DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Mars k-12 district in Pennsylvania victim of ransomware attack; data leaked

Posted on October 12, 2022 by Dissent

The Vice Society added more schools to their “partners” leak site yesterday. One of them is the Mars Area School District in Pennsylvania.

According to niche.com, MASD is a k-12 district with 3,334 students.  In a notice posted on the district’s website on October 3, Superintendent Gross described the progress the district was making in recovering from a ransomware attack they originally disclosed on September 27.

In their earliest announcement, the district had indicated that it did not have access to e-mail or to the District’s Internet network, but the phone system was unaffected and that schools would remain open as they worked through the recovery. They had also announced, “at this time, there is no evidence that student or employee records were compromised or at risk.”

As of October 3, the investigation was still in its early stages, and they no longer stated that there was no evidence of student or employee records being compromised. In that update, they wrote, “The District will give appropriate notice to those affected, in accordance with applicable data protection obligations, once we have completed our forensic review.”

A preliminary review by DataBreaches of the data leaked by Vice reveals that a lot of old files, some with personal information, have been dumped on the internet for anyone to download.

Of special note: a file with personnel information from 2016-2017 contains information on more than 350 employees with their Social Security Numbers, first and last names, date of birth, work and personal email addresses, and phone numbers.

No databases were noted in DataBreaches’ preliminary review, but a number of individual records on employees and students revealed sensitive information on named individuals. As a few examples, DataBreaches noted:

  • files concerning the arrest and disciplinary action taken by the district with respect to an employee who was criminally charged for driving under the influence (2022);
  • a report of an ambulance called for an employee who fainted in class (2012);
  • a report on an ambulance called after a school bus driver discovered a student on the bus had lost consciousness and how the parents refused treatment for the child (2014);
  • work complaints history about a custodian from 2006-2011 (2011);
  • notice of a disciplinary hearing considering negligence charges against an employee (2021); and
  • a letter to the state’s Chief Counsel responding to parent allegations about deprivation of their child’s rights in a disciplinary matter (2019).

How many notifications will the district need to make for older incidents with personal or sensitive information — files that didn’t need to be currently connected to the internet?

Earlier this year, the Pennsylvania legislature considered an act that would prohibit local governments and school districts from using taxpayer dollars to pay ransom unless the governor declared an emergency. Victims would also have to notify the state within an hour of discovery of an attack. The bill passed in the Senate, but stalled in the House, and there has been no further action on it.

DataBreaches sent an email inquiry to Vice Society to ask whether MASD had responded to their demands or communications at all, and whether such laws would have any impact on whether Vice attacked a district or not. If a reply is received, this post will be updated.

Updated October 14: A Vice Society spokesperson responded that the district had communicated for a while, but then stopped.  In response to my question as to whether any law prohibiting ransom payments would influence their decision to attack a public school district or not,  they replied:

We don’t care about laws. Any attacked company is glory or money. They can choose what to give us. We love both of it.
If other groups feel the same way, then state laws prohibiting ransom payments may not deter attacks. In time, we’ll see if they do.
Category: Breach IncidentsCommentaries and AnalysesEducation SectorMalware

Post navigation

← Aesthetic Dermatology Associates notifies patients of breach, but data already leaking on dark web
Quarter of Healthcare Ransomware Victims Forced to Halt Operations – Report →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit
  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.