DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Privacy nightmare for Toledo Public Schools: Hackers dumped student and employee data

Posted on October 15, 2020 by Dissent

By mid-September,  it was clear that school districts were under increased threat of ransomware attacks. In fact, when Clark County School District (CCSD) in Las Vegas and Fairfax County Public Schools (CFPS) in Virginia were added to the Maze cartel’s leak site, it seemed to portend potentially big data dumps.  Since that dump, Maze dumped data they claimed to have acquired from CCSD, and dumped some of the data they acquired from FCPS  (an action that was followed shortly thereafter by the FCPS listing disappearing from the leak site, which may indicate that FCPS is attempting to negotiate a ransom payment with the threat actors).

But there was another school district Maze hit around that time that didn’t get as much media attention — Toledo Public Schools (TPS) in Ohio.

On September 14, DataBreaches.net reached out to TPS to ask them to confirm or deny Maze’s claim of a successful attack.  TPS did not respond, and the data Maze dumped as “proof” was not proof of any attack on TPS at all — in fact, the “proof” data appeared to come from a construction firm, which is why DataBreaches.net referred to the breach claim but did not name the school district in the September post.

But now Maze has dumped all of the data they claim to have acquired from TPS, and the data appear real.  Worryingly, the more than 9 GB of compressed data contains a lot of personal and/or sensitive student and employee data.

A preliminary inspection of the data reveals that a lot of demographic information on current and former students was dumped. Looking at the plain text data in unencrypted tables, we could see:

  • first, middle, and last names
  • student ID numbers
  • gender
  • race
  • Social Security numbers
  • date of birth
  • grade
  • school
  • postal address,
  • phone numbers (home, work, cell)
  • dates of Individualized Education Plans
  • guardian’s name,
  • foster family information, and
  • special education information.
Fields in one of numerous spread sheets included first, middle, and last names, student ID numbers, gender, race, Social Security numbers, and phone numbers. Other records contained many more fields.

In some spread sheets, scores on standardized tests were included. Other documents related to student disciplinary actions including appeals over expulsions of named students and the basis for the expulsions.

The above is not an all-inclusive list.

According to online resources, TPS serves more than 23,000 students.  The readable files in the data dump are not necessarily the most current files on student records (one was last updated in 2017). But even if all students’ data was not in the accessible dumped files, it’s important to note that not only was data from more than 10,000 students readily viewable, we also saw files from past school years — students who likely graduated years ago.  For example, one file with student records was from 2008. That file contained personal information on students including their Social Security numbers. So the total number of students with personal information exposed will likely exceed 20,000 when all the past records are added in.

Employee Data Dumped, Too

It was not just students who had their personal information exposed. While DataBreaches.net has not yet found any files with completed W-2 forms or direct deposit information on employees, we did spot employment and personnel-related files, including evaluations of personnel and disciplinary reports about personnel.

Just as TPS did not respond to our inquiry of September 14, they have not  (yet) responded to our inquiry earlier today asking if they have notified parents, employees, and students of this breach or if they have offered them any mitigation services. This post will be updated if TPS sends a response or statement, but given that the data have been publicly available for more than 24 hours now, DataBreaches.net wanted to make sure that victims are alerted so that they can take steps to protect themselves.

If TPS has not reached out to current and former parents, employees, and students, then those possibly affected might be wise to assume that they are at risk and take steps to protect themselves and their children.   Ohio’s security freeze law can be found here.  A more user-friendly statement about the process and your rights can be found here.  While the federal education privacy rights law known as FERPA does not require schools to provide breach notifications, the state may require notification under state laws.

As an aside, I posted a question on Twitter asking who gets notified if a former student is now older than 18.  Does the district notify the parents of the former student, or do they have to try to track down the address of the former student, or just go to substitute/media notice?

 

Category: Breach IncidentsCommentaries and AnalysesEducation SectorMalwareOf NoteU.S.

