The confidential documents stolen from schools and dumped online by ransomware gangs are raw, intimate and graphic. They describe student sexual assaults, psychiatric hospitalizations, abusive parents, truancy — even suicide attempts.

“Please do something,” begged a student in one leaked file, recalling the trauma of continually bumping into an ex-abuser at a school in Minneapolis. Other victims talked about wetting the bed or crying themselves to sleep.

Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom. Other exposed data included medical records and discrimination complaints.

Rich in digitized data, the nation’s schools are prime targets for far-flung criminal hackers, who are assiduously locating and scooping up sensitive files.

Often strapped for cash, districts are grossly ill-equipped not just to defend themselves but to respond diligently and transparently when attacked, especially as they struggle to help kids catch up from the pandemic and grapple with shrinking budgets.

Months after the Minneapolis attack, administrators have not delivered on their promise to inform individual victims. Unlike for hospitals, no federal law exists to require this notification from schools.

The Associated Press reached families of six students whose sexual assault case files were exposed. The message from a reporter was the first time anyone had alerted them.

“Truth is, they didn’t notify us about anything,” said a mother whose son’s case file has 80 documents.

Even when schools catch a ransomware attack in progress, the data are typically already gone. That was what Los Angeles Unified School District did last Labor Day weekend, only to see the private paperwork of more than 1,900 former students — including psychological evaluations and medical records — leaked online. Not until February did district officials disclose the breach’s full dimensions.

The lasting legacy of school ransomware attacks, it turns out, is not in school closures, recovery costs or even soaring cyberinsurance premiums. It is the trauma for staff, students and parents from the online exposure of private records — which the AP found on the open internet and dark web.

“A massive amount of information is being posted online, and nobody is looking to see just how bad it all is. Or, if somebody is looking, they’re not making the results public,” said analyst Brett Callow of the cybersecurity firm Emsisoft.

Other big districts recently stung by data theft include San DiegoDes Moines and Tucson, Arizona. While the severity of those hacks remains unclear, all have been criticized either for being slow to admit to being hit by ransomware, dragging their feet on notifying victims — or both.

ON CYBER SECURITY, SCHOOLS HAVE LAGGED

While other ransomware targets have fortified and segmented networks, encrypting data and mandating multi-factor authentication, school systems have been slower to react.

Ransomware likely has affected well over 5 million U.S. students by now, with district attacks on track to rise this year, said analyst Allan Liska of the cybersecurity firm Recorded Future. Nearly one in three U.S. districts had been breached by the end of 2021, according to a survey by the Center for Internet Security, a federally funded nonprofit.

Just three years ago, criminals did not routinely grab data in ransomware attacks, said TJ Sayers, cyberthreat intelligence manager at the Center for Internet Security. Now, it’s common, he said, with much of it sold on the dark web.

The criminals in the Minneapolis theft were especially aggressive. They shared links to the stolen data on Facebook, Twitter, Telegram and the dark web, which standard browsers can’t access.

The Minneapolis parents informed by the AP of the leaked sexual assault complaints feel doubly victimized. Their children have battled PTSD, and some even left their schools. Now this.

“The family is beyond horrified to learn that this highly sensitive information is now available in perpetuity on the internet for the child’s future friends, romantic interests, employers, and others to discover,” said Jeff Storms, an attorney for one of the families. It is AP policy not to identify sexual abuse victims.

Minneapolis Schools spokeswoman Crystina Lugo-Beach would not say how many people have been contacted so far or answer other AP questions about the attack.

Despite parents' and teachers' frustration, schools are routinely advised by incident response teams concerned about legal liability issues and ransom negotiations against being more transparent, said Callow of Emsisoft. Minneapolis school officials apparently followed that playbook, initially describing the Feb. 17 attack cryptically as a “system incident,” then as “technical difficulties” and later an “encryption event.”

The extent of the breach became clear though when a ransomware group posted video of stolen data, giving the district 10 days to pay the ransom before leaking files.

