A hacker posted documents containing social security numbers, student grades and other private information stolen from a large public school district in Las Vegas after officials refused to pay a ransom demanded in exchange for unlocking the district’s computer servers.
The illegal release late last week of sensitive information from the Clark County School District in Las Vegas, which has around 320,000 students, demonstrates an escalation of tactics by hackers who have taken advantage of schools heavily dependent on online learning and technology to operate during the coronavirus pandemic. The release of the district information was first reported by the Wall Street Journal.
Hackers attacked school districts and other institutions with sensitive information even before the pandemic, typically blocking users
“A big difference between this school year and last school year is that they didn’t steal data, and this year they do,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft, who claimed he was able to easily access Clark County data on a hacker website. “If no payment is made, they post the stolen data online, and this happened to multiple districts.”
Some districts paid the ransom, with the Journal finding examples ranging from $25,000 to over $200,000, after deciding that rebuilding servers is more expensive and could delay learning for weeks. Consultants often warn districts that hackers generally have a good track record of releasing server control for a fee, to entice others to pay in the future.
Administrators of Clark County, the largest school district known to have been hit with ransomware since the start of the pandemic, on Monday provided a statement to the Journal, saying they will individually inform those affected as the district’s investigation continues. The district “values openness and transparency and will keep parents, employees and the public informed as new verified information becomes available,” the statement read.
The district had previously pointed the newspaper to a notice that the district had published on 9 September.
The notice says that on August 27, three days after online school started, some files could not be opened due to a virus later identified as ransomware. Some private information may have been read, the notice states, and it advises people to review bank statements and monitor credit reports for suspicious activity. District officials said they did not notice any problems with online learning platforms on Aug. 27, in a Facebook post confirming that there had been a data security incident.
The notice states that the district “notified law enforcement and initiated an investigation, which included working with third-party forensic investigators, to determine the full nature and extent of the incident and to protect the CCSD network.” The district said it was working to restore all systems to ensure full functionality.
Some parents asked for more information in response to the August 27 Facebook post. “The safety of our children should be the #1 priority!!! Give us some peace of mind,” wrote one.
The Federal Bureau of Investigation does not support paying a ransom, but says it understands that organizations facing an inability to function will consider all options to protect employees and customers. The agency says paying a ransom encourages hackers to target other organizations.
On September 14, the hacker sent a warning to Clark County by releasing on its website a file of stolen district information that appeared to be non-sensitive, said Mr. Callow, who could see what the hacker had posted. However, late last week, Mr. Callow said, the hacker uploaded files of a more sensitive nature, including employee social security numbers, addresses, and retirement files. For students, the information released includes a data file with names, grades, dates of birth, addresses and the school attended.
Mr. Callow said he didn’t need a password to access the information. He said he found links to stolen information on an area of the hacker’s site for “new customers,” as the organizations he holds hostage are called. He added that the hacker indicated that all of the stolen Clark County data was released.
Clark County did not answer questions about the amount of the ransom demanded by the hacker. It was not possible to determine whether the district has regained access to its systems.
Rebecca Garcia, president of the Nevada Parents-Teachers Association, who has three children in Clark County schools, said Monday after the Journal reported the data breach that some of its members are concerned they haven’t heard from the school district yet on the release of information.
“At this point, moving forward, we need transparency and we need to know what will be done to address it, from a data security perspective,” she said. “And as parents, what we need to be aware of as we monitor and track down our students’ identities as we move forward.”
School districts don’t always disclose ransomware attacks or payments, usually made in bitcoin or other cryptocurrencies, and disclosure requirements vary by state. Some admins say they just want to move on after being pushed into an unfamiliar world of dark criminals, cryptic notes in broken English, and the dark web.
The ransom amounts are often negotiated. In Texas, Houston’s 10,000-student Sheldon Independent School District paid $206,931 in bitcoin from its reserve fund after it was hacked in March, down from an initial ransom amount of about $350,000, district officials said. The district said the attack rendered it inoperable and even threatened an imminent salary distribution. According to the district, cyber insurance coverage paid for other costs related to the attack, such as a forensic review of the servers.
“People often wonder why we paid for it,” said Sheldon Superintendent King R. Davis. “It was very important for us to keep moving forward.”
Coveware, a ransom trading company, reported an increase in average ransom payments for all sectors, up 60% to $178,254, in the second quarter that ended in June. The company claims that the hackers had a roughly 99% rate of providing a decryption tool to hostage companies or organizations once the ransom was paid.
Write to Tawnell D. Hobbs at Tawnell.Hobbs@wsj.com
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.