DataBreaches.Net


Update: Clover Park School District notifies 1,583 impacted by ransomware incident

Posted on July 13, 2021 by Dissent

On May 26, DataBreaches.net reported on a ransomware attack on Clover Park School District in Washington state. The story had originally been broken by KIRO7, who had been sent screencaps by a district employee.

As of May 26, and even as of June 2 in its last posted update, the district referred to the incident as a “system outage,” but it was clear that this was a cyberattack and that the threat actor(s) claiming responsibility for it were calling themselves “Pay or Grief” (or just “Grief”). The threat actors demanded $350,000 in monero.

When the district didn’t pay, the threat actors began dumping data, as they had threatened to do. As of yesterday, they had dumped a number of folders containing employee/personnel information. Although there was a folder labeled “Students,” there was very little student-related personal information.

The information on employees or former employees included exit interviews and approximately 50 files with disciplinary actions about named employees. Some files had plans of improvement or probationary information on named employees.

We also noted approximately 200 folders with workers compensation or injury-related files on employees. As would be expected, such files contain personal and medical/health-related information like name, date of birth, address, telephone number, Social Security number, date and description of accident, diagnosis, and treatment information, activity prescription forms, and provider information. Some also contained health insurance claims forms and driver’s license numbers.

Image: Insurance claim form, redacted by DataBreaches.net.

There was also a folder with unemployment claims-related information on former employees. We saw very few payroll records for named employees. Much of the payroll and budgetary files concerned salary schedules but not actual weekly payroll or W-2 information on employees. Retiree lists, however, contained SSNs for retired employees.

The threat actors also dumped a list of what they claim is all of the district’s machines (25,941).

Perhaps one of the most concerning folders was one with almost 400 files containing sensitive matters involving employees. Many of these were older files, but unencrypted and with the employees’ names. DataBreaches.net is redacting one file from that folder to demonstrate how very sensitive material was on the server despite it being quite old.

Image: Concerning behaviors by employees. File dumped by threat actors contained sensitive information and allegations. Redacted by DataBreaches.net.

In another old and unencrypted file, we found a list of named employees who had been investigated for off-duty conduct. The employees’ names and dates of termination or action are redacted by us:

Image: Employees investigated for off-duty conduct and outcomes. Redacted by DataBreaches.net.

Yesterday, DataBreaches.net sent an inquiry to the district with a number of questions about this incident, but we got no reply. Today, however, we discovered that they filed a notification yesterday with the Maine Attorney General’s Office. That notification indicates that on May 17, 2021, they became aware of suspicious activity impacting their computer systems and immediately commenced an investigation.

The investigation determined that an unknown actor took and may have viewed certain information during a period of unauthorized access to our computer systems between May 12, 2021 and May 26, 2021. After conducting a thorough review of the potentially impacted computer systems, CPSD determined on or around June 22, 2021 that personal information pertaining to some individuals may have been included in the potentially impacted computer systems. The information that could have been subject to unauthorized access includes name, address, and Social Security number.

“Could have been subject to unauthorized access?” For some, it was exfiltrated and dumped. And for some employees, it was not just those three elements, of course.

The district mailed notifications to 1,583 people. The notification letter, which appears below, offers those affected 12 months of credit monitoring services. The district states that it is also working to implement additional safeguards and training to its employees.

The district’s notification does not (yet) appear on their web site.

At this point, the threat actors may have dumped all of the files they exfiltrated, as what we looked at was about 5 GB of data, which is what they originally claimed to have exfiltrated.

Clover Park School District - Exhibit 1 - ME

Reporting by Dissent and Chum1ng0

Category: Breach Incidents, Education Sector, Malware
