Minneapolis schools find student and staff data on the dark web

On Friday, Minneapolis Public Schools announced that personal information belonging to students and staff was posted on the dark web following an encryption incident in late February. According to one cybersecurity expert, this is the worst-case scenario.

Nearly one month ago today is when the district first became aware of the issue. Here’s a brief timeline of the events, according to news releases from the district:

Feb. 18: The district notified parents of a “system incident” and began working on tracing the source.
Feb. 21: All impacted data was restored and “no data will be lost due to this incident,” according to the district. Additionally, all passwords were updated and multifactor authentication strategies were implemented.
Feb. 27: The investigation is ongoing; many systems are up and running.
March 1: The source of the disruption was discovered to be an “encryption virus.” The investigation is ongoing and the district refused to pay a ransom. It is not evident whether the threat actor was able to access personal information.
March 7: The district discovered that data was posted online. It was reported to law enforcement and they began working on having it removed.
March 9: The investigation is ongoing; it’s not evident whether the data accessed has been used to commit fraud. Individuals will be contacted directly by MPS if their personal information has been impacted.
March 14: The district advises everyone to continue taking steps to protect themselves online. Despite the circumstance, many systems are functioning normally.
March 17: It became clear that MPS data was posted on the dark web, a part of the internet that allows users to operate without being traced. The district is working closely with cybersecurity specialists to download the data and review it.

James Turgal, vice president of Optiv’s Cyber Risk, Strategy and Board Relations and former chief information officer for the FBI, says this is exactly what every district fears.

“It is very serious,” he says. “Clearly, in the Minneapolis Public Schools ‘encryption’ incident, as they called it, the threat actors exfiltrated a significant amount of Personal Identifiable Information (PII) from the ecosystem before they detonated the ransomware.”

Compromised student data, particularly those in K12 ecosystems, are the “most egregious,” he adds. Young students have clean credit histories and little to no social media presence.

“This type of ‘clean’ data can be used by and sold to a plethora of threat actors in the world who create fake personas in the child’s name and might be used in waves of financial crimes against these children for decades,” he explains. “One of these poor kids could wake up when they’re 30 and realize that someone bought a beach house in Bora Bora using their identity.”

Once their information is posted on the dark web is when things really get out of hand, according to Turgal. At this point, there’s not much parents and families can do. Even worse, if the threat can link that student’s information to their parents’ data, it further expands the opportunity for fraud. He advises that districts communicate to families to look into an identity theft solution like Life-Lock. Then, administrators should ask the community to take the following preventative measures:

Check their credit, generate a credit report and possibly choose a credit freeze.
Monitor their Social Security number.
Change usernames and passwords frequently.
Set up multifactor identification on all devices.
Check on their bank accounts frequently.
Watch out for suspicious charges or demands for loan payments.
Do not reply to odd or unsolicited emails.
Install anti-malware firewall protection.

Lastly, parents should be on the lookout for:

Collection calls or notices for a debt incurred in their child’s name.
Mailings that would generally be for someone over the age of 18, such as preapproved credit card offers, jury duty notices or parking tickets.
An insurance bill or explanation of benefits from a doctor listing medical treatments or services that did not take place.
A notice from the IRS that their child’s name and/or Social Security number is already listed on another tax return.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

‘It is very serious’: Minneapolis schools find student and staff data on the dark web

Most Popular

Forward-thinking furnishings

Superintendent hiring season is now kicking into higher gear

Teacher pay becomes prominent theme of this year’s budget season

5-year promise: How one leader steers her strategic plan

4 superintendents are switching places as hiring surge continues

This district found some important partners to fight absenteeism