Disturbing Details: Admins Failed Their Students After Ransomware Attack Leaked HUNDREDS Of Thousands Of VERY Personal Student Records Online

Written By BlabberBuzz | Thursday, 06 July 2023 10:25 AM

Confidential documents stolen from schools and leaked online by ransomware gangs contain disturbing and personal information about students.

These documents reveal cases of sexual assault, psychiatric hospitalizations, abusive parents, truancy, and even suicide attempts.

The Minneapolis Public Schools, with over 36,000 students, refused to pay a $1 million ransom, resulting in the release of more than 300,000 files online in March.

These files included not only sexual assault case files but also medical records, discrimination complaints, Social Security numbers, and contact information of district employees.

The digitization of data in schools has made them prime targets for criminal hackers who are actively seeking and acquiring sensitive files that were once stored in locked cabinets.

Cybersecurity expert Ian Coldwater, whose son attends a Minneapolis high school, describes the situation by saying, "In this case, everybody has a key."

However, school districts, often facing financial constraints, are ill-equipped to defend themselves against these attacks or respond effectively when they occur.

This is especially true as schools are already dealing with the challenges of helping students recover from the pandemic and managing shrinking budgets.

Months after the ransomware attack on Minneapolis Public Schools, administrators have failed to fulfill their promise of informing individual victims about the breach. Unlike hospitals, schools are not legally required to notify individuals in the event of a data breach.

The Associated Press reached out to the families of six students whose sexual assault case files were exposed and discovered that they had not been informed about the breach until the reporter contacted them.

One mother, whose son's case file contained 80 documents, expressed her frustration, saying, "Truth is, they didn't notify us about anything."

Even when schools detect a ransomware attack in progress, it is often too late to prevent the theft of data. The Los Angeles Unified School District experienced this firsthand when they discovered an attack over Labor Day weekend.

Despite their efforts, the private records of over 1,900 former students, including psychological evaluations and medical records, were leaked online. The district did not disclose the full extent of the breach until February, citing the complexity of notifying victims whose files dated back several decades.

The consequences of school ransomware attacks extend far beyond school closures, recovery costs, and increased cyberinsurance premiums. The real impact lies in the emotional trauma experienced by staff, students, and parents due to the exposure of private records online.

The AP found these records on both the open internet and the dark web. Analyst Brett Callow of the cybersecurity firm Emsisoft explains, "A massive amount of information is being posted online, and nobody is looking to see just how bad it all is. Or, if somebody is looking, they're not making the results public."

Several other large school districts, including San Diego, Des Moines, and Tucson, have also fallen victim to data theft. These districts have faced criticism for their slow response in acknowledging the attacks and notifying victims.

While other sectors have taken steps to fortify their networks and implement security measures such as data encryption and multi-factor authentication, school systems have been slower to react.

As a result, ransomware attacks have likely affected over 5 million students in the United States, with the number of attacks expected to rise this year.

According to a survey by the Center for Internet Security, nearly one in three school districts in the US had experienced a breach by the end of 2021. However, despite the growing need for increased security, funding remains a challenge.

Allan Liska, an analyst at the cybersecurity firm Recorded Future, explains, "Everyone wants schools to be more secure, but very few want to see their taxes raised to do it." Parents and educators often prioritize spending on other areas, such as hiring bilingual teachers or purchasing new sports equipment, rather than investing in cybersecurity measures.

In recent years, ransomware attacks have become more sophisticated, with criminals now routinely stealing data during these attacks. TJ Sayers, cyberthreat intelligence manager at the Center for Internet Security, notes that this stolen data is often sold on the dark web.

The criminals behind the Minneapolis theft were particularly aggressive, sharing links to the stolen data on various platforms, including Facebook, Twitter, Telegram, and the dark web. In contrast, the cybercrime syndicate responsible for the Los Angeles Unified attack was less brazen but still made the stolen data freely available for download on their dark web "leak site."

The public disclosure of psychological records and sexual assault case files, complete with students' names, can have severe consequences for individuals. Psychologists warn that it can cause emotional distress and hinder future career prospects. The mother of a 16-year-old with autism received a letter from the San Diego Unified School District informing her that her daughter's medical records may have been leaked online.

She expressed concern about the potential impact on her daughter's privacy, asking, "What if she doesn't want the world to know that she has autism?"

The families of the Minneapolis students whose sexual assault complaints were leaked online feel doubly victimized. Their children have already endured the trauma of sexual assault and its aftermath, including post-traumatic stress disorder (PTSD).

Now, their private information is available on the internet for anyone to discover. Jeff Storms, an attorney representing one of the families, expresses their horror, saying, "The family is beyond horrified to learn that this highly sensitive information is now available in perpetuity on the internet for the child's future friends, romantic interests, employers, and others to discover."

Teachers, too, are frustrated by the lack of transparency and support from school districts. After their Social Security numbers were leaked, they were promised free credit monitoring and identity theft protection. However, many teachers have had to rely on news reports for information about the breach and have not received the promised assistance.

Greta Callahan of the Minneapolis Federation of Teachers explains, "Everything they've learned about this is from the news."

Minneapolis Schools spokeswoman Crystina Lugo-Beach has refused to provide information about the attack or answer questions from the AP. School nurse Angie McCracken, on the other hand, has already received alerts about her Social Security number and birth date circulating on the dark web. She worries about the potential consequences for her graduating 18-year-old and asks, "If their identity is stolen, just how hard is that going to make my kid's life?"

Despite the frustrations expressed by parents and teachers, school districts are often advised by incident response teams to be cautious about transparency due to legal liability concerns and ransom negotiations.

Minneapolis school officials initially described the attack cryptically as a "system incident" and later as "technical difficulties" and an "encryption event." It was only when a ransomware group posted a video of the stolen data that the full extent of the breach became clear. The district chose not to pay the ransom, following the advice of the FBI, which discourages paying ransoms as it encourages further attacks.

During the COVID-19 pandemic, schools prioritized spending on internet connectivity and remote learning, often at the expense of cybersecurity. Researchers from the University of Chicago and New York University found that IT departments invested in software to track student engagement and performance, compromising privacy and safety.

A survey by the Consortium for School Networking revealed that only 16% of districts had full-time network security staff, with nearly half allocating 2% or less of their IT budgets to security.

The shortage of cybersecurity talent in the private sector also affects school districts. Even when districts manage to hire cybersecurity professionals, they often lose them to businesses that can offer higher salaries. Keith Krueger, CEO of the Consortium for School Networking, explains the challenge, saying, "Districts who do hire someone often see them snatched away by businesses that can double their salaries."

Funding for cybersecurity in public schools is limited, and districts can only expect a fraction of the $1 billion in cybersecurity grants distributed by the federal government over four years. Minnesota received $18 million of this funding in 2022, which had to be divided among 3,600 different entities, including cities and tribal governments.

State lawmakers also provided an additional $22.5 million in grants for cyber and physical security in schools. However, schools are also seeking to tap into the federal E-Rate program, which aims to improve broadband connections in schools and libraries.

Over 1,100 individuals wrote to the Federal Communications Commission following the Los Angeles Unified breach, requesting that E-Rate funds be allocated for cybersecurity. The FCC is currently considering this request.

For one mother of a Minneapolis student whose confidential sexual assault complaint was released online, it is already too late. She feels violated all over again, knowing that private information she had kept hidden is now freely available. She laments, "All the stuff we kept private, it's out there. And it's been out there for a very long time."
