last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don’t pay to keep them private. 

      Superintendent Batiste wrote in that Jan. 10 notice that the district’s computer network had been encrypted by “a malicious person or group” in July but that St. Landry had never received a ransom demand. 

      Yet, among the cache of district documents available on Telegram is a text file titled “LOOK!!!!,” which includes a link to Medusa’s dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa’s Telegram channel and to a website designed to resemble a technology news blog — a front of sorts — with a video highlighting the St. Landry records in its possession. 

      It was in August 2023 that the Louisiana State Police Cyber Crime Unit notified school officials that “an unknown number of files containing sensitive information” had been compromised, the letter states. That same month, Batiste had assured the public otherwise.

      Files posted to a Medusa leak site “were recovered by the Cyber Crime Unit” with the state police, Batiste’s letter continues, “but, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6” — two days after the newspaper investigation published. 

      ‘How do you recover it?’

      The cybercriminals behind the St. Landry breach employed “double extortion,” a growing ransomware strategy where hackers break into a victim’s computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet. 

      In asserting to reporters last year that the Medusa hack didn’t lead to a breach of sensitive information — despite overwhelming evidence that it had — district officials acknowledged they hadn’t taken any steps to understand the scope of what was stolen or to notify individual victims. 

      Byron Wimberly, the district’s computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools — even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information. 

      Tricia Fontenot, the district’s supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all. 

      “We never received reports of the actual information that was obtained,” Fontenot said. “All of that is under investigation. We have not received anything in regard to that investigation.”

      Fontenot’s statement contradicts Batiste’s timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20. 

      Reached by phone last week, Fontenot declined to comment.

      The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by “an unknown malicious” threat actor but isn’t explicit to recipients about whether their information was included.

      It remains unclear how many of the thousands of data breach victims identified in the news outlets’ investigation — including teachers, staff, students and sales tax filers from across the country — received the Dec. 21 notice. 

      The data breach letter states that victims were being notified months after the incident because “the process of obtaining and then reviewing the acquired files took several months.”

      “We are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,” the letter states, acknowledging that stolen information contains individuals’ names, addresses, birth dates, Social Security numbers and driver’s licenses. 

      Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

      Louisiana’s data breach notification law doesn’t apply to some types of sensitive files exposed in the breach, such as student disciplinary records. 

      School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn’t exist and state requirements vary. 

      School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

      “In fact, I don’t think I’ve ever heard of that kind of arrangement,” he said. “Most organizations do hire their own cybersecurity experts whether it’s a school district or it’s a nonprofit or a commercial entity.” 

      Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

      While the district offered a year of credit monitoring — a common practice after entities suffer data breaches — Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever. 

      “How do you recover it once it’s out there?” she said. “Do you tell the people who got it illegally that you have to take it down and hope they do?”

      This story was supported by a grant from the Fund for Investigative Journalism

      ]]>
      Leaked Active School Shooter Plans Revive Scrutiny of Ed Tech Privacy Pledge /article/leaked-active-school-shooter-plans-revive-scrutiny-of-ed-tech-privacy-pledge-2/ Fri, 02 Feb 2024 11:01:00 +0000 /?post_type=article&p=721486 A security lapse at a leading school safety company that exposed millions of sensitive records online — including districts’ active-shooter response plans, students’ medical records and court documents about child abuse — has revived criticism that an industry student privacy pledge fails to police bad actors.

      In response to an inquiry by The 74, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after records maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data.

      “We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

      Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

      Texas-based Raptor, which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear “unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.

      Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

      Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

      vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

      The situation could have grown far more dire without Fowler’s audit. 

      “The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with The 74. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

      David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

      “Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

      ‘Maybe this is a pattern’

      Raptor is currently among more than 400 companies that have signed the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.

      Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of students’ personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.”

      Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company says that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks.

      Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

      Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

      Countering Raptor’s claims that data were encrypted, Fowler told The 74 the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

      Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

      Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

      A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

      “How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

      State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

      Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

      Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by The 74 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

      “I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,’” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.’”

      ‘Sweep it under the rug’

      The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

      The forum’s decision to remove Illuminate followed an article in The 74, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

      The pledge, created in 2014 by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, places restrictions on the ways ed tech companies can use the data they collect about K-12 students.

      Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

      “Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told The 74 at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information and to “comply with applicable laws,” including New York’s “explicit data encryption requirement.”

