A portion of what appears to be data hacked from the district was posted online in a nearly hour-long video by the ransomware group Medusa on Tuesday — it has since been removed.
“All signs point to the Medusa ransomware group, conducting what's called double extortion on the school district,” said Mark Keierleber, an investigative reporter at The 74.
“They are downloading data, locking the district out of systems and threatening to release that data on the dark web if [Minneapolis school officials] don't pay what appears to be a million dollar ransom.”
Minnesota’s third-largest district had also warned families, students and staff that private information hacked from its computer system had been posted online. A statement from a district spokesperson did not offer details about what kind of information was posted or where it was posted to.
Public schools often have sensitive data on families and students, including financial information, health and discipline records and other identifying material.
The data in question, according to Brett Callow, a threat analyst for the cybersecurity firm Emsisoft, can be used by ransomware attackers for illegal means.
“If their data has been compromised, there is a real risk it could be misused for the purposes of identity fraud, for extortion attempts against those individuals, or the ransomware gang could try to weaponize those individuals,” Callow said.
“In other cases, people have been contacted by email or phone in some cases and the attackers have said, ‘We have all your personal information. We suggest you contact the organization and tell them that they need to pay us.’”
The Minneapolis district said it has reported the incident to law enforcement and is working with IT specialists to review the data in order to contact impacted individuals.
It’s also warning families not to respond to suspicious emails or phone calls and to report any threats or suspicious messages to the district by emailing: firstname.lastname@example.org
A district spokesperson says its communications to families about the breach are transmitted in English, Spanish, Somali and Hmong.
District officials are advising students, staff and families to change all passwords for any online personal accounts that may have been accessed on MPS devices. They’re suggesting families reach out to credit reporting bureaus such as Equifax, Experian and TransUnion to freeze their minors’ credit accounts to prevent identity theft.
“The best recourse that parents and educators and students really have is to look at bolstering your own security,” Keierleber said. “Don’t reuse the same passwords, implement a password manager, two-factor authentication.”
Attacks like this one have become more common in recent years. Callow said close to 100 similar events have happened in school districts around the country every year since 2019.
But it can be difficult for districts to deal with the threats.
“Cybersecurity spending isn't always a top priority for districts. They want to spend money on educating kids,” Callow said. “The ideal solution to my mind would be for the federal government to roll out a centrally managed solution that all schools could use because all schools need to do basically the same things.”
(This story has been updated to include a district spokesperson’s response to an MPR News question about which languages the district uses to communicate messages with families.)