Hackers who broke into the Minneapolis Public Schools earlier this year have circulated a large number of files that appear to include highly sensitive documents on schoolchildren and teachers, including allegations of teacher abuse and student psychological reports.
The files appeared online in March after the school district announced that it had been the victim of a ransomware cyberattack. NBC News was able to download the document cache and reviewed around 500 files. Some were printed on school letterhead. Many were listed in folder sets named after Minneapolis schools.
NBC News was able to view the leaked files after downloading them from links posted on the hacker group’s Telegram account. NBC News has not verified the authenticity of the cache, which numbers some 200,000 files, and the Minneapolis Public Schools declined to answer specific questions about the documents, instead noting that his previous public statements.
The files reviewed by NBC News include everything from relatively benign data like contact information to much more sensitive information, including descriptions of student behavior problems and teachers’ social security numbers.
In addition to leaking the documents, the hacking group appeared to go a step further, posting about the documents on Twitter and Facebook, as well as on a website, which hosted a video that opens with an animated clip of a motorcycle on fire. , followed by 50 minutes of screenshots of the stolen files. NBC News does not name the group.
It’s a stark reminder that schools often have reams of sensitive information, and that such leaks often leave parents and administrators with little recourse once their information is released.
“The fact is that school districts really should be treating this more like nuclear waste, where they need to identify and contain it and make sure that access is restricted,” said Doug Levin, director of K12 Security. Information Exchange, a nonprofit organization that helps schools protect themselves from hackers. “Organizations that are supposed to help uplift children and prepare them for the future, instead, could be introducing significant headwinds into their lives just by participating in public school.”
School districts really should treat this more like nuclear waste.
Doug Levin, director of the K12 Safety Information Exchange
In an update posted on the Minneapolis Public Schools website on April 11, Acting Superintendent Rochelle Cox said the school district was working with «outside specialists and law enforcement to review the data» that was posted online. . Cox also said the district was reaching out to people whose information was found in the leak. Cox also warned about reports that people had received messages telling them their information had been leaked.
“This week, we are seeing an increase in reports of messages, sometimes multiple messages, sent to people in our community that say something like ‘your social security number has been posted on the dark web,’” Cox wrote. «First, I want to remind everyone to NOT interact with such messages unless you KNOW the sender.»
Cybersecurity experts familiar with the leak have called it one of the worst in living memory.
«It’s horrible. The worst I’ve ever seen,» Brett Callow, an analyst who tracks ransomware attacks for cybersecurity company Emsisoft, said of the breach.
Ransomware attacks on schools, often ending with hackers releasing sensitive information, have become prevalent in the US since 2015.
At least 122 public school districts in the US have been hit with ransomware since 2021, Callow said, and more than half, 76, resulted in hackers leaking sensitive school and student data.
In such cases, districts often provide parents and students with identity theft protection services, even though they are unable to prevent the files from being shared after they are released.
The leak has left some Minneapolis parents wondering what to do next.
“I feel like my hands are tied and I feel like the information that the district is giving us is very limited,” said Heather Paulson, who teaches at the district’s high school and is the mother of a younger child attending the school in Minneapolis. .
Lydia Kauppi, the mother of a student in the district, said it’s disturbing to learn that her family’s private information may have been shared by hackers.
“It causes anxiety on multiple, multiple fronts for everyone involved,” he said. «And it’s one of those weird, vague, unsettling feelings because you just don’t know how long I’m going to have to worry about it.»
The Minneapolis Public Schools, which oversees about 30,000 students in 68 schools, said April 11 that it was continuing to notify people affected by the breach and that it was offering victims free credit monitoring and credit protection services. identity theft.
Ransomware hackers have dramatically intensified their tactics in recent years, increasing the amount they ask for and launching efforts to pressure schools to pay up, including contacting people whose information has been leaked. The group that hacked into Minneapolis schools publicly demanded $1 million. The district Announced in March that it hadn’t paid, and ransomware gangs typically only leak large data sets of victims who refuse to pay.
Since last year, various criminal hacker groups have leaked treasure troves of files in some of the nation’s largest school districts, including in the Angels and chicago.
The leaked Minneapolis files appear to include files on hundreds of children with special needs, identifying each by name, date of birth and school. Those files often include pages of details about the students, including problems at home like divorced or incarcerated parents, conditions like attention deficit disorder, documented indications where they appear to have been injured, intelligence test results, and what medications they take.
Other files include databases of cases in which teachers have written students for behavior problems, sorted by school, student ID number, behavior problem, and student race.
The leaked files also include hundreds of forms documenting when teachers learned that a student had been potentially mistreated. Most of them are allegations that a student suffered negligence or physical harm by a teacher or student. Some are extraordinarily sensitive, alleging incidents such as the sexual abuse of a student by a teacher or another student. Each report names the victim and cites her date of birth and address.
In one report, a special education student claimed that the bus driver groped her and forced her to touch him. Minnesota police later charged a man whose name matches the driver named in the report and the date of the incident.
Others describe a teacher accused of having had an affair with two students. Another describes a student who was suspected by teachers of having been the victim of female genital mutilation. NBC News was able to verify that the teachers listed in those reports worked for Minneapolis schools, but has not verified those reports.
Those files have been promoted online in an unorthodox and particularly aggressive way, according to experts.
Many ransomware hacker groups create blogs on the dark web (sites that cannot be found through search engines like Google and Bing) where they post files from non-paying victims.
The group behind the Minneapolis hack maintains such a blog, which is widely tracked by cybersecurity experts. But he also seems to maintain a more conventional website, launched in November, that posts «reviews» of each of his hacking exploits along with news copied from other sites. The news site does not review leaks from other hackers. Both websites point to the same social media accounts.
Posts on Twitter and Facebook bragging about the Minneapolis attack remained live on those social media accounts as of Monday morning. The posts direct people to the news website, which includes a 50-minute video of the hackers showing off the files and instructions on how visitors can download them.
“What is unusual is the number of platforms this group uses to promote leaks, including Facebook and Twitter,” said Callow, the ransomware expert.
“And I think his use of video is unique,” he said. “Gangs have privately shared videos with victims before, but this is the first time recordings of stolen data have been shared publicly.”
Paulson, the teacher and parent, said she has taken some steps to prevent further damage, but she has no ideas about what else she could do.
“I froze my credit, my son’s credit,” she said. “And more than that, I’ve just been watching and hoping nothing happens.