      After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

      Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided The 74 didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

      Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

      “Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,’” he said. “A pledge is just like, ‘whoops, our bad,’ a little bit of bad press and you just sweep it under the rug and move on.”

      Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

      Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

      “Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

      Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and The 74.

      ]]>
      Louisiana District Failed to Notify Thousands of Leaked Info After Cyberattack /article/thousands-of-louisiana-teachers-and-students-had-their-information-leaked-after-cyberattack-but-were-never-notified/ Mon, 04 Dec 2023 11:01:00 +0000 /?post_type=article&p=718545 This story was produced in partnership with The Acadiana Advocate, a Louisiana-based newsroom.

      It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

      Now, she’s left to wonder whether the two are connected. 

      Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by The 74 and The Acadiana Advocate revealed. The reporting included a data analysis by The 74 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 


      The district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but an analysis of the stolen files tells a different story.

      Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

      The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

      “They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

      The front entrance of the St. Landry Parish School Board’s central office. (Photo via The Acadiana Advocate)

      Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

      A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

      and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered. 

      Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

      The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

      In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays. 

      Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

      Spreadsheets that listed St. Landry Parish students with their personal information were uploaded to Telegram following the cyberattack. (Screenshot)

      As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of the California-based Identity Theft Resource Center, said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

      “Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

      ‘Double extortion’

      Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

      The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

      The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

      Superintendent Milton Batiste III (Brad Kemp/The Acadiana Advocate)

      A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

      The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

      Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

      One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fear she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach.

      “If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.” 

      She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

      District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

      Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

      “We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

      The board, Fontenot said, decided to “trust the process.”

      As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try to apprehend the cybercriminals, not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, which often hire cybersecurity consultants to help carry out those complex tasks.

      Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

      “You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

      However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

      The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

      Records leaked following the St. Landry Parish School Board hack include sensitive information for thousands of current and former teachers, along with information about their children. (Screenshot)

      The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

      Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

      Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

      Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes. 

      Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

      An income tax return is among the thousands of sensitive files uploaded to the internet after a cyberattack hit the St. Landry Parish School Board. (Screenshot)

      Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.” 

      “I feel like I should have gotten a more formal notification about this,” Lyons said.

      ‘A soft target’

      The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

      Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

      It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

      While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

      “Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.” 

      Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

      “They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

      “It’s a question of them throwing their fishing hook in the barrel … and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.” 

      When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

      ‘A cause of action’

      Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

      “I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

      The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

      The school district has a duty to protect any private information it collects, Edwards said, and is both legally and ethically obligated to notify breach victims. 

      About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

      Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

      Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

      ‘The hacker of today’

      People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

      “It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

      Birth certificates and other personal files were uploaded to the internet in the wake of a cyberattack on the St. Landry Parish School Board. (Screenshot)

      It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

      A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

      The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never set foot in St. Landry Parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

      Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

      But St. Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

      “That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

      “But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

      This story was supported by a grant from the Fund for Investigative Journalism.

      Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone

      Wed, 08 Nov 2023 11:15:00 +0000

      It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met. 

      “I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep. 

      “Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”


      Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

      “I put my child on the bus and then immediately called the district,” Hecht told The 74. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

      The Clark County threat actors claim their in-your-face tactics, which apparently involve direct outreach not just to parents but also to media outlets, are already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records. 

      Schools nationwide rely heavily on Google Workspace to create and share records, and the methods the hacker used to exploit district systems offer valuable lessons for all of them, a cybersecurity expert said. 

      “This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, who said the attack is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

      Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

      For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

      Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

      When contacted by The 74, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement. 

      Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with The 74, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores. 

      In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.” 

      Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own, saying that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.” 

      A hack with TikTok origins

      Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

      In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage. 

      For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform. 

      Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files. 

      “Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”

      Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.” 

      The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

      Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

      Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public. 

      “It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.” 

      Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.” 

      He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing. 

      In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack. 

      With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level. 

      Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told The 74. She said the student’s email address was used to send four emails, which were then deleted. 

      “We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.” 

      Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said. 

      “Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.” 

      Reputational damage

      For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

      In 2021, of numerous news reports when she contracted COVID and never recovered. 

      Brandi Hecht

      “The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators. 

      “I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

      Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.” 

      “We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told The 74.

      Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

      In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

      “As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said. 

      The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.” 

      Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

      “It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”

      How Ed Tech Tools Track Kids Online — and Why Parents Should Care

      Fri, 22 Sep 2023 11:15:00 +0000

      As technology becomes more and more ingrained in education — and as students become increasingly concerned about how their personal information is being collected and used — startling new research shows how schools have given for-profit tech companies a massive data portal into young people’s everyday lives. 

