A hacker published documents containing Social Security numbers, student grades and other private information stolen from a large public-school district in Las Vegas after officials refused a ransom demanded in return for unlocking district computer servers.
The illegal release late last week of sensitive information from the Clark County School District in Las Vegas, with about 320,000 students, demonstrates an escalation in tactics for hackers who have taken advantage of schools heavily reliant on online learning and technology to run operations during the coronavirus pandemic. The release of the district’s information is being reported for the first time by The Wall Street Journal.
Hackers have attacked school districts and other institutions with sensitive information even before the pandemic, typically blocking users’ access to their own computer systems unless a ransom is paid. In those instances, the so-called ransomware crippled the district’s operations but hackers didn’t usually expose damaging information about students or employees.
“A big difference between this school year and last school year is they didn’t steal data, and this year they do,” said Brett Callow, a threat analyst for cybersecurity company Emsisoft, who said he was able to easily access the Clark County data on a hacker website. “If there’s no payment, they publish that stolen data online, and that has happened to multiple districts.”
Some districts have paid ransoms, with the Journal finding examples ranging from $25,000 to over $200,000, deciding that rebuilding servers is more costly and could delay learning for weeks. Consultants often advise districts that hackers generally have a good record of releasing control of the servers upon payment to entice others to pay in the future.
Administrators at Clark County, the largest school district known to be hit with ransomware since the pandemic began, didn’t comment on the data release but referred the Journal to a notice the district posted on Sept. 9.
The notice says that on Aug. 27, three days after school began online, certain files couldn’t be opened due to a virus later identified as ransomware. Some private information may have been accessed, the notice says, and it advises individuals to review account statements and monitor credit reports for suspicious activity. In a Facebook post on Aug. 27 confirming there had been a data security incident, district officials noted no problems with online learning platforms.
The notice said that the district “notified law enforcement and began an investigation, which included working with third-party forensic investigators, to determine the full nature and scope of the incident and to secure the CCSD network.” The district said it was working to restore all systems to secure, full functionality.
Some parents demanded more information in response to the Aug. 27 Facebook post. “Our children’s security/safety should be #1 priority!!! Give us some peace of mind,” one wrote.
The Federal Bureau of Investigation doesn’t support paying a ransom, but says it understands that organizations faced with an inability to function will evaluate all options to protect employees and customers. The agency says paying a ransom emboldens hackers to target other organizations.
On Sept. 14, the hacker sent Clark County a warning by releasing on its website a file of stolen district information that looked to be nonsensitive, said Mr. Callow, who could see what the hacker had posted. However, late last week, Mr. Callow said, the hacker loaded files of a more sensitive nature, including employee Social Security numbers, addresses and retirement paperwork. For students, information released includes a data file with names, grades, birth dates, addresses and the school attended.
Mr. Callow said he didn’t need a password to access the information. He said that he found links to the stolen information on an area of the hacker’s site for “new clients,” as it calls the organizations it holds hostage. He added that the hacker indicated all the stolen Clark County data has been posted.
Clark County didn’t respond to questions about the amount of ransom sought by the hacker. It couldn’t be determined whether the district has regained access to its systems.
Rebecca Garcia, Nevada Parent-Teacher Association president who has three children in Clark County schools, said Monday after the Journal reported the data breach that some of her members are concerned they have yet to hear from the school district on the release of information.
“At this point moving forward, we need transparency, and we need to know what’s going to be done to address it, from a data security standpoint,” she said. “And as parents, what we need to be aware of in monitoring and tracking our students’ identities moving forward.”
School districts don’t always disclose ransomware attacks or payments, usually done in bitcoin or other cryptocurrencies, and the disclosure requirements vary by state. Some administrators say they just want to move on after being thrust into an unfamiliar world of shadowy criminals, cryptic notes in broken English and the dark web.
Ransom amounts are often negotiated. In Texas, the 10,000-student Sheldon Independent School District in Houston paid $206,931 in bitcoin from its reserve fund after being hacked in March, from an initial ransom amount of about $350,000, district officials said. The district said the attack rendered it inoperable and even threatened an upcoming paycheck distribution. Cyber insurance coverage paid for other costs related to the attack, such as a forensic review of the servers, according to the district.
“Oftentimes people wonder why we paid it,” said Sheldon Superintendent King R. Davis. “It was very important to us to keep moving forward.”
Coveware, a ransom negotiating firm, reported an increase in average ransom payments for all industries, up 60% to $178,254, in its second quarter ending in June. The firm says hackers had about a 99% rate of delivering a decryption tool to the hostage companies or organizations once the ransom was paid.
Write to Tawnell D. Hobbs at Tawnell.Hobbs@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.