The latest on Minnesota's 2025 election

MPR News helps you turn down the noise and build shared understanding. Turn up your support for this public resource and keep trusted journalism accessible to all. 

Turn Up Your Support

Students and teachers in Rochester Public Schools 

 because suspicious activity on the district’s technology network forced them offline. This incident comes after a hacker group called Medusa 

stole the personal information of students and employees from Minneapolis Public Schools

, demanded $1 million from the district and then posted the personal information to the dark web.

1,619 cybersecurity-related incidents in K-12 public schools in the U.S. between 2016 and 2022

, according to the K12 Security Information eXchange, a national nonprofit that helps schools protect themselves from cybersecurity threats.

MPR News host Angela Davis spoke with two cybersecurity experts: 

founder and managing partner of IT Audit Labs, and Doug Levin, the director of the 

 about why schools are so vulnerable to cybersecurity attacks, why and how hackers steal personal information, and how people can keep their digital information safe. 

Here are some key moments of the conversation.

The following transcript has been edited for length and clarity. Use the audio player above to listen to the full conversation.

Why are schools the target of cybersecurity attacks?

There are three big reasons that schools are the target of these cyber attacks.

What information could hackers get from schools? 

There's two populations that have data that is valuable to criminals.

What can hackers do with your information?

 Unfortunately, the way our credit system is set up, credit starts open. So you get a social security number, and it's open and available for you to use. You don't have to request permission or give authorization to open that credit. So what happens is our social security numbers are floating around, and anyone who gets access to that number can use that for malicious purposes. 

And as Doug said, could open credit up in your name, take a loan out, there are fraudulent tax forms that are filed to try to get your tax rebate before you do. But there's these malicious actors can really hold on to that number and manipulate it. 

What usually happens in the aftermath of a cyber attack?

: What typically happens is companies that have cyber insurance will call that insurance broker, they'll get a breach coach involved, and they'll start understanding how that breach occurred, and what information was disclosed. And organizations that hold personally identifiable information — things like social security numbers — have regulatory response requirements in which they must notify individuals that were impacted by the breach. 

So lawyers get involved, and they really restrict what information can be talked about publicly. As a cybersecurity professional, it bothers me because if the other school districts or other municipalities in the area had that information, they can make sure that that they were protected. But unfortunately, the lawyers typically try to restrict that conversation, because they don't know yet what happened. 

Once they do, they'll release information to the individuals who did have their personally identifiable information compromised. They'll get a breach notification letter, and typically an offer for some form of credit protection or credit monitoring for one, two or three years. 

 What we recommend is freezing your credit so that only you can unlock it and it's not available, just floating out there for everyone to use. We have to request it by working with the individual credit bureaus to freeze that credit. There are four bureaus: 

 and you can work directly with those bureaus for free to freeze your credit. 

It takes about five minutes. You get a passcode or a pin to unlock that credit at a future date, if you're going to go get a loan for a home or a car, you'll unlock that credit for a period of time and you can specify that time. You essentially unfreeze that credit for that period of time to get your loan. 

Once you do that, the other really important thing to do is to make sure that you're using a password manager, and you're not reusing passwords across multiple sites. And that's really where a lot of these malicious actors can compromise multiple pieces of our information because we're reusing our passwords.

Are there agencies that you could report to if something might be putting people at risk?

It's a particularly tough question. Depending on the business, there are some enforcement agencies that may be interested in learning, whether that's HHS (

U.S. Department of Health & Human Services

). That tends to be for private companies, particularly larger ones, or maybe healthcare institutions or hospitals or financial institutions, basically regulated industries. But it does, I think, underscore that this is a leadership and governance issue. 

Ultimately, an organization is only going to take it as seriously as that organization values that issue and unfortunately, we see too many cases that leaders either don't understand these issues very well or appreciate these risks, or are not willing to spend the money and time to put in place a training regime across an organization and ensuring that the practices are being audited and up to snuff. 

Subscribe to the MPR News with Angela Davis podcast on: 

Business and Economic News

Shows

MPR News with Angela Davis

Host

Author

Learn everything you need to know about school cybersecurity attacks, what to do if your information has been compromised and how to keep your digital information safe.

School districts in Minnesota are getting hacked and private student and parent information has been stolen. MPR News host Angela Davis finds out what went wrong and how people can keep their digital information safe.

MPR News with Angela Davis - How to keep online information safe after Minnesota schools hacked

Man Holding Laptop Computer With Both Hands

How to keep your information safe in wake of school cybersecurity attacks

Go Deeper.

Like this?