The St. Paul Public Schools (SPPS) district has announced that it had a data leak earlier this year in which over 43,000 student names and email addresses were accessed by an unauthorized party.
The announcement was made the same week that Minneapolis Public Schools (MPS) sent letters to inform 105,000 students, staff, and community members that their data was stolen in a ransomware attack earlier this year. It comes only weeks after the University of Minnesota (U of M) announced a potentially large-scale data breach.
Saint Paul Public Schools said the district first spotted suspicious activity on its network in February but was only able to confirm the full scope of the malicious access in July. SPPS clarified that the cyberattack against its system did not involve ransomware, and that the district does not have evidence that any data obtained from the hack has been misused by the attackers.
Meanwhile, the U of M is working to verify a hacker’s claim to have stolen as many as seven million Social Security numbers from the university’s databases, going as far back as 1989. The university does not believe the threat to be ongoing, but data may have already been irrevocably obtained by the hacker.
“In late July, the University of Minnesota became aware that an unauthorized party claimed to possess sensitive data allegedly taken from the University’s systems,” a U of M spokesperson said in an email. “As soon as the claim was discovered, the University initiated an investigation and promptly retained outside global forensics professionals to help determine the validity of the party’s claims, and to ensure the security of the University’s systems.
“Alongside experts, the University has taken steps since 2021 to bolster its overall system security through actions such as enhancing multi-factor authentication capabilities and increasing the frequency of monitoring activities,” the U of M spokesperson said.
Minneapolis-based cybersecurity expert and professional hacker Ian Coldwater was skeptical of the U of M’s response and said they would need further details from the university to know if the university’s cybersecurity had actually improved.
“There’s vagueness in there,” Coldwater said. “What kind of monitoring? What does more frequent mean? Without more context it’s hard to comment on that.”
So far this year, there has been an unusually high number of data leaks and ransomware attacks aimed at data systems of Minnesota schools. Rochester’s school district had a data breach shortly after the MPS leak in spring of this year, and 95,000 foster children’s information was leaked in a cyberattack on the Minnesota Department of Education in late May. Coldwater said that Minnesota “has not had another year like this” in terms of the number of hacks of government systems.
Coldwater said educational institutions, along with hospitals and other public sector organizations, are popular targets for data breaches and ransomware attacks because they are often easier targets, lacking the cybersecurity funding that other targets, such as large corporations, may have. Coldwater said schools and hospitals also have a lot of sensitive information that hackers may want, such as large numbers of client Social Security numbers, addresses, and other personal information.
In the MPS data leak earlier this year, the district was threatened with the public release of all stolen data if MPS did not pay a $1 million ransom, which the district did not pay. Coldwater said this situation is not necessarily a loss for the hackers, as they can show future victims the fallout caused by stolen data being released to the public, making future victims more likely to pay.
“If they can’t get any given group or organization to pay, they have that [cyberattack] as propaganda for future victims,” Coldwater said. “They’ll be like, ‘Look, we did it to these guys. That’s probably really scary. You probably don’t want that to happen to you. You’d better pay us, then.’”
Coldwater said an organization’s response to a data leak can be even more important than mitigations taken to prevent it. Organizations can take steps to become more resilient to hacks, such as adopting data retention policies under which older sensitive data is deleted or archived after a certain period of time, and segmenting data. They can make more sensitive data more secure by putting it on separate parts of the network, encrypting it, or both.
“It’s really important to have data retention policies that do not necessarily involve keeping all data forever,” Coldwater said, noting that potentially affected data in the U of M leak dated as far back as the Reagan administration. “You want to have your data deletion policies as well as your data retention policies.”
For those whose data may have been affected by a data leak, Coldwater recommended changing all affected passwords and, if a leaked password is reused on other websites, changing it on those websites as well. Coldwater also recommended enabling two-factor authentication (2FA), a security measure where a user will need to approve sign-ins from their email or phone.
Those who suspect their Social Security number may have been compromised should closely monitor their credit and freeze it if they spot suspicious activity. Resources for those whose identities are stolen are available at www.identitytheft.gov.
Lastly, Coldwater recommended talking to potentially affected neighbors and family to make sure they are aware of the risks of the data leaks, especially elderly community members, who may not be as familiar with the internet or as computer savvy.