School officials in Tucson haveĀ said little aboutĀ files stolen in a cyberattack. Troves of data, including Social Security numbers, showed up on the dark web.
(Bloomberg) — Classrooms across Tucson, Arizona,Ā were ravaged by ransomware in January that locked up computer systems and forced teachers to revamp lesson plans. Officials in southern Arizonaās largest school district tried assuringĀ students and staff for weeks that, despite the cyberattack, sensitive data wasnāt stolen.
ButĀ Bloomberg News found thatĀ cybercriminals made off with gigabytes of files, containing tens of thousands of current and former employeesā Social Security numbers and other confidential records. They then uploadedĀ the informationĀ in February to the dark webĀ for anyone to access with an easily downloadable browser. The data were still accessible as recently as April 17.
Examples of the leaked filesĀ includeĀ a high schoolerās medical records; another detailed arguments for expelling several students. There are documents showing a confidential settlement agreement with JoannĀ Anderson, a former employee who had previously sued the Tucson Unified School District in federal court, alleging discrimination.
āThey told me, āThere was no evidence of a data breach,āā Anderson said of a recent conversation with a school districtĀ lawyer, who, she says, told her that nothing was taken.
RansomwareĀ can wreak havoc: Financial institutions flagged almost $1.2 billion inĀ likely ransomware-related payments in 2021 alone, according to theĀ US Treasury Department. Many cases go unreported, so the actual number may be higher. And as TUSDās attack shows, ransomware isnāt just costly, but it can jeopardizeĀ the privacy of private citizens ā including children ā and undermine confidence in school systems.
Last fall, a different group stole gigabytes of data from the Los Angeles public school system, the nationās second-largest. A subsequent reportĀ foundĀ that leak contained hundreds of students’ mental-health records. (A spokesperson for the Los Angeles Unified School District said individuals were notified if their data was posted online.) Cybercriminals frequently use similar tactics to go after businesses, high-net-worth individuals and critical infrastructure.
In response to written questions from Bloomberg, TUSD spokeswoman Leslie Lenhart said an investigation so far showed no indication that Social Security numbers belonging to tens of thousands of employees were accessible, or that anyone could view themĀ on the dark web. āNo instruction time was lost,ā she said. āSchools remained open throughout the event. Systems were safely restored and recovered.ā
Lenhart said senior TUSD leadership was unavailable for an interview with Bloomberg, includingĀ SuperintendentĀ Gabriel Trujillo, whom she said wasĀ on leave.
By late March, after Bloomberg began contacting peopleĀ affected by the breach, Trujillo said in aĀ staff emailĀ that unspecified āemployee information of a confidential and sensitive natureā was accessed,Ā but not Social Security numbers. Bloomberg foundĀ more than 16,000 numbers and birth dates tied to current and former employees on the dark web.
AnotherĀ leaked documentĀ included āconfidential recordsā concerning a high school student’s diabetes diagnosis and instructionsĀ for their insulin injections. Parents for the student, whom Bloomberg is not naming, didnāt respond to inquiriesĀ seeking comment.
Ransomware is a type of malware that encrypts a victimās computers, essentially taking it out of the ownerās control. The attackers then demand a ransom payment to unlock the data. In addition to encrypting files and demanding money, some attackers also steal private troves of data and threaten to release it if their demands arenāt met. Ransomware groups likeĀ the notorious ContiĀ gangĀ have encumbered critical infrastructure globally, including Irelandās public health system in 2021. Lenhart said the TUSD didnāt engage with the attackers or pay a ransom.
Brett Callow, who tracks ransomware attacks for the cybersecurity firm Emsisoft, said school systems face unusual challenges. Budget-strapped districts are often under pressure to prioritize student resources,Ā teacher pay and buildings in disrepair over cybersecurity spending, he said. āAttacks are cheap,ā Callow said. āThey don’t need big or frequent payouts to get a return on investment.ā
The Tucson attack began sometime aboutĀ Jan. 30, interviews and documents show. One morning, staffers were greeted by a message from the attackers, who used a type of ransomware calledĀ Royal, sent to printers across the district. āIf you are reading this, it means that your system were [sic] hit by Royal ransomware,āĀ the author wrote.Ā Since the beginning, the group indicated that some of TUSD’s data could be uploaded online for anyone to see.Ā
For the next two weeks, teachers and staff had to improvise lesson plans and come up with makeshift attendance-taking, documents and interviews show. Electronic grade books, email access and other key services were down as the districtās internet connection was cut. āIt was hard to keep stuff accountable,āĀ said Rueben Loya, who’s taught music for two decades. āWe didn’t even have the kids’ parents’ phone numbers,ā he said, which addedĀ to confusion overĀ who was allowed to pick up students at dismissal.
Days after the attack, documents show, employees were instructed to install a malware scanner made by CrowdStrike Holdings Inc., a major firm that responds to cyberattacks. Lenhart, the district spokeswoman, saidĀ cybersecurity firm PacketWatch began an initial investigationĀ on behalf of the Arizona Risk Retention Trust insurance program.
Other district staff grew frustrated at what they considered a lack of answers. āNot [too] happy with the confusion and lack of transparency,ā one employee replied to their colleagues in an email seen by Bloomberg.Ā Some states require that cyberattacks on school districts be disclosed to stateĀ officials; others have no reporting requirement, according to Allan Liska, a ransomware analyst with the firm Recorded Future Inc.
Campus computer outages, however, were only the beginning of the headaches for TUSD employees. Several teachers interviewed by Bloomberg expressed alarm that their private data was freely available for the taking. Officials, they said, initially offered resources for credit monitoring, but provided few details on the extentĀ of the data leak.
The cybercriminals behind the Royal ransomware applied pressure beyond school leadership. In one email seen by Bloomberg, the hackers claimed to have sent a message to 140 TUSD email addresses containingĀ copies of a half-dozen passports and evidence of gigabytes of data they said they stole: āJust imagine what will happen if such data leak into the internet.āĀ (Royal attacksĀ have also targeted the manufacturing and health care sectors.)
āYour company will face reputational and financial harm among [sic] with regulatory and legal penalties,āĀ the attackers taunted shortly after the attack in late January. āHurry up!ā
The education sector is among the least likely to pay, Liska said.Ā He said nearly two dozen school systems have already been attacked this year, adding toĀ more than 200 school districts hit since early 2020. āRansomware groups are still attracted to these targets,āĀ he said.
The ransomware scourge has grown so concerning worldwide thatĀ the Biden administrationĀ hosted nearly three dozen countries last fall for a summit in Washington. The pace and sophistication of those intrusions is increasing faster than the US governmentās ability to disrupt them, a senior administration officialĀ said late last year.
āI wish that there was more openness about the possibilities of what could go wrong when this happens,āĀ Margaret Chaney, president of the Tucson Education Association, a teachers’ union, said in an interview.Ā āYou don’t want to needlessly panic people. But I’m an adult, and I need to make my own decisions.ā
More stories like this are available on bloomberg.com
Ā©2023 Bloomberg L.P.