DataBreaches.Net


IA: Union Community School District publicly silent after threat actors dump files on dark web

Posted on June 1, 2021 by Dissent

In a year when they were already dealing with COVID-19 and then accusations that a teacher had improper emails with students, Union Community School District in Iowa found itself with a third major challenge — a ransomware attack. But whereas the district has publicly acknowledged and discussed its response to the first two challenges, it seems to have maintained radio silence about the cybersecurity incident. That may be about to change.

As best as DataBreaches.net can determine, the district experienced a cyberattack prior to April 19. How much before then is as yet unknown to this site. But now that the threat actors have dumped thousands of files with employees’ and students’ personal information on the dark web, DataBreaches.net expects the district will issue some public notice. So far, however, this breach has not been confirmed by the district (unless this site missed some notice).

DoppelPaymer Added Union to their Leak Site
On April 19, threat actors added the district to a dark web leak site where victim data is dumped. Image: DataBreaches.net

On April 19, the DoppelPaymer ransomware threat actors added the school district to their list of victims who have not paid their ransom demand. DoppelPaymer threat actors, who are widely believed to be Russian, tend to use the “double-extortion” model that involves exfiltrating a copy of files and then encrypting the files on the server so that the victim needs to pay them to get a decryptor key to unlock their files. But even if the victim can unlock their files, the criminals still have a copy of the files that they will dump publicly or sell if their victim doesn’t pay them.

The threat actors do not indicate in the listing when they first attacked the district or contacted them with any ransom demand, but on May 28, the threat actors updated their listing of April 19 and dumped thousands of files. They also posted a list of every computer on the district’s network.

The file dump, comprising almost 2 GB of compressed files, contained numerous files with personal and personnel information on former and current employees as well as personal information on current and former students.

DataBreaches.net did not tabulate the number of unique employees or students who had personal information made publicly available on the dark web, but notes that the employee files included observations of teachers and staff, including intensive assistance plans to address noted deficiencies and in some cases, termination letters. Files with employees’ personal addresses, phone numbers, name of spouse or partner, and their birthday were also in the dump, as were salary schedules with employees’ rate of pay, date of hire, Social Security numbers, and other types of certification data and expiration dates.

Student-related files include lists of all students in every class and grade, but also some disciplinary incidents involving named students. There were also files with named students and Student Reporting in Iowa (SRI) information, and thousands of transcripts of students who graduated between 2003 and 2019.

Redacted Directory of Files
Small portion of thousands of files with graduating seniors’ transcripts. Credit: DataBreaches.net

Each transcript contained the student’s name, their date of birth, their full address, the date of their graduation, and all of the courses they took in high school with their grades and credits earned.

There were also a few files with more sensitive information on students, such as the 504 Accommodation Plan for a named student. The following image is a screencap of the top of a 504 Plan, redacted by DataBreaches.net:

504 Accommodation Plan
Image: Redacted by DataBreaches.net. Typographical errors were in the original.

The files dumped by DoppelPaymer do not include all the files you would expect to find on a school district’s system. It may be that the threat actors are still holding out other records to try to get the district to pay them not to dump the data. Then again, it is possible that the threat actors did not get those files. Because the district has not issued any public statement that DataBreaches.net could find, it is not clear whether the district even knows the full scope of the breach.

DataBreaches.net reached out to the district’s superintendent, Travis Fleshner, to ask a number of questions about this incident, including whether it had impacted the district’s functioning at all, and whether the district has notified anyone whose personal information has been exfiltrated and dumped. No answer was immediately forthcoming, and none of the minutes from school board meetings over the past months mention any incident or incident response. If the district hired any external counsel or recovery services, it is not evident in the public records. DataBreaches.net has also emailed all of the current Board of Education members to ask them about the incident and their knowledge of it. This post will be updated if a reply is received.

DoppelPaymer also recently dumped files with sensitive information from the Azusa Police Department.

Category: Breach Incidents, Education Sector, Malware