      , led by researchers at the University of Chicago and New York University, highlights how the scramble to adopt new technologies in schools has served to create an $85 billion industry with significant data security risks for teachers, parents and students. The issue has become particularly pervasive since the pandemic forced students nationwide into remote, online learning. 

      Students’ sensitive information is increasingly leaked online following high-profile ransomware attacks and user data monetization is a key business strategy for tech companies, including those that serve the education market, like Google. Yet student privacy is rarely a top consideration when teachers adopt new digital tools, researchers learned in interviews with district technology officials. In fact, schools routinely lack the resources and know-how to assess potential vulnerabilities.


      Such a reality could spell trouble: In an analysis of education technologies widely used or endorsed by districts nationwide, researchers discovered privacy risks abound. The analysis relied on , a privacy inspector tool created by the nonprofit news website The Markup which scours websites to uncover data-sharing practices. Those include the use of cookies that track user behaviors to deliver personalized advertisements. Analyzed education tools, they found, make “extensive use of tracking technologies” with potential privacy implications. 

      Most alarming to the researchers were the 7.4% that used “session recorders,” a type of tracker that documents a user’s every move. 

      “Anyone visiting those sites would have their entire session captured which includes information such as which links they clicked on, what images they hovered over and even data entered into fields but not submitted,” the report notes. “This could include data that users might otherwise consider private such as the autofilling of saved user credentials or social network data.” 

      The 74 caught up with report co-author Jake Chanenson, a University of Chicago Ph.D. student, to gain insight into the report’s findings and to understand why he believes that parents and students should be concerned about how ed tech companies collect, store and use their personal data. 

      The conversation has been edited for length and clarity. 

      Why did remote learning pique your interest in digital privacy and what are the primary implications that worry you? 

      Remote learning can be done well but we all had to get to it very quickly without a plan because we all suddenly got thrown at home because of the global pandemic. Suddenly schools had to scramble and find new solutions to reach their students, to educate their students, without being able to test the field, to think critically about it. They really were, with shoestring and gum, trying to keep their classes together. 

      Whether you were in school, whether you were at work, whether you were at neither and still just trying to keep in touch with your friends, you were using anything that came your way because that’s what you had to do. I found that really interesting — and a bit concerning. It’s no one’s fault because we don’t understand the ramifications of these technologies and now that we’ve used them a lot of them are here to stay. 

      I don’t want to sound like some sort of demonizing figure saying that all tech is bad — that is certainly not the case. It’s merely the fact that sometimes these promises are oversold, and now we have this added element of data privacy. 

      When you interact with any of these platforms, tons and tons of student data — from how you interact with it, how well you do on their assignments, when you do it, if you’re a chronic procrastinator, if you’re always getting your work done, if you seem more interested in your art class than your math class. These are all data points collected by these companies and I wanted to know, ‘What is it they’re collecting? What are they doing with it,’ and, specifically for this study, ‘What are schools thinking about in this space if anything at all?’

      This study took a two-pronged approach. You conducted surveys with experts in this space and then used technology to identify information that folks might not be aware of. Let’s discuss the surveys first. How did the school administrators and district technology officials you interviewed view privacy issues? 

      Lots of them knew that something wasn’t quite up to snuff in their security and privacy practices. 

      The best security and privacy practices that I saw in these school districts were entirely because someone, usually in the IT department, had an independent interest in student privacy. They were going above and beyond what their job descriptions required because they cared about the students. 

      That’s not to imply that school officials don’t care about the kids — they care about them very much — but they’re so busy making sure the lights are on and making sure there are teachers for the classrooms, dealing with discipline issues, dealing with staffing concerns. They’re not necessarily focused on data privacy and security. 

      Your research takes a unique approach to show the real-world impacts of education technology on student privacy. You identify that some of these tools raise significant privacy implications. How did you go about that?

      We looked at the online websites of educational sites and tried to understand, what are the privacy risks here? What we found is that 7.4% of all these websites had a session recorder, which records everything you do when you’re interacting with a web page. How long you hovered over a certain element, how often you scrolled, what you clicked on and what you didn’t click on. 

      That’s a scary amount of data collection for something that’s normally an education site. On top of that we found a high prevalence of cookies and other types of trackers that were being sent to third-parties, basically advertising networks, that were taking that data to track these students across the web. As a student, even while I’m doing my work, they’re creating an ad profile of me that not only encompasses who I am as a consumer in my spare time, but who I am as a student inside of school for this more comprehensive picture of who I am to sell me ads. 

