UPDATE: Minneapolis Public Schools Data Breach Also Exposed Campus Security Maps

The leaked files include specific locations of campus surveillance cameras as well as other sensitive school security infrastructure information.
Published: May 17, 2023

UPDATE MAY 17, 2023: The ransomware attack that leaked more than 189,000 Minneapolis Public Schools files didn’t just expose information on rape cases, child abuse inquiries, and student mental health cases. It also exposed campus security technology details and blueprints of district school buildings.

The leaked files include specific locations of campus surveillance cameras as well as other sensitive school security infrastructure, reports The74.

The report is particularly troubling because so many K-12 school districts, as well as college campuses, and healthcare facilities, have digitized maps that list the technical details of the security technologies campuses have deployed, as well as show the locations of building entrances and exits, HVAC systems, fire alarms, gas meters, water shutoffs, evacuation routes, and more.

In Minneapolis’ case, that information can be now found via a Google search.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

ORIGINAL ARTICLE: MAY 10, 2023

Nearly 200,000 individual files containing sensitive student and educator information were released in the February ransomware attack against Minneapolis Public Schools (MPS).

On March 7, ransomware gang Medusa escalated its tactics by releasing data stolen from MPS after it refused to pay a $1 million ransom. An analysis of the files, conducted by The 74, found many outlined campus rape cases, child abuse inquiries, student mental health crises, and suspension reports. Among the files were screenshots of handwritten notes describing a sexual assault allegation and the names of students allegedly involved, multiple complaints from students who accused the same teacher of inappropriate touching, and statements from a student describing her alleged rape by a teacher.

Overall, The 74 says the records “offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints and detailed information on campus security and other district operations that many school systems seek to keep under wraps.” Files also include district financial records and educators’ Social Security Numbers.

Attorney and student privacy consultant Amelia Vance told The 74 that a distinguishing feature of this breach is the sheer volume of compromising information that has been exposed. Vance said the information leaked is so personal that she would have a difficult time coming up with a mitigation response for the victims.

“I’m an expert in this and I have no idea,” she said.

It is also a difficult incident to navigate since ransomware attacks have historically been focused on identity theft and fraud. Protections are now in place to support victims of those crimes but there are no leading practices for supporting victims of this type of data leak.

“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?”

Another unique aspect of the breach is that the stolen data wasn’t published on the dark web. Instead, The 74 revealed download links were published to Telegram, an encrypted instant messaging service, and a fake technology news blog that has direct ties to the attackers. Breaches posted to the dark web require special tools and knowledge to access. Using this alternative method, said Vance, “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”

Another student privacy advocate, Marika Pfefferkorn, told The 74 that she has struggled with giving advice to parents whose children’s data was leaked in the MPS breach.

“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.”

Parents of victims are also angered at how MPS officials have handled the breach. Pfefferkorn said several parents told her the district won’t discuss their concerns with them. The district’s most recent public statement from interim Superintendent Rochelle Cox, posted on April 11, said the district has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.”

While Medusa originally posted a 50-minute video of attackers scrolling through stolen records on March 7, a downloadable link containing the complete archive of stolen records was released on March 17, says The 74. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7 but does “not have the results of that investigation.”

Additionally, WCCO reports emails between MPS officials show a nearly two-week delay before the district acknowledged that staff and student personal data could be compromised. The district found out about the breach on Feb. 17 but it wasn’t until March 1 that the district sent out an email to families acknowledging an “encryption event” had occurred.

ADVERTISEMENT
ADVERTISEMENT
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series