Post navigation

← Twitter hackers trick employees by posing as IT workers, NY probe finds
Florida Resident Sentenced To 2 Years Probation after Previously Pleading Guilty To Accessing a Protected Computer without Authorization and Recklessly Causing Damage →

13 thoughts on “Privacy nightmare for Toledo Public Schools: Hackers dumped student and employee data”

  1. fred says:
    October 16, 2020 at 9:11 am

    Not worried about the schools, it is the students and employees that have the nightmare!

  2. AB says:
    October 16, 2020 at 2:39 pm

    My partner works for TPS so I can answer one looming question: TPS did NOT inform any of the families and staff of the breach or its nature, they only found out when the local news channel’s investigators dropped the story an hour or so ago.

    https://www.13abc.com/app/2020/10/16/i-team-investigation-major-tps-data-breach-exposes-personal-information-of-students-staff/

    1. Dissent says:
      October 16, 2020 at 3:24 pm

      I emailed them on Sept. 14 to ask about the ransomware attack. They didn’t reply. Maybe if they had read their email and followed up, they would have known then. I also emailed them yesterday morning. Again, no reply. I finally just went ahead and published and then tipped news stations in Toledo so they can follow up.

      1. AB says:
        October 16, 2020 at 5:56 pm

        FYI: TPS is claiming (to both the public and their employees) TPS was made aware the first time by the local media from an “outside source”, though the Toledo Blade has cited you as a source. I wouldn’t be surprised if local media outlets or the unions ask for emails (with the ever lovely time stamps) proving otherwise. I know I certainly would.

        1. Dissent says:
          October 16, 2020 at 6:21 pm

          I’ve already given one news outlet partial proof. 🙂
          The real question is whether TPS received any ransom demand from Maze. Hard to believe that there was none. Easier to believe that it was ignored, not read, or viewed as a scam. It will all come out eventually in discovery if the district winds up getting sued.

      2. SJ says:
        October 19, 2020 at 10:33 am

        Can you identify who you contacted at TPS with this information? At least the title of the individuals?

        1. Dissent says:
          October 19, 2020 at 3:51 pm

          Sure.

          On September 14, I sent an inquiry to the district. I got an auto-response from “Toledo Public Schools” , but then no real response.
          On September 14, I also DM’d TPS’s Twitter team (@TPSProud). They didn’t respond at all.

          On October 15, I emailed Superintendent Durant and cc:d his assistant, Ms. Jordan, in the morning. Neither responded.
          On October 15, I also DM’d TPS’s Twitter team again. Again, they didn’t respond at all.

          Four attempts on two dates. No responses. So I went ahead and published and then reached out to a few local news outlets to alert them.

  3. Withheld says:
    October 16, 2020 at 7:33 pm

    So, spouse (a teacher) got an email from district AFTER news report went out.

    We found out just today, and were unable to get confirmation before the news reported it. We are sorry you had to find out this way. It is still unclear what, if any, information was leaked.

    Followed by the typical: we are conferring with legal team and experts to do ..blah blah .in a ccordance, blah blah

    1. Dissent says:
      October 16, 2020 at 9:11 pm

      Jeez. Thank you for letting us all know.

    2. Julie Billings says:
      October 17, 2020 at 11:44 am

      Starting the wk of 09/21/2020 till now I have received well over 60 scam calls, all different numbers ( because I blocked them) ) that my
      S S # was hacked!!!! I never had that scam call before. This is probably why!!

      1. Dissent says:
        October 17, 2020 at 12:25 pm

        As far as I know, the data had not been dumped by September 21.

  4. Amanda Schaffner says:
    October 17, 2020 at 11:08 pm

    I’m a TPS parent with 4 students in TPS. As of today the only info I have came from the news I have not hear from the district and do not know if any of my children’s information was involved!

    1. Dissent says:
      October 18, 2020 at 7:16 am

      It will take them some time to go through and compile all of the data/files to figure out who was affected, etc.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.