      That could be upsetting to somebody who thinks that what I’m doing in school is only the business of me and the teacher, my parents and the principal. 

      Why would an education technology company use a session recorder? 

      We were able to identify that these trackers, like session recorders, were running on these websites, but we don’t have any idea what they’re recording, which is a project that we’re currently working on and trying to understand. 

      I can’t make any well-grounded assumptions to what this is being used for, whether it be nefarious or benign. It’s not uncommon for a session recorder to be used for diagnostic information for a technology company if they want to understand how their users use a site so they can improve it. That’s a legitimate use of one of these session recorders, but without knowing what data they collect, it could be that they’re collecting data that isn’t strictly relevant to improving the service or are over-collecting data in the guise of improving the service and retaining it for future use. 

      There are, of course, but I won’t speculate on that because I don’t have definitive proof that’s what’s happening. 

      Why should people care about districts’ technology procurements? School districts are using a huge swath of digital tools, some from Google and some from tiny tech companies. If school leaders aren’t putting privacy at the forefront of deciding which tools to use, what concerning outcomes can come from that? 

      There are several concerning outcomes, the first being that the data these companies collect don’t necessarily sit on their servers. They sometimes are sold to third parties. Some companies state third parties ambiguously and others list out who they are selling it to and why. 

      Just on a normative basis, I think that what you do in the classroom shouldn’t be harvested and sold, especially when many of these companies are raking in somewhere between five- and seven-figure contracts to license this technology. It’s not like they don’t have other sources of income, but the things they can take from students can be incredibly alarming: Information about socioemotional behavior, so if I act out in school, if I am in trouble for something that’s happening at home or I’m bullying another student, that data is collected by a specific service and that data is held somewhere. And of course, when you hold data, it’s a security risk. 

      There was a big breach in New York City where hundreds of thousands of students had their personal information leaked because a company was holding onto all of this data. It was leaked to hackers who got that data and can do who knows what with it. That’s a huge privacy violation. Some of the things they stole in that particular breach were names, birthdays and standard things you can use to commit identity fraud, which is a problem. But it can also be more sensitive stuff, such as [special education] accommodation lists or if you qualify for free lunch. There’s stuff about disability or your economic status, stuff that is all collected by these ed tech companies and held somewhere. 

      Learning management systems have incredible amounts of metadata. ‘Are you someone who procrastinates and only finishes an assignment one minute before it’s due? Did you do it early? Are you someone who didn’t do the reading but showed up to class anyway? Are you someone who took 10 times to get this quiz right or did it only take you one time?’ 

      These data are recorded and are available for teachers to see, but because teachers can see it, it’s sitting on a server somewhere. 

      Because they’re being stored somewhere and they are not being deleted regularly and these companies are not following data minimization principles, it’s a potential privacy risk for these students should another breach happen, which we’ve seen happen again and again and again. 

      Breaches have affected sensitive student information. In her book Danielle Citron argues for federal rules that would protect intimate privacy as a civil right. Why are such rules needed and how would they work in an educational context? 

      There are certain types of information, like nonconsensual disclosures of intimate images, so-called revenge porn. I think you can make a straight analogy for student data. Just as there should be a zone of intimate privacy around your personal intimate life, your sexuality, whatever else, we should have a similar zone around your educational life. 

      Education is a space where students should be able to learn and make mistakes, and if you cannot make those mistakes without being recorded, then that can have repercussions for you later. If you’re not perfect on your first try and someone gets a hold of that, I could see that affecting your college admissions or that could affect an employment record. If I am someone who wants to hire you and I have a list of every student in a school that turns in their assignments early and all of these people were either habitually late or always procrastinating then obviously I’m going to be more interested in hiring the worker that turned stuff in early. But what that list might not tell you is that it was one data point in eighth grade and that one of those students when they were in high school finally got on top of their executive dysfunction and started turning things in on time. 

      It’s ultimately nobody’s business how you do in the classroom. You have final grades, but those fine-grained data are nobody else’s business but yours and the teacher’s. You have a safe space to learn and grow and make mistakes in the educational environment and to not be penalized for them outside of that classroom.

