In a year when they were already dealing with COVID-19 and then accusations that a teacher had improper emails with students, Union Community School District in Iowa found itself with a third major challenge — a ransomware attack. But whereas the district has publicly acknowledged and discussed its response to the first two challenges, they seem to have maintained radio silence about the cybersecurity incident. That may be about to change.
As best as DataBreaches.net can determine, the district experienced a cyberattack prior to April 19. How much before then is as yet unknown to this site. But now that the threat actors have dumped thousands of files with employees’ and students’ personal information on the dark web, DataBreaches.net expects the district will issue some public notice. So far, however, this breach has not been confirmed by the district (unless this site missed some notice).
On April 19, the DoppelPaymer ransomware threat actors added the school district to its list of victims who have not paid their ransom demand. DoppelPaymer threat actors, who are widely believed to be Russian, tend to use the “double-extortion” model that involves exfiltrating a copy of files and then encrypting the files on the server so that the victims needs to pay them to get a decryptor key to unlock their files. But even if the victim can unlock their files, the criminals still have a copy of the files that they will dump publicly or sell if their victim doesn’t pay them.
The threat actors do not indicate in the listing when they first attacked the district or contacted them with any ransom demand, but on May 28, the threat actors updated their listing of April 19 and dumped thousands of files. They also posted a list of every computer on the district’s network.
The file dump, compromising almost 2 GB of compressed files, contained numerous files with personal and personnel information on former and current employees as well as personal information on current and former students.
DataBreaches.net did not tabulate the number of unique employees or students who had personal information made publicly available on the dark web, but notes that the employee files included observtions of teachers and staff, including intensive assistance plans to address noted deficiencies and in some cases, termination letters. Files with employees’ personal addresses, phone numbers, name of spouse or partner, and their birthday were also in the dump, as were salary schedules with employees’ rate of pay, date of hire, Social Security numbers, and other types of certification data and expiration dates.
Student-related files include lists of all students in every class and grade, but also some disciplinary incidents involving named students. There were also files with named students and Student Reporting in Iowa (SRI) information, and thousands of transcripts of students who graduated between 2003 and 2019.
Each transcript contained the student’s name, their date of birth, their full address, the date of their graduation, and all of the courses they took in high school with their grades and credits earned.
There were also a few files with more sensitive information on students, such as the 504 Accommodation Plan for a named student. The following image is a screencap of the top of a 504 Plan, redacted by DataBreaches.net:
The files dumped by DoppelPaymer do not include all the files you would expect to find on a school district’s system. It may be that the threat actors are still holding out other records to try to get the district to pay them not to dump the data. Then again, it is possible that the threat actors did not get those files. Because the district has not issued any public statement that DataBreaches.net could find, it is not clear whether the district even knows the full scope of the breach.
DataBreaches.net reached out to the district’s superintendent, Travis Fleshner, to ask a number of questions about this incident, including whether it had impacted the district’s functioning at all, and whether the district has notified anyone whose personal information has been exfiltrated and dumped. No answer was immediately forthcoming, and none of the minutes from school board meetings over the past months mention any incident or incident response. If the district hired any external counsel or recovery services, it is not evident in the public records. DataBreaches.net has also emailed all of the current Board of Education members to ask them about the incident and their knowledge of it. This post will be updated if a reply is received.
DoppelPaymer also recently dumped files with sensitive information from the the Azusa Police Department.