When Minneapolis Public Schools canceled parent-teacher conferences last month, officials offered a single, opaque explanation: technical difficulties. Now we know MPS is suffering from a full-blown cyberattack, according to an update sent out Tuesday night to staff, parents, and students. “We want you to know that the threat actor who has claimed responsibility for MPS’s recent encryption event has apparently posted online some of the data they accessed from MPS,” the email warns.
A 51-minute Vimeo video had since emerged, showing a “threat actor” opening up all kinds of files, reports, and spreadsheets, including student disciplinary info, résumés from job applicants, and lists of children’s names and home addresses. The hackers, who go by Medusa, reportedly want a cool million-dollar ransom by March 17 to resolve the breach. MPS says it has contacted law enforcement, asked Vimeo to remove the content off its site, and is “working with IT specialists."
Where do things stand now? Unclear! Racket asked MPS for an update, but didn't hear back. (Update: We were directed to this new district memo late Thursday.) Ian Coldwater, on the other hand, has been on the information offensive, delivering invaluable Twitter threads that help contextualize the apparent ransomware attack and prepare those potentially affected by it. We reached the the cybersecurity expert/hacker/concerned MPS parent by phone Thursday a.m. for even more perspective.
So, you work in the cybersecurity field and you’re an MPS parent. You’re uniquely situated to comment on what’s going on.
I work in cybersecurity; I’m actually a professional hacker. I get paid to hack into organizations' and companies’ systems, and then tell them how I got in and how they can fix those problems, so that an actual bad actor who isn’t being hired with permission can’t get in next time. And I’m an MPS parent, I have a kid in high school in Minneapolis Public Schools.
Let’s take a linear approach, and start with when there were the first murmurs or signs that something was absolutely not right.
The first thing I heard about this was that parent-teacher conferences were supposed to be on February 21, and we got a late-night email the night before saying that they had to be rescheduled because of what, at the time, they were referring to as an IT failure. I had some educator friends who immediately started referring to it as a hack. They said systems weren’t working, they were having trouble getting into the buildings, accessing grade books...
Because I’m familiar with this stuff, it sounded immediately like it was a ransomware attack. That was the week before the big snowstorms, so the kids weren’t in school that week. The teachers, though, were saying that they couldn't do e-learning that week, since they couldn’t get into their systems. Which was, ya know, a little odd, but MPS wasn’t saying anything about it. They then put out a communication saying it was an “encryption event”—
Wait, what does that even mean?
Absolutely nothing! That phrase was widely mocked among people who work in cybersecurity. What they meant by that was ransomware. For some reason they’re not saying the word “ransomware.”
That seems so screamingly PR-conscious, to the point where you’re not actually telling people what’s going on.
Right. Communications from the district have been kinda weird in general. Their wording is very technical in some ways, kinda too technical for laypeople to understand. But also, if you do understand it, then the things they aren’t saying are raising even more questions. It’s like: What is happening here? Once they admitted it was an encryption event, they were like, “It’s fine, we’ve got it handled.” But again, this was what they were communicating to parents. But what I was hearing from teachers and my kid was that people were still having trouble getting into these systems. Basically, the tone of the communications from the district is, “It’s fine, we’ve got it handled, don’t worry about it, all is good, nothing to see here!”
The less they said, the more questions I had. Like, what are you trying to hide? Because ransomware happens. Data breaches happen. The important thing is the way you deal with it. And I don’t think the district has been dealing with it well.
To pump the brakes real quick: When we say “ransomware,” does that usually originate from, like, a phishing email? How did the system become infected, most likely?
I don’t personally know how it happened in this case, but in general, a lot of the time it starts with a phishing email. Because, frankly, it’s easy. Humans are inclined to want to be helpful, they’re busy, they get distracted. That makes us vulnerable to phishing, and hackers know how to take advantage of that.
