DataBreaches.Net


IA: Union Community School District publicly silent after threat actors dump files on dark web

Posted on June 1, 2021 by Dissent

In a year when they were already dealing with COVID-19 and then accusations that a teacher had improper emails with students, Union Community School District in Iowa found itself with a third major challenge — a ransomware attack. But whereas the district has publicly acknowledged and discussed its response to the first two challenges, it seems to have maintained radio silence about the cybersecurity incident. That may be about to change.

As best as DataBreaches.net can determine, the district experienced a cyberattack prior to April 19. How much before then is as yet unknown to this site. But now that the threat actors have dumped thousands of files with employees’ and students’ personal information on the dark web, DataBreaches.net expects the district will issue some public notice. So far, however, this breach has not been confirmed by the district (unless this site missed some notice).

DoppelPaymer Added Union to their Leak Site
On April 19, threat actors added the district to a dark web leak site where victim data is dumped. Image: DataBreaches.net

On April 19, the DoppelPaymer ransomware threat actors added the school district to their list of victims who have not paid their ransom demand. DoppelPaymer threat actors, who are widely believed to be Russian, tend to use the “double-extortion” model that involves exfiltrating a copy of files and then encrypting the files on the server so that the victim needs to pay them to get a decryptor key to unlock their files. But even if the victim can unlock their files, the criminals still have a copy of the files that they will dump publicly or sell if their victim doesn’t pay them.

The threat actors do not indicate in the listing when they first attacked the district or contacted them with any ransom demand, but on May 28, the threat actors updated their listing of April 19 and dumped thousands of files. They also posted a list of every computer on the district’s network.

The file dump, comprising almost 2 GB of compressed files, contained numerous files with personal and personnel information on former and current employees as well as personal information on current and former students.

DataBreaches.net did not tabulate the number of unique employees or students who had personal information made publicly available on the dark web, but notes that the employee files included observations of teachers and staff, including intensive assistance plans to address noted deficiencies and in some cases, termination letters. Files with employees’ personal addresses, phone numbers, name of spouse or partner, and their birthday were also in the dump, as were salary schedules with employees’ rate of pay, date of hire, Social Security numbers, and other types of certification data and expiration dates.

Student-related files include lists of all students in every class and grade, but also some disciplinary incidents involving named students. There were also files with named students and Student Reporting in Iowa (SRI) information, and thousands of transcripts of students who graduated between 2003 and 2019.

Redacted Directory of Files
Small portion of thousands of files with graduating seniors’ transcripts. Credit: DataBreaches.net

Each transcript contained the student’s name, their date of birth, their full address, the date of their graduation, and all of the courses they took in high school with their grades and credits earned.

There were also a few files with more sensitive information on students, such as the 504 Accommodation Plan for a named student. The following image is a screencap of the top of a 504 Plan, redacted by DataBreaches.net:

504 Accommodation Plan
Image: Redacted by DataBreaches.net. Typographical errors were in the original.

The files dumped by DoppelPaymer do not include all the files you would expect to find on a school district’s system. It may be that the threat actors are still holding out other records to try to get the district to pay them not to dump the data. Then again, it is possible that the threat actors did not get those files. Because the district has not issued any public statement that DataBreaches.net could find, it is not clear whether the district even knows the full scope of the breach.

DataBreaches.net reached out to the district’s superintendent, Travis Fleshner, to ask a number of questions about this incident, including whether it had impacted the district’s functioning at all, and whether the district has notified anyone whose personal information has been exfiltrated and dumped. No answer was immediately forthcoming, and none of the minutes from school board meetings over the past months mention any incident or incident response. If the district hired any external counsel or recovery services, it is not evident in the public records. DataBreaches.net has also emailed all of the current Board of Education members to ask them about the incident and their knowledge of it. This post will be updated if a reply is received.

DoppelPaymer also recently dumped files with sensitive information from the Azusa Police Department.

Category: Breach Incidents, Education Sector, Malware
