Minneapolis Public Schools (MPS) announced that the review it has been conducting of the data stolen from its servers in a cyber-attack this past spring will conclude “very soon.”
The data was stolen in March by a ransomware group called Medusa, which demanded a $1 million ransom not to release the information. Similar cyber-attacks have occurred in school districts across the country, and like other districts, MPS did not pay. As a result, the group posted the stolen data online.
The MPS data breach was particularly damaging, revealing troves of personal information that compromised the privacy of its students and staff. The Associated Press reviewed the stolen files and reported that they contained everything from medical records, discrimination complaints, Social Security numbers and contact information for district employees, to student sexual assaults, psychiatric hospitalizations, abusive parents, truancy, and even suicide attempts.
Local cybersecurity expert and professional hacker Ian Coldwater says that it is a matter of debate within the cybersecurity field as to whether ransoms should ever be paid. Sometimes stolen data can be so damaging that it is worth it for affected organizations to pay. However, Coldwater says that paying helps fund future ransomware operations and that there is no guarantee the data will not be released anyway.
MPS says it has implemented “additional security measures,” but declined to elaborate on those measures due to the risk of that information “falling into the wrong hands.” An MPS spokesperson clarified that the district had so far provided free credit-monitoring services for 350 people whose data it confirmed was compromised.
Coldwater estimates that the number of people whose data was leaked greatly exceeds 350 and that many thousands of people were affected. MPS said it had not decided which additional individuals would receive free credit monitoring.
Coldwater says organizations can reduce their risks from hackers by not retaining data for longer than is needed and by implementing data segmentation policies under which more sensitive data is protected by stronger cybersecurity measures. Coldwater compared digital data segmentation to filing cabinet systems.
While non-sensitive data may have been kept in any cabinet, Coldwater says that sensitive data would likely have been kept in a locked cabinet behind a locked door and that the same concepts would apply when storing digital data. As far as Coldwater can tell, MPS did not practice digital data segmentation at all.
“In this situation, this was the equivalent of not only having students’ records in an unlocked file cabinet but basically chucking all the records into a bankers storage-box and leaving it open in the middle of the hallway,” Coldwater said.
“There wasn’t any delineation, as far as I can tell, between the data that was especially sensitive about things like sexual harassment, retaliation, complaints, financial information or healthcare information, and anything else. It’s all just out there on the server for anybody to find.”
In the meantime, Coldwater recommends that anyone who has attended, been employed by, or in any way done business with MPS should assume their data was part of the leak. Those who believe they could be affected should also “stay vigilant,” monitor their credit, and change the passwords of any accounts that could have been compromised in the leak, says Coldwater.
MPS says no lawsuits have been brought against the district over the data leak so far. However, Coldwater says lawsuits are not often brought against ransomware groups due to the anonymous nature of their activities. They are often located in countries that would not cooperate with a United States-based lawsuit.