The district declined to pay, following the standing advice of the FBI, which says ransoms encourage criminals to target more victims.

SCHOOLS SPEND TECH BUDGETS ON LEARNING TOOLS, NOT SECURITY

During the COVID-19 pandemic, districts prioritized spending on internet connectivity and remote learning. Security got short shrift as IT departments invested in software to track student engagement and performance, often at the expense of privacy and safety, University of Chicago and New York University researchers found.

Cybersecurity money for public schools is limited. As it stands, districts can only expect slivers of the $1 billion in cybersecurity grants that the federal government is distributing over four years.

Minnesota’s chief information security officer, John Israel, said his state got $18 million of it this year to divvy among 3,600 different entities. State lawmakers provided an additional $22.5 million in grants for cyber and physical security in schools.

It’s already too late for the mother of one of the Minneapolis students whose confidential sexual assault complaint was released online. She almost feels “violated again.”

“All the stuff we kept private,” she said, “it’s out there. And it’s been out there for a very long time.”

Share:
More In Technology
Spain fines Airbnb $75 million for unlicensed tourist rentals
Spain's government has fined Airbnb 64 million euros or $75 million for advertising unlicensed tourist rentals. The consumer rights ministry announced the fine on Monday. The ministry stated that many listings lacked proper license numbers or included incorrect information. The move is part of Spain's ongoing efforts to regulate short-term rental companies amid a housing affordability crisis especially in popular urban areas. The ministry ordered Airbnb in May to remove around 65,000 listings for similar violations. The government's consumer rights minister emphasized the impact on families struggling with housing. Airbnb said it plans to challenge the fine in court.
Militant groups are experimenting with AI, and the risks are expected to grow
The Islamic State group and other militant organizations are experimenting with artificial intelligence as a tool to boost recruitment and refine their operations. National security experts say that just as businesses, governments and individuals have embraced AI, extremist groups also will look to harness the power of AI. That means aiming to improve their cyberattacks, breaking into sensitive networks and creating deepfakes that spread confusion and fear. Leaders in Washington have responded with calls to investigate how militant groups are using AI and seek ways to encourage tech companies to share more about how their products are being potentially misused.
Trump signs executive order to block state AI regulations
President Donald Trump has signed an executive order to block states from regulating artificial intelligence. He argues that heavy regulations could stifle the industry, especially given competition from China. Trump says the U.S. needs a unified approach to AI regulation to avoid complications from state-by-state rules. The order directs the administration to draw up a list of problematic regulations for the Attorney General to challenge. States with laws could lose access to broadband funding, according to the text of the order. Some states have already passed AI laws focusing on transparency and limiting data collection.
San Francisco woman gives birth in a Waymo self-driving taxi
Waymo's self-driving taxis have been in the spotlight for both negative and positive reasons. This week, the automated ride-hailing taxis went viral after a San Francisco woman gave birth inside a Waymo taxi while on her way to the hospital. A Waymo spokesperson on Wednesday confirmed the unusual delivery. It said the company's rider support team detected unusual activity inside the vehicle and alerted 911. The taxi arrived safely at the hospital before emergency services. Waymo's popularity is growing despite heightened scrutiny following an illegal U-turn and the death of a San Francisco cat. The company, owned by Alphabet, says it is proud to serve riders of all ages.
OpenAI names Slack CEO Dresser as first chief of revenue
OpenAI has appointed Slack CEO Denise Dresser as its first chief of revenue. Dresser will oversee global revenue strategy and help businesses integrate AI into daily operations. OpenAI CEO Sam Altman recently emphasized improving ChatGPT, which now has over 800 million weekly users. Despite its success, OpenAI faces competition from companies like Google and concerns about profitability. The company earns money from premium ChatGPT subscriptions but hasn't ventured into advertising. Altman had recently announced delays in developing new products like AI agents and a personal assistant.
Load More