(Bloomberg) -- Classrooms across Tucson, Arizona, were ravaged by ransomware in January that locked up computer systems and forced teachers to revamp lesson plans. Officials in southern Arizona’s largest school district tried assuring students and staff for weeks that, despite the cyberattack, sensitive data wasn’t stolen.

But Bloomberg News found that cybercriminals made off with gigabytes of files, containing tens of thousands of current and former employees’ Social Security numbers and other confidential records. They then uploaded the information in February to the dark web for anyone to access with an easily downloadable browser. The data were still accessible as recently as April 17.

Examples of the leaked files include a high schooler’s medical records; another detailed arguments for expelling several students. There are documents showing a confidential settlement agreement with Joann Anderson, a former employee who had previously sued the Tucson Unified School District in federal court, alleging discrimination.

“They told me, ‘There was no evidence of a data breach,’” Anderson said of a recent conversation with a school district lawyer, who, she says, told her that nothing was taken.

Ransomware can wreak havoc: Financial institutions flagged almost $1.2 billion in likely ransomware-related payments in 2021 alone, according to the US Treasury Department. Many cases go unreported, so the actual number may be higher. And as TUSD’s attack shows, ransomware isn’t just costly, but it can jeopardize the privacy of private citizens — including children — and undermine confidence in school systems.

Last fall, a different group stole gigabytes of data from the Los Angeles public school system, the nation’s second-largest. A subsequent report found that leak contained hundreds of students' mental-health records. (A spokesperson for the Los Angeles Unified School District said individuals were notified if their data was posted online.) Cybercriminals frequently use similar tactics to go after businesses, high-net-worth individuals and critical infrastructure.

In response to written questions from Bloomberg, TUSD spokeswoman Leslie Lenhart said an investigation so far showed no indication that Social Security numbers belonging to tens of thousands of employees were accessible, or that anyone could view them on the dark web. “No instruction time was lost,” she said. “Schools remained open throughout the event. Systems were safely restored and recovered.”

Lenhart said senior TUSD leadership was unavailable for an interview with Bloomberg, including Superintendent Gabriel Trujillo, who she said was on leave.

By late March, after Bloomberg began contacting people affected by the breach, Trujillo said in a staff email that unspecified “employee information of a confidential and sensitive nature” was accessed, but not Social Security numbers. Bloomberg found more than 16,000 numbers and birth dates tied to current and former employees on the dark web.

Another leaked document included “confidential records” concerning a high school student's diabetes diagnosis and instructions for their insulin injections. Parents of the student, whom Bloomberg is not naming, didn’t respond to inquiries seeking comment.

Ransomware is a type of malware that encrypts a victim’s computers, essentially taking them out of the owner’s control. The attackers then demand a ransom payment to unlock the data. In addition to encrypting files and demanding money, some attackers also steal private troves of data and threaten to release them if their demands aren’t met. Ransomware groups like the notorious Conti gang have encumbered critical infrastructure globally, including Ireland’s public health system in 2021. Lenhart said the TUSD didn’t engage with the attackers or pay a ransom.

Brett Callow, who tracks ransomware attacks for the cybersecurity firm Emsisoft, said school systems face unusual challenges. Budget-strapped districts are often under pressure to prioritize student resources, teacher pay and buildings in disrepair over cybersecurity spending, he said. “Attacks are cheap,” Callow said. “They don't need big or frequent payouts to get a return on investment.”

The Tucson attack began sometime around Jan. 30, interviews and documents show. One morning, staffers were greeted by a message from the attackers, who used a type of ransomware called Royal, sent to printers across the district. “If you are reading this, it means that your system were [sic] hit by Royal ransomware,” the author wrote. From the beginning, the group indicated that some of TUSD's data could be uploaded online for anyone to see.

For the next two weeks, teachers and staff had to improvise lesson plans and come up with makeshift attendance-taking, documents and interviews show. Electronic grade books, email access and other key services were down as the district’s internet connection was cut. “It was hard to keep stuff accountable,” said Rueben Loya, who's taught music for two decades. “We didn't even have the kids' parents' phone numbers,” he said, which added to confusion over who was allowed to pick up students at dismissal.

Days after the attack, documents show, employees were instructed to install a malware scanner made by CrowdStrike Holdings Inc., a major firm that responds to cyberattacks. Lenhart, the district spokeswoman, said cybersecurity firm PacketWatch began an initial investigation on behalf of the Arizona Risk Retention Trust insurance program.

Other district staff grew frustrated at what they considered a lack of answers. “Not [too] happy with the confusion and lack of transparency,” one employee replied to their colleagues in an email seen by Bloomberg. Some states require that cyberattacks on school districts be disclosed to state officials; others have no reporting requirement, according to Allan Liska, a ransomware analyst with the firm Recorded Future Inc.

Campus computer outages, however, were only the beginning of the headaches for TUSD employees. Several teachers interviewed by Bloomberg expressed alarm that their private data was freely available for the taking. Officials, they said, initially offered resources for credit monitoring, but provided few details on the extent of the data leak.

The cybercriminals behind the Royal ransomware applied pressure beyond school leadership. In one email seen by Bloomberg, the hackers claimed to have sent a message to 140 TUSD email addresses containing copies of a half-dozen passports and evidence of gigabytes of data they said they stole: “Just imagine what will happen if such data leak into the internet.” (Royal attacks have also targeted the manufacturing and health care sectors.)

“Your company will face reputational and financial harm among [sic] with regulatory and legal penalties,” the attackers taunted shortly after the attack in late January. “Hurry up!”

The education sector is among the least likely to pay, Liska said. He said nearly two dozen school systems have already been attacked this year, adding to more than 200 school districts hit since early 2020. “Ransomware groups are still attracted to these targets,” he said.

The ransomware scourge has grown so concerning worldwide that the Biden administration hosted nearly three dozen countries last fall for a summit in Washington. The pace and sophistication of those intrusions is increasing faster than the US government’s ability to disrupt them, a senior administration official said late last year.

“I wish that there was more openness about the possibilities of what could go wrong when this happens,” Margaret Chaney, president of the Tucson Education Association, a teachers' union, said in an interview. “You don't want to needlessly panic people. But I'm an adult, and I need to make my own decisions.”

©2023 Bloomberg L.P.