      ]]>
      It’s Back to School for Cyber Gangs, Too
      /article/its-back-to-school-for-cyber-gangs-too/ Thu, 14 Sep 2023 11:15:00 +0000 /?post_type=article&p=714614

      As a new academic year begins, a school district in an affluent Washington, D.C., suburb is rolling out stringent security measures, including metal detectors and a clear backpack mandate, to keep danger from entering its buildings. 

      Yet even before the first class started, the 133,000-student district in Prince George’s County, Maryland, faced an assault on its security — one carried out completely online. 

      Rather than barge through the front entrance of a school, threat actors appeared to break in through a backdoor in the district’s computer network. The mid-August intrusion meant the high-performing school system — among the nation’s 20 largest — joined a growing list of school district ransomware victims, another proof point that the education sector is now a primary target of cyber gangs. 


      “Schools have this delicious trove of data and do not have the same protections” as banks and other for-profit businesses, said Jake Chanenson, lead author of a recent University of Chicago report on school district cyber risks. 

      In the case of Prince George’s County Public Schools, the attack appeared to enter its final stage on Tuesday when the Rhysida gang posted to its leak site a collection of data it purportedly stole nearly a month ago. A cursory review of the files suggests they date back two decades. 

      Data purportedly stolen from the school district in Prince George’s County, Maryland, was uploaded to the Rhysida ransomware gang’s dark web leak site Tuesday after the school system fell victim to a cyberattack. (Screenshot)

      The back-to-school season, already a particularly busy period for school technology leaders, has become a prime time for district ransomware attacks, according to cybersecurity experts. In August alone, ransomware gangs claimed new attacks on 11 K-12 school systems, according to an analysis by The 74 of the cyber groups’ dark web leak sites. Among them are three New Jersey districts, two in Washington state, a Denver charter school network and a district in remote Alaska. Several additional districts have disclosed cyberattacks since the start of the new year, including news of a breach last week against Florida’s Hillsborough County Public Schools, the seventh-largest district in the U.S. 

      In Chambersburg, Pennsylvania, district officials said for three days in just the second week of the academic year. 

      At the Lower Yukon School District in Alaska, technology director Joshua Walton said a hack and subsequent data breach by the burgeoning ransomware gang NoEscape was first initiated in late July, before the fall semester began. 

      “Your confidential documents, personal data and sensitive info has been downloaded,” the group wrote in a ransom note obtained by The 74. “Published information will be seen by your colleagues, competitors, lawyers, media and the whole world.” 

      Educators with the Lower Yukon School District received this ransom note after NoEscape threat actors carried out a ransomware attack on the school system this summer. (Screenshot)

      Ultimately, the district refused to pay the group’s $300,000 ransom demand, leading to a small data breach that doesn’t appear to include sensitive information about educators or students. Rather, an analysis of the leak suggests stolen files center primarily on campus maintenance work. 

      Previous data breaches following district ransomware attacks, such as the ones in Los Angeles and Minneapolis, have led to widespread disclosure of sensitive information, including student psychological evaluations, reports of campus rape cases, student discipline records, closely guarded files on campus security, employees’ financial records and copies of government-issued identification cards. 

      Though Walton was confident that similarly sensitive records had not been stored on the breached computer server, he told The 74 the Lower Yukon hack could have been far more disruptive had it been carried out just a few weeks later. Instead, they had a few remaining weeks of summer to restore their systems before their returned. 

      “It was an inconvenience for sure, but I’ve seen a lot of data breaches over the years and ours is nothing comparable,” Walton said. “I couldn’t imagine that happening when school starts because we’re all rushing to get all of the support tickets taken care of and making sure that school is starting off on the right foot. If it would have happened then, it would have been a whole different ball game.” 

      This year, the return-to-school season kicked off with a warning from federal law enforcement about the growing threat that cyberattacks pose for school districts. During a cybersecurity summit at the White House in early August, federal officials warned the coming months could be particularly volatile. Harm isn’t limited to victim districts but rather encompasses their employees, students and families whose sensitive records, including financial information, are vulnerable to data breaches. 

      With “Social Security numbers and medical records stolen and shared online,” such attacks have left “classroom technology paralyzed and lessons ended,” First Lady Jill Biden said. “So if we want to safeguard our children’s futures, we must protect their personal data.”

