
Minneapolis Public Schools (MPS) has entered its third week of what it describes as an “encryption event,” where a ransomware group called Medusa managed to install an encryption virus on the district’s servers.
The virus, which locked MPS students and employees out of several systems for multiple weeks, was first noticed on Feb. 18. MPS reported that most systems were back online by Feb. 28, but some teachers within the district said they were still unable to access their grade books or print documents from their computers at that time.
MPS announced on March 7 that some of the district’s data had been accessed during the encryption. Medusa is threatening to release the seized data to the public on March 17 if its ransom demand of $1 million is not met.
“MPS data that was shared and potentially accessed is currently undergoing an in-depth and comprehensive review,” the district stated in a March 9 update to its website. “This will take some time and individuals will be contacted directly by MPS if this review indicates personal information has been impacted.”
MPS has pledged to provide free credit monitoring and identity-theft protection services for anyone whose personal information was accessed. MPS recommends changing passwords on any accounts that have been used on an MPS device or network.
Local professional hacker and cybersecurity specialist Ian Coldwater, who is hired by companies to break into their systems to help find and close vulnerabilities, says schools and hospitals are common targets of data breaches.
“This is not unique to MPS, and I wouldn’t even say it’s the fault of MPS, but what’s important for organizations to know is how to respond to those things,” Coldwater said. In fact, school systems have become prime targets for hackers, who have breached the Los Angeles and Chicago school systems, among many others.
“Ideally in this situation, the district would be notifying people who are affected immediately telling them that they were affected, what kind of data was exposed,” said the cybersecurity expert. “Because the district isn’t doing that right now, it’s up to all of us to take these measures to protect ourselves and to let other people know this is going on and what kind of measures they can take.”
Coldwater says encryption events often start with someone in an organization clicking a phishing link from an email or text message. Phishing messages often spoof legitimate communications, such as telling victims their password needs to be changed, to get the recipient to click a malicious link.
Coldwater agreed with MPS that all users should change passwords for any account that has been recently used within the MPS network or any account that shared a password with an account recently used on the network. Coldwater also recommends using a password manager to create strong, unique passwords for every account, and activating two-factor authentication, which would require a user to approve all logins through an email, text message, or authenticator application.
Coldwater says that since data from the breach goes back as far as 1995, anyone who was a student or employee of MPS at any point in the past decade should assume their data may have been affected.
“Keep an eye on your accounts, like your financial accounts and statements, for anything weird,” Coldwater said. “If you get any fraudulent charges, if you have people trying to sign into your account as you, trying to change your password, if you see anything weird, make sure to act on that right away.”
Coldwater recommends reporting any suspicious activity on financial reports to the institution that issued the report, and for individuals to freeze credit if anything looks amiss on a credit report.
Some in the community have expressed frustration with the hack.
“Why is such old data even being stored? It’s ridiculous. This could impact me 20 years after I left MPS,” said former MPS student Taylor Dahlin, who last attended school in the district in 2003 before transferring to Arts High School in Eden Prairie.
Coldwater says the best cybersecurity practice a district can have is to design its systems assuming they will be breached. One example of this would be to use student ID numbers rather than names on sensitive files, so that a hacker would have to secure both the files and a list of student IDs to get any identifying information.
“Know that this kind of thing happens. You could talk to your local school district and ask, ‘What kind of measures are you taking? You should be aware of this happening,’” Coldwater said. “And maybe encourage them to bolster their security system and hope they take you up on it.”
Coldwater recommends talking to family and friends who may be affected to make sure they are aware of the hack, especially if they do not keep up with news through social media. Coldwater created a Twitter thread with detailed recommendations for those affected by the hack, which can be found on their profile, @IanColdwater.