DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

IA: Union Community School District publicly silent after threat actors dump files on dark web

Posted on June 1, 2021 by Dissent

In a year when they were already dealing with COVID-19 and then accusations that a teacher had improper emails with students, Union Community School District in Iowa found itself with a third major challenge — a ransomware attack.  But whereas the district has publicly acknowledged and discussed its response to the first two challenges, they seem to have maintained radio silence about the cybersecurity incident. That may be about to change.

As best as DataBreaches.net can determine, the district experienced a cyberattack prior to April 19. How much before then is as yet unknown to this site. But now that the threat actors have dumped thousands of files with  employees’ and students’ personal information on the dark web, DataBreaches.net expects the district will issue some public notice. So far, however, this breach has not been confirmed by the district (unless this site missed some notice).

DoppelPaymer Added Union to their Leak Site
On April 19, threat actors added the district to a dark web leak site where victim data is dumped. Image: DataBreaches.net

On April 19, the DoppelPaymer ransomware threat actors added the school district to its list of victims who have not paid their ransom demand. DoppelPaymer threat actors, who are widely believed to be Russian, tend to use the “double-extortion” model that involves exfiltrating a copy of files and then encrypting the files on the server so that the victims needs to pay them to get a decryptor key to unlock their files. But even if the victim can unlock their files, the criminals still have a copy of the files that they will dump publicly or sell if their victim doesn’t pay them.

The threat actors do not indicate in the listing when they first attacked the district or contacted them with any ransom demand, but on May 28, the threat actors updated their listing of April 19 and dumped thousands of files. They also posted a list of every computer on the district’s network.

The file dump, compromising almost 2 GB of compressed files, contained numerous files with personal and personnel information on former and current employees as well as personal information on current and former students.

DataBreaches.net did not tabulate the number of unique employees or students who had personal information made publicly available on the dark web, but notes that the employee files included observtions of teachers and staff, including intensive assistance plans to address noted deficiencies and in some cases, termination letters. Files with employees’ personal addresses, phone numbers, name of spouse or partner, and their birthday were also in the dump, as were salary schedules with employees’ rate of pay, date of hire, Social Security numbers, and other types of certification data and expiration dates.

Student-related files include lists of all students in every class and grade, but also some disciplinary incidents involving named students. There were also files with named students and Student Reporting in Iowa (SRI) information, and thousands of transcripts of students who graduated between 2003 and 2019.

Redacted Directory of Files
Small portion of thousands of files with graduating senionrs’ transcripts. Credit: DataBreaches.net

Each transcript contained the student’s name, their date of birth, their full address, the date of their graduation, and all of the courses they took in high school with their grades and credits earned.

There were also a few files with more sensitive information on students, such as the 504 Accommodation Plan for a named student. The following image is a screencap of the top of a 504 Plan, redacted by DataBreaches.net:

504 Accommodation Plan
Image: Redacted by DataBraches.net. Typographical errors were in the original.

The files dumped by DoppelPaymer do not include all the files you would expect to find on a school district’s system. It may be that the threat actors are still holding out other records to try to get the district to pay them not to dump the data. Then again, it is possible that the threat actors did not get those files. Because the district has not issued any public statement that DataBreaches.net could find, it is not clear whether the district even knows the full scope of the breach.

DataBreaches.net reached out to the district’s superintendent, Travis Fleshner, to ask a number of questions about this incident, including whether it had impacted the district’s functioning at all, and whether the district has notified anyone whose personal information has been exfiltrated and dumped. No answer was immediately forthcoming, and none of the minutes from school board meetings over the past months mention any incident or incident response. If the district hired any external counsel or recovery services, it is not evident in the public records. DataBreaches.net has also emailed all of the current Board of Education members to ask them about the incident and their knowledge of it. This post will be updated if a reply is received.

DoppelPaymer also recently dumped files with sensitive information from the the Azusa Police Department.

Related posts:

  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
  • Audits of New York schools and the State Education Department reveal ongoing significant concerns
Category: Breach IncidentsEducation SectorMalware

Post navigation

← Babuk re-organizes as Payload Bin, offers its first leak
Meat Is Latest Cyber Victim as Hackers Hit Top Supplier JBS →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records
  • Qilin claims attack on Accu Reference Medical Laboratory. It wasn’t the lab’s first data breach.
  • Louis Vuitton hit by data breach in Türkiye, over 140,000 users exposed; UK customers also affected (1)
  • Infosys McCamish Systems Enters Consent Order with Vermont DFR Over Cyber Incident
  • Obligations under Canada’s data breach notification law
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC
  • German court offers EUR 5000 compensation for data breaches caused by Meta
  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.