      There isn’t any hard data on the frequency that ransomware groups exploit back-to-school season compared to other times, said Doug Levin, the national director of the K12 Security Information eXchange. He said it’s also difficult to identify when attacks first begin, with threat actors sometimes infiltrating district servers months before the ransomware attack is initiated. That said, the existing evidence suggests about a quarter of cyber incidents affecting school districts appear to occur during those first few weeks and months of school. He said the chaos of getting technology into students’ hands and setting them up with new online accounts creates an ideal opportunity for criminals to catch district tech officials off guard. 

      “With all of these new devices being deployed with all sorts of new tools and applications coming online, I certainly have heard reports of upticks in against school districts already,” Levin said. “It’s definitely a time where you know people are more likely to make mistakes.”

      Similar concerns were included in by the New Jersey Cybersecurity and Communications Integration Cell, where officials warned that cybercriminals routinely exploit holiday breaks to target schools. 

      “Threat actors take advantage of this pastime when staff is away or just prior to busy seasons, such as the beginning of the school year, long weekends or before the end of a marking period when final grades are due,” the warning notes. “Within the last few weeks, publicly announced ransomware attacks sharply increased.”

      The Rhysida ransomware gang’s extortion efforts against the school district in Prince George’s County, Maryland, were “temporarily suspended” for several days, suggesting that negotiations were ongoing. (Screenshot)

      ‘Exclusive, unique and impressive’

      Following a common ransomware playbook in Prince George’s County, the Rhysida gang claimed the theft of sensitive documents, posting screenshots online showing birth certificates, passports and other records purportedly stolen from the district. Unless the district agreed to pay the group 15 bitcoin worth some $375,000, Rhysida threatened to publish the “exclusive, unique and impressive” data on its leak site. 

      Such negotiations appeared to expire by Tuesday morning: A trove of files purportedly stolen from the district were published to the cyber group’s leak site, suggesting education leaders had refused to pay the ransom. The development comes after a ticker on the gang’s leak site, meant to signify the district’s approaching ransom payment deadline, was paused or delayed on several occasions. 

      A day after the district detected the breach on Aug. 14, it said in a statement that some 4,500 user accounts out of 180,000 were affected, forcing district employees to reset their passwords. Impacted individuals, the district said, “will be contacted in the coming days.” 

      The school system is “offering free credit monitoring and identity protections to all staff,” district spokesperson Meghan Gebreselassie said in an email Tuesday morning but declined to comment further. In a Sept. 1 update, the district said staff, students and their families would receive a year of free credit monitoring and identity protection services, acknowledging the attack “may result in unauthorized disclosure of personal information.” 

      “We are working diligently to confirm the extent of information that was impacted by this incident, and we will move quickly to provide direct notice to those who are impacted once this determination is made,” the statement says.

      Yet special education advocate Ronnetta Stanley said the Prince George’s district hasn’t done enough to keep the community in the loop about the attack and its potential effects on students and parents. The types of information that may have been breached, she told The 74, “has not been clearly communicated.” Special education records, which have been exposed in previous attacks like the one against the Los Angeles Unified School District near the start of the 2022-23 school year, could be at risk in Prince George’s County, she fears.

      “There have not been any specific details about exactly what was breached, who may have been affected by it and, then what is the remedy for what should be happening with compromising information?” said Stanley, founder of the special education advocacy group “Not knowing what was leaked and who was affected, it’s difficult to say what the ramifications will be.” 

      The by the University of Chicago researchers found that district leaders are frequently unaware of the peril that cyber gangs pose, often implement education technology tools without considering privacy implications and routinely endorse digital tools that present potential privacy issues. While banks and large corporations have become harder targets as they bolster their cybersecurity defenses, schools have fallen behind, said lead author Chanenson, a doctoral student studying computer science. 

      “This is only going to get worse,” he said, “until we give schools the resources they need to up their defensive game.” 

      Ransomware’s long tail

      Among the school districts listed on ransomware gang leak sites in August is the one in Edmonds, Washington — a development that for locals may feel like déjà vu. The Akira group named Edmonds as being among its latest victims on Aug. 24, just six months after district officials announced that a “data event” was to blame for a two-week internet blackout in late January. 

      Data stolen in the winter 2023 breach, the district warned in February, could include names, Social Security numbers, student records, financial information and medical documents. The district is still analyzing the extent of the attack and plans to notify affected individuals once their review is finalized, district spokesperson Harmony Weinberg said in a Sept. 8 email to The 74. 

      It’s unclear, however, whether the district was victimized a second time this summer, a development officials deny. Cybercriminals routinely target victims on multiple occasions — especially those that pay ransoms to retrieve stolen files. In Edmonds, the district recently became “aware of a public allegation by the group believed to be responsible for our winter 2023 data security incident,” Weinberg said. 

