k-12 school districts fall prey to Pysa ransomware

—– A DataBreaches.net report by Dissent and Chum1ng0 —–

In Part 1 of this series, DataBreaches.net described a number of attacks by Pysa (mespinoza) threat actors on medical entities in the U.S. In Part 2, we look at eight k-12 public school districts in the U.S. that either appear on the threat actors’ dedicated leak site or were known to have been attacked by them. Some of the districts discussed in this post became victims before the FBI published an alert in March about Pysa hitting the education sector, but some became victims after the alert was published.

As a preface, we note that Pysa are not the only ransomware threat actors attacking the k-12 sector, which has a reputation of being “low-hanging fruit” for hacks. We have also seen many other groups attacking k-12 districts. A partial listing of ransomware attacks on k-12 is embedded below this discussion of Pysa victims.

Affton School District (Missouri)

Affton School District was added to Pysa’s leak site with a date stamp of February 25, 2021. Pysa mocked the district, which had publicly acknowledged the breach that day, because in a notice on the district’s site, they wrote:

We do not believe any sensitive information has been accessed and no personal data, financial information, or grades have been found to be compromised. As a routine layer of protection, this information is stored on offsite servers. — Dr. Travis Bracht

The Affton data dump was in two parts. One part contained 1099 tax statements, but the 1099s seemed to be for a softball association as the payor. There were .doc files, however, for district personnel that contained SSN, including new hires dated from 2010–2020 with employees’ name, address, date of birth, position, starting salary, and SSN. Another file from 2018 included some of the same information but also included phone number and work email addresses.

DataBreaches.net was unable to find any updates to the district’s February statement online, but on April 1, the district filed a notification with the Maine Attorney General’s Office (because a Maine resident had been impacted by the breach). As reported previously on this site, the district reported that a total of 1,183 people were impacted by the breach. Since its earliest statement, we had not seen any statement from the district either denying or confirming whether any student or parent information was impacted, so DataBreaches.net sent an email inquiry. In response, Erica Chandler, the district’s Director of Communications, said that the district had notified employees but had not notified students or parents “because student information was not compromised.”

Gering Public Schools (Nebraska)

Gering Public Schools was added to Pysa’s web site with a date stamp of February 24, 2021. The district subsequently reported a breach to the Montana Attorney General’s Office on March 24, 2021. The metadata with the report (see image below) indicated that the attack occurred a year earlier (March 25, 2020). There was no explanation for a one-year delay in notification, and in its notification, the district claimed that it “recently learned” of a data security incident. Is it possible the district only learned after February 24, 2021, if that is when they were added to Pysa’s leak site? Had their data been encrypted without their knowing they were the victims of a ransomware incident? Perhaps. The notification letter does not tell the recipients when the incident actually occurred. GPS’s notification says that the threat actor “accessed computer systems that contain some personnel information, which may have included your Social Security number, financial account information, health insurance information, or medical information.” DataBreaches.net could find no notice on the district’s web site.

The notification makes no mention of student data, but inspection of the data dump revealed lists of students with 504 accommodation plans as well as four years of master lists of IEP students with name, address, date of birth, parent information, type of educational disability, whether a behavior plan was also being developed for the student, and post-school outcomes. The 504 data and IEP data contain education records that are protected under FERPA. While FERPA does not have a blanket requirement that students or their parents must be notified of data breaches, we would hope that the district did make notifications. GPS did not respond to email inquiries sent this past week about that.

Zionsville Community Schools (Indiana)

Zionsville Community Schools was added to Pysa’s leak site with a date of May 2, 2021. Despite being added to Pysa’s site, however, Pysa’s data dump is not from Zionsville and appears to be from another one of Pysa’s victims. Pysa did not respond to an inquiry sent to them about the claimed attack. Nor did the district respond to a contact form inquiry of August 2 or an email of August 7. We can find no notice on their web site, no media coverage, and no report to their state attorney general’s office. At this point, then, we consider this claimed attack unconfirmed.

Palos Community Consolidated School District 118 (Illinois)

Palos Community Consolidated School District 118 was added to Pysa’s leak site on December 9, 2020. Most of the data in the data dump appeared to relate to personnel. There were dozens of scanned tax forms for federal and state returns that contained employee information such as SSN. We also noted a spreadsheet with names, addresses, birthdays, cell phone numbers, and home phone numbers of employees. Other files contained more sensitive personnel information such as complaints about harassment. There were also files with student information for the past few years. Some of the information in these files would be education records that should be protected under FERPA. There was no indication of any student databases being dumped, however.

In response to inquiries from this site, Yvonne Leschkies, the district’s FOIA Officer, provided the following statement:

On December 3, the school district was the victim of a cyber-attack, the second such attack this year. As with the previous attack, with the help of our cyber-insurance team,