DataBreaches.Net


Update: Clover Park School District notifies 1,583 impacted by ransomware incident

Posted on July 13, 2021 by Dissent

On May 26, DataBreaches.net reported on a ransomware attack on Clover Park School District in Washington state. The story had originally been broken by KIRO7, who had been sent screencaps by a district employee.

As of May 26, and even as of June 2 in its last posted update, the district referred to the incident as a “system outage,” but it was clear that this was a cyberattack and that the threat actor(s) claiming responsibility for it were calling themselves “Pay or Grief” (or just, “Grief”). The threat actors demanded $350,000 in monero.

When the district didn’t pay, the threat actors began dumping data, as they had threatened to do. As of yesterday, they had dumped a number of folders containing employee/personnel information. Although there was a folder labeled “Students,” there was very little student-related personal information.

The information on employees or former employees included exit interviews and approximately 50 files with disciplinary actions about named employees. Some files had plans of improvement or probationary information on named employees.

We also noted approximately 200 folders with workers’ compensation or injury-related files on employees. As would be expected, such files contain personal and medical/health-related information like name, date of birth, address, telephone number, Social Security number, date and description of accident, diagnosis and treatment information, activity prescription forms, and provider information. Some also contained health insurance claims forms and driver’s license numbers.

Insurance claim form, redacted by DataBreaches.net.

There was also a folder with unemployment claims-related information on former employees. We saw very few payroll records for named employees. Many of the payroll and budgetary files concerned salary schedules but not actual weekly payroll or W-2 information on employees. Retiree lists, however, contained SSNs for retired employees.

The threat actors also dumped a list of what they claim is all of the district’s machines (25,941).

Perhaps one of the most concerning folders was one with almost 400 files containing sensitive matters involving employees. Many of these were older files, but unencrypted and with the employees’ names. DataBreaches.net is redacting one file from that folder to demonstrate how very sensitive material was on the server despite it being quite old.

Concerning behaviors by employees
File dumped by threat actors contained sensitive information and allegations. Redacted by DataBreaches.net.

In another old and unencrypted file, we found a list of named employees who had been investigated for off-duty conduct. The employees’ names and dates of termination or action are redacted by us:

Employees investigated for off-duty conduct and outcomes
Redacted by DataBreaches.net.

Yesterday, DataBreaches.net sent an inquiry to the district with a number of questions about this incident, but we got no reply. Today, however, we discovered that they filed a notification yesterday with the Maine Attorney General’s Office. That notification indicates that on May 17, 2021, they became aware of suspicious activity impacting their computer systems and immediately commenced an investigation.

The investigation determined that an unknown actor took and may have viewed certain information during a period of unauthorized access to our computer systems between May 12, 2021 and May 26, 2021. After conducting a thorough review of the potentially impacted computer systems, CPSD determined on or around June 22, 2021 that personal information pertaining to some individuals may have been included in the potentially impacted computer systems. The information that could have been subject to unauthorized access includes name, address, and Social Security number.

“Could have been subject to unauthorized access?” For some, it was exfiltrated and dumped. And for some employees, it was not just those three elements, of course.

The district mailed notifications to 1,583 people. The notification letter, which appears below, offers those affected 12 months of credit monitoring services. The district states that it is also working to implement additional safeguards and training to its employees.

The district’s notification does not (yet) appear on their web site.

At this point, the threat actors may have dumped all of the files they exfiltrated, as what we looked at was about 5 GB of data, which is what they originally claimed to have exfiltrated.

Clover Park School District - Exhibit 1 - ME

Reporting by Dissent and Chum1ng0