      “We reviewed the district’s network systems in relation to this data security incident, and found no evidence that any systems were infected with ransomware,” Weinberg continued. “Further, we are not aware of any malicious activity occurring within our network systems since the winter 2023 event.” 

      The school district in Edmonds, Washington, was recently listed on a cyber crime gang’s leak site, but the school system denies it was the victim of a recent ransomware scheme. (Screenshot)

      Meanwhile, the Los Angeles and Minneapolis school districts continue to grapple with the fallout from cyberattacks that crippled their systems last school year and led to the widespread data breaches of sensitive records about students and educators. After the Los Angeles district was targeted in a back-to-school ransomware attack over Labor Day weekend last year, the nation’s second-largest school system kicked off this school year by announcing to bolster its cybersecurity defenses. 

      Seven months after Minneapolis Public Schools fell target to a cyberattack that it euphemistically called an “encryption event,” tens of thousands of individual victims are just beginning to learn their sensitive records were compromised as community members blast education officials for leaving them in the dark about key details. 

      On numerous occasions over the last several months, educators have complained to district officials that they were being targeted by fraudsters, obtained by The Daily Dot. “I had my bank account drained last week and had $3 to my name,” one person wrote in an email to Minneapolis schools. Another individual reported getting hit with a fraudulent $2,500 charge on a credit card, while parents reported receiving emails from unverified senders related to their children’s college financial aid. 

      In a Sept. 1 update on the Minneapolis district website, said school officials undertook a “time-intensive” review to determine what information had been stolen, which included names, Social Security numbers, financial information and medical records. 

      “Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential,” the district notice notes. Meanwhile, by the law firm Mullen Coughlin stated that the district had provided written notices to more than 105,000 people whose personal information had gotten caught up in the attack. 

      The documents were Minneapolis Public Schools’s first public comments on the attack since April 11.  

      Such disclosures often fall short in providing victims enough information to keep themselves safe, said Marshini Chetty, a University of Chicago associate professor focused on privacy and cybersecurity. 

      “Disclosure is not enough because people may not fully realize what could actually happen and how their data can be misused,” Chetty said. While victim districts routinely offer credit monitoring and other tools to mitigate financial crimes and fraud, she said it’s more challenging to remedy situations where sensitive information, like medical records or student disciplinary records, are disclosed. 

      “A lot of times schools are reactive rather than proactive,” she said. If district leaders aren’t doing enough to protect the data from being stolen in the first place, “then it’s almost too late.”

      ]]>
      Iowa Community Colleges Allocate Time, Money to Combat Cybersecurity Threats
      /article/iowa-community-colleges-allocate-time-money-to-combat-cybersecurity-threats/ Fri, 25 Aug 2023 13:30:00 +0000 /?post_type=article&p=713755

      This article was originally published in

      Des Moines Area Community College is a harder target for cyberattacks and scams than it used to be, President Rob Denson said, but it takes constant effort and vigilance to stay that way.

      He and his staff will receive fake attachments, fraudulent messages from people claiming to be coworkers and applicants with intentions of taking financial aid and running rather than attending classes almost every day, despite best efforts to head them off.

      “Threat actors are always looking for you to let down your guard,” he said.


      In efforts to keep campus safe, some Iowa community colleges are having to put increasingly more time, manpower and money toward cybersecurity efforts.

      Aaron Warner, CEO of cybersecurity company ProCircular, said community colleges are targets for bad actors because they house a lot of sensitive information, their student populations see continuous turnover, and they’re made to be as accessible as possible.

      The often-chaotic time just before school starts is also utilized by cybercriminals, as faculty and staff are busier and less likely to catch suspicious emails or other activities.

      “It’s an unfortunate byproduct of the fact that they’re a community organization,” Warner said. “They are designed to interact as best as possible with the community. Bad guys take advantage of that.”

      When the COVID-19 pandemic forced employees to work from home, Warner said the opportunities to conduct cyberattacks expanded. Gone was the castle-and-moat style of keeping sensitive information on one secure network as data was transferred onto home computers and laptops. The risk of a successful cyberattack or intrusion didn’t so much rise as become more distributed, he said.

      DMACC and Iowa Central Community College have already faced in real time what ProCircular simulates for training — a breach in cybersecurity. Iowa Central Community College was hacked in 2018, and DMACC saw a breach in 2021.