People who use ransomware will encrypt data you have in your system. Then they’ll say, “OK, we have the encryption keys for this, if you want to get back into your system, you have to pay us this amount of money by this date.” It used to be that you’d either have ransomware or a data breach. In the last couple years, it’s become in vogue for some ransomware gangs to do both, kinda like double-dipping—demanding ransom to get back into encrypted systems and also demanding ransom not to publicly release the data they got. It’s two different ways for them to make money, which is generally what motivates these groups. Schools and hospitals have been increasingly targeted for ransomware groups because they have lots of sensitive data and, frankly, because they might have more lax security practices than large corporations. They’re easy targets.
The scope of this breach is so vast, going all the way back to '95. Can you give an idea of what sort of information has been compromised?
This ransomware group put out, on their website on the dark web, that they have data for Minneapolis Public Schools, with a ticking clock and a million dollar price tag. To prove that they have the data, they put out some example data with screenshots and a video and a list of file names. All of the data hasn’t been released, but they’re threatening to go public if the ransom they’re demanding isn’t paid by March 17. At this point, we can get an idea of what data they’re sitting on by looking at the example data and the file names they’ve made public.
How freaked out should people who’ve been in the system be?
Well, to be honest, there’s a lot of data in there, and some of it is quite sensitive. There’s data from payroll/HR, benefit information, student records, disciplinary records, health records. There’s really sensitive stuff in there like harassment complaints, name and gender change petitions. One of the pieces of example data that got posted was a handwritten note about a sexual assault complaint that had student names in it. It’s pretty bad. I say that in my full professional opinion. It also includes student home addresses, IDs with pictures, parent contact info… anything you’ve given to the school district may or may not be in there. We don’t know exactly what’s in there right now. We only have access to the example data and the names of the files they’ve posted, but those pieces themselves are pretty damning. This data breach is clearly nasty even if you’re only looking at those file names.
You’ve alluded to how the district response has been lacking in terms of messaging. Any idea how they’re doing from a technical, back-end IT sense?
I don’t know that, to be honest. They said in the vague communication that they’ve given to parents that they’re working closely with internal and third-party IT specialists to address it. People are back in the systems now; I’ve heard people in MPS IT were working around the clock to make that happen. Anybody in MPS IT who’s reading this: Much love to you, I hope you’re getting some sleep.
But the communication about the extent of this data breach—or frankly that it’s a breach at all—has not come from the district. They’ve not told anybody who’s affected that they’re affected. They haven’t admitted there’s been a breach. They’re not saying anything to anybody—staff, parents, students. I think they’re probably worried about liability, but there are commonly accepted best practices for how you respond to these things, and those include communicating about what happened and notifying people about whether or not they were affected and what data was exposed. At this point, we have no idea. We can maybe get a bit of an idea of some people who were affected, because you can see their names in screengrabs of the files that were shared.
As bad as the potential data breach might be, it almost feels like the fumbling of the messaging from one of our public institutions is an equally important story.
I don’t want to speculate too much on what’s going on over there, but they need to tell people what’s going on. Because people need to know if their or their kids’ information is in there. They can then use that information to take measures to protect themselves.
How does this get resolved? Is there a scenario where they pay the ransom? Do they program their way out of the sticky situation? What happens next here?
I’ve heard they’ve been trying to get the information taken off the dark web, which is like… If you’re not familiar with the dark web, it’s inherently an unregulated Wild West. If you want to buy drugs, hire a hitman, or find all sorts of nefarious content or information, you go to the dark web for it. There’s no central authority that’s going to take your stuff down off the dark web; that’s why it goes on there. I’m not sure that strategy is going to work for them.
It’s a matter of some debate within the cybersecurity field about whether or not anyone should pay a ransom at all. It’s controversial. In this particular case, I’m not even sure MPS even has $1 million to spend on that, and if they did, they’d be funding future operations for these groups to target future schools. Which is not great, you know? I think it makes sense to assume this data is already out there, and that at the end of that deadline, all of it will be out there. If we make that assumption, where do we go from there? I am personally talking to other parents, students, and staff to try and tell them what measures they can take to protect themselves. Because people need to know.
Click here to read Coldwater’s advice to students, teachers, and parents who might be impacted by the ransomware attack.