Ransomware Threat Actors Dump Data on Clark County School District Employees and Students

Some of WSJ’s reporting may alarm employees and parents, so let’s dig into this one a bit more.

WSJ cites Brett Callow of Emisoft, who examined the latest data dump and informed WSJ that in its second dump, the hacker(s) uploaded files of a more sensitive nature, including employee Social Security numbers, addresses and retirement paperwork. For students, information released included a data file with names, grades, birth dates, addresses and the school attended.

What the CCSD attackers got — assuming for the moment that they really did dump everything they got and aren’t hanging on to some of it to sell it or misuse it — is nowhere near even a small amount of the personal and sensitive information that the district has almost certainly collected and stored on employees and students. Yes, there is some employee personally identifiable information like SSN and rates, and I don’t mean to minimize the risk of that data being dumped. But what got dumped does not include W-2 files or other personnel records. Nor are any of the truly sensitive student files in the data dump. The attackers may not have gotten the most sensitive files on employees or students. Which brings me to my next point:

A lot of the student data that was dumped is not sensitive information, although those who are not familiar with data protection of student data in the U.S. may understandably describe it as such.  Districts are allowed to make certain types of student information publicly available as “directory information” under the federal law that protects the privacy of education records (FERPA).  Districts get to decide what types of data they will consider “directory information” and publicly available. According to CCSD’s definition of “Directory Information,” all of the following can be made public by the district without the consent of the students or parents:

the student’s name, address, grade level, date and place of birth, participation in officially recognized activities and sports, weight and height if a member of an athletic team, years of attendance, degrees and awards received, and schools attended.

In light of the above, revealing some of the students’ data that was exposed would be or is a breach of  the student’s privacy of education records, but students’ names, grade levels, birth dates, and schools attended are not considered sensitive or protected information, however upsetting it may to be parents to hear about a breach. And in a “it could be worse” vein, I would point out that in going through the data, I have not seen any really sensitive student information so far — no student medical records, no student disciplinary records, no social work or psychological  records, and no special education assessments or records.

So was this a bad breach? Yes.  It interrupted functioning of the district and took up resources that could have been better spent on other things.  Are employees at some risk from the dumping of their data? Yes.  Are the students?  Not so much, unless some student’s family was trying to escape location by an abusive family member.

Each attack is different and each district may have different preparation for a breach and ability to recover from one. But let’s not assume that attackers have always gotten the sensitive data, because they may not have.  That said, it’s clear that all districts need to be proactive in trying to prevent attackers from gaining any foothold, and in detecting them quickly before they can exfiltrate data or trigger the release of ransomware.

This post was edited post-publication for clarity purposes.