      Both colleges amped up security efforts in response, which they still keep up today.

      Colleges work to stop ‘ghost student’ scam

      One problem DMACC has worked to curb is “ghost students,” or applicants who use fake or stolen identities to seek financial aid. Denson said the college started seeing more fraudulent applications around two years ago, coming in groups from certain areas in different states and filing for loans without any intent of actually attending classes.

      For around a year, DMACC staff have been calling every applicant to confirm their identity before putting their information into the system, Denson said. While this practice has cut down on ghost student applications, it’s not the easiest task to undertake.

      In fall 2022, DMACC admitted more than 1,600 full-time, first-time students. Admissions staff and recruiters called each applicant and recorded the confirmation of their identity in the DMACC system — a time-consuming process, Denson said, as many students aren’t easy to reach over phone or email.

      “It’s a terrible use of time, it’s not the best use of their skills, but it’s something we’ve got to do,” Denson said. “What we don’t want to do is get a fraudulent app inside of our learning management system.”

      At its peak in late July 2022, Denson said the college was receiving around 15 fraudulent applications a day. Since implementing this practice, Denson said that number has decreased significantly, but one or two a day still pop up.

      Denson said the amount of time and manpower needed to verify so many applicants pulls people away from their other work.

      “We would rather have recruiters out recruiting and advisors talking to students about their career, rather than verifying somebody’s identity,” he said.

      In order to lower the risk of a fake student infiltrating Iowa Central Community College’s systems, President Jesse Ulrich said staff purges all records of inactive students — those who applied but never signed up for classes or interacted with the college in any way — every semester.

      Cybersecurity is costly

      Staff and faculty at both community colleges receive training on how to spot and report phishing, and receive random test phishing emails. Iowa Central Community College has members of its IT team dedicated to servers and infrastructure, and DMACC has a cybersecurity expert on retainer.

      Security software, training and insurance all require funds, Ulrich said, which could be used in other areas of the college.

      “Anytime you are putting more resources into cybersecurity, whether that’s through people, software, paying more for insurance; all of those things pull from the general fund or other areas of our funds to be able to really meet the core purpose of community colleges,” Ulrich said.

      Both colleges have cyber insurance; Denson said the college’s annual insurance cost is five times what it was, and the deductible has doubled.

      Even divulging details on its cybersecurity insurance could put the college at risk, Ulrich said, as threat actors will look through public records to determine how well-insured schools are and use that in attacks.

      “It’s kind of a lose-lose situation for higher ed when we’re put in that situation,” he said.

      However, having these safeguards isn’t really a choice, Denson said — it’s a necessity, and one that isn’t going away soon.

      According to SonicWall’s 2023 , educational institutions were cybercriminals’ top targets for malware attacks. At the recent annual Community Colleges for Iowa conference, Ulrich said cybersecurity was among the top 10 challenges facing higher education today.

      ProCircular works with more than just community colleges to evaluate cybersecurity efforts, but the leaders at colleges Warner has met are among the most understanding of the issues and how to tackle them, he said. Much of the company’s training involves ensuring people know what to look for, how to respond in the event of a breach and helping them allocate resources in the right areas.

      U.S. Rep. Zach Nunn introduced in April to help curb cyber attacks against K-12 schools by increasing available resources, expanding cyber attack prevention information sharing and improving national tracking of cyber attacks. While no bills targeting cybersecurity in higher education have been introduced, a spokesperson for Nunn’s office said they are working with as many entities as possible to help tighten cybersecurity across the board.

      Community Colleges for Iowa Executive Director Emily Shields said there has been interest in the state Legislature in working to curb cybersecurity breaches in higher education, but many of the best practices suggested in discussions are already being practiced by community colleges.

      When it comes to funding, Shields said colleges would rather see more dollars go into general funds than specific silos like cybersecurity, as it allows them to be more flexible in allocating resources.

      The organization has worked to help keep colleges informed about cybersecurity threats and avenues to help fend off attacks, in the event one does occur, she said.

      “The conversation always is not if this is going to happen in your college, it’s when,” Shields said. “Everybody’s anticipating. You will have cyberattacks, probably plural — it’s making sure you’re ready for that.”

      is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Iowa Capital Dispatch maintains editorial independence. Contact Editor Kathie Obradovich for questions: info@iowacapitaldispatch.com. Follow Iowa Capital Dispatch on and .

      ]]>