By mid-September, it was clear that school districts were under increased threat of ransomware attacks. In fact, when Clark County School District (CCSD) in Las Vegas and Fairfax County Public Schools (CFPS) in Virginia were added to the Maze cartel’s leak site, it seemed to portend potentially big data dumps. Since that dump, Maze dumped data they claimed to have acquired from CCSD, and dumped some of the data they acquired from FCPS (an action that was followed shortly thereafter by the FCPS listing disappearing from the leak site, which may indicate that FCPS is attempting to negotiate a ransom payment with the threat actors).
But there was another school district Maze hit around that time that didn’t get as much media attention — Toledo Public Schools (TPS) in Ohio.
On September 14, DataBreaches.net reached out to TPS to ask them to confirm or deny Maze’s claim of a successful attack. TPS did not respond, and the data Maze dumped as “proof” was not proof of any attack on TPS at all — in fact, the “proof” data appeared to come from a construction firm, which is why DataBreaches.net referred to the breach claim but did not name the school district in the September post.
But now Maze has dumped all of the data they claim to have acquired from TPS, and the data appear real. Worryingly, the more than 9 GB of compressed data contains a lot of personal and/or sensitive student and employee data.
A preliminary inspection of the data reveals that a lot of demographic information on current and former students was dumped. Looking at the plain text data in unencrypted tables, we could see:
- first, middle, and last names
- student ID numbers
- gender
- race
- Social Security numbers
- date of birth
- grade
- school
- postal address,
- phone numbers (home, work, cell)
- dates of Individualized Education Plans
- guardian’s name,
- foster family information, and
- special education information.
In some spread sheets, scores on standardized tests were included. Other documents related to student disciplinary actions including appeals over expulsions of named students and the basis for the expulsions.
The above is not an all-inclusive list.
According to online resources, TPS serves more than 23,000 students. The readable files in the data dump are not necessarily the most current files on student records (one was last updated in 2017). But even if all students’ data was not in the accessible dumped files, it’s important to note that not only was data from more than 10,000 students readily viewable, we also saw files from past school years — students who likely graduated years ago. For example, one file with student records was from 2008. That file contained personal information on students including their Social Security numbers. So the total number of students with personal information exposed will likely exceed 20,000 when all the past records are added in.
Employee Data Dumped, Too
It was not just students who had their personal information exposed. While DataBreaches.net has not yet found any files with completed W-2 forms or direct deposit information on employees, we did spot employment and personnel-related files, including evaluations of personnel and disciplinary reports about personnel.
Just as TPS did not respond to our inquiry of September 14, they have not (yet) responded to our inquiry earlier today asking if they have notified parents, employees, and students of this breach or if they have offered them any mitigation services. This post will be updated if TPS sends a response or statement, but given that the data have been publicly available for more than 24 hours now, DataBreaches.net wanted to make sure that victims are alerted so that they can take steps to protect themselves.
If TPS has not reached out to current and former parents, employees, and students, then those possibly affected might be wise to assume that they are at risk and take steps to protect themselves and their children. Ohio’s security freeze law can be found here. A more user-friendly statement about the process and your rights can be found here. While the federal education privacy rights law known as FERPA does not require schools to provide breach notifications, the state may require notification under state laws.
As an aside, I posted a question on Twitter asking who gets notified if a former student is now older than 18. Does the district notify the parents of the former student, or do they have to try to track down the address of the former student, or just go to substitute/media notice?
Not worried about the schools, it is the students and employees that have the nightmare!
My partner works for TPS so I can answer one looming question: TPS did NOT inform any of the families and staff of the breach or its nature, they only found out when the local news channel’s investigators dropped the story an hour or so ago.
https://www.13abc.com/app/2020/10/16/i-team-investigation-major-tps-data-breach-exposes-personal-information-of-students-staff/
I emailed them on Sept. 14 to ask about the ransomware attack. They didn’t reply. Maybe if they had read their email and followed up, they would have known then. I also emailed them yesterday morning. Again, no reply. I finally just went ahead and published and then tipped news stations in Toledo so they can follow up.
FYI: TPS is claiming (to both the public and their employees) TPS was made aware the first time by the local media from an “outside source”, though the Toledo Blade has cited you as a source. I wouldn’t be surprised if local media outlets or the unions ask for emails (with the ever lovely time stamps) proving otherwise. I know I certainly would.
I’ve already given one news outlet partial proof. 🙂
The real question is whether TPS received any ransom demand from Maze. Hard to believe that there was none. Easier to believe that it was ignored, not read, or viewed as a scam. It will all come out eventually in discovery if the district winds up getting sued.
Can you identify who you contacted at TPS with this information? At least the title of the individuals?
Sure.
On September 14, I sent an inquiry to the district. I got an auto-response from “Toledo Public Schools”, but then no real response.
On September 14, I also DM’d TPS’s Twitter team (@TPSProud). They didn’t respond at all.
On October 15, I emailed Superintendent Durant and cc:d his assistant, Ms. Jordan, in the morning. Neither responded.
On October 15, I also DM’d TPS’s Twitter team again. Again, they didn’t respond at all.
Four attempts on two dates. No responses. So I went ahead and published and then reached out to a few local news outlets to alert them.
So, spouse (a teacher) got an email from district AFTER news report went out.
We found out just today, and were unable to get confirmation before the news reported it. We are sorry you had to find out this way. It is still unclear what, if any, information was leaked.
Followed by the typical: we are conferring with legal team and experts to do ..blah blah .in a ccordance, blah blah
Jeez. Thank you for letting us all know.
Starting the wk of 09/21/2020 till now I have received well over 60 scam calls, all different numbers ( because I blocked them) ) that my
S S # was hacked!!!! I never had that scam call before. This is probably why!!
As far as I know, the data had not been dumped by September 21.
I’m a TPS parent with 4 students in TPS. As of today the only info I have came from the news I have not hear from the district and do not know if any of my children’s information was involved!
It will take them some time to go through and compile all of the data/files to figure out who was affected, etc.