‘It is very serious’: Minneapolis schools find student and staff data on the dark web

Once students' personal data is found on the dark web, there is virtually nothing families can do, according to one cybersecurity expert. Here are eight recommendations district leaders should give to families following an incident like this.

On Friday, Minneapolis Public Schools announced that personal information belonging to students and staff was posted on the dark web following an encryption incident in late February. According to one cybersecurity expert, this is the worst-case scenario.

The district first became aware of the issue nearly one month ago. Here’s a brief timeline of the events, according to news releases from the district:

  • Feb. 18: The district notified parents of a “system incident” and began working on tracing the source.
  • Feb. 21: All impacted data was restored and “no data will be lost due to this incident,” according to the district. Additionally, all passwords were updated and multifactor authentication strategies were implemented.
  • Feb. 27: The investigation is ongoing; many systems are up and running.
  • March 1: The source of the disruption was discovered to be an “encryption virus.” The investigation is ongoing and the district refused to pay a ransom. It is not evident whether the threat actor was able to access personal information.
  • March 7: The district discovered that data was posted online. It was reported to law enforcement and they began working on having it removed.
  • March 9: The investigation is ongoing; it’s not evident whether the data accessed has been used to commit fraud. Individuals will be contacted directly by MPS if their personal information has been impacted.
  • March 14: The district advises everyone to continue taking steps to protect themselves online. Despite the circumstance, many systems are functioning normally.
  • March 17: It became clear that MPS data was posted on the dark web, a part of the internet that allows users to operate without being traced. The district is working closely with cybersecurity specialists to download the data and review it.

James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI, says this is exactly what every district fears.

“It is very serious,” he says. “Clearly, in the Minneapolis Public Schools ‘encryption’ incident, as they called it, the threat actors exfiltrated a significant amount of Personal Identifiable Information (PII) from the ecosystem before they detonated the ransomware.”

Compromised student data, particularly in K12 ecosystems, is the “most egregious,” he adds. Young students have clean credit histories and little to no social media presence.

“This type of ‘clean’ data can be used by and sold to a plethora of threat actors in the world who create fake personas in the child’s name and might be used in waves of financial crimes against these children for decades,” he explains. “One of these poor kids could wake up when they’re 30 and realize that someone bought a beach house in Bora Bora using their identity.”

Once their information is posted on the dark web, things really get out of hand, according to Turgal. At this point, there’s not much parents and families can do. Even worse, if the threat actor can link that student’s information to their parents’ data, it further expands the opportunity for fraud. He advises that districts tell families to look into an identity theft solution like LifeLock. Then, administrators should ask the community to take the following preventative measures:

  • Check their credit, generate a credit report and possibly choose a credit freeze.
  • Monitor their Social Security number.
  • Change usernames and passwords frequently.
  • Set up multifactor identification on all devices.
  • Check on their bank accounts frequently.
  • Watch out for suspicious charges or demands for loan payments.
  • Do not reply to odd or unsolicited emails.
  • Install anti-malware firewall protection.

Lastly, parents should be on the lookout for:

  • Collection calls or notices for a debt incurred in their child’s name.
  • Mailings that would generally be for someone over the age of 18, such as preapproved credit card offers, jury duty notices or parking tickets.
  • An insurance bill or explanation of benefits from a doctor listing medical treatments or services that did not take place.
  • A notice from the IRS that their child’s name and/or Social Security number is already listed on another tax return.



Micah Ward
Micah Ward is a District Administration staff writer. He recently earned his master’s degree in Journalism at the University of Alabama. He spent his time during graduate school working on his master’s thesis. He’s also a self-taught guitarist who loves playing folk-style music.