The Vice Society added more schools to their “partners” leak site yesterday. One of them is the Mars Area School District in Pennsylvania.
According to niche.com, MASD is a k-12 district with 3,334 students. In a notice posted on the district’s website on October 3, Superintendent Gross described the progress the district was making in recovering from a ransomware attack they originally disclosed on September 27.
In their earliest announcement, the district had indicated that it did not have access to e-mail or to the District’s Internet network, but the phone system was unaffected and that schools would remain open as they worked through the recovery. They had also announced, “at this time, there is no evidence that student or employee records were compromised or at risk.”
As of October 3, the investigation was still in its early stages, and they no longer stated that there was no evidence of student or employee records being compromised. In that update, they wrote, “The District will give appropriate notice to those affected, in accordance with applicable data protection obligations, once we have completed our forensic review.”
A preliminary review by DataBreaches of the data leaked by Vice reveals that a lot of old files, some with personal information, have been dumped on the internet for anyone to download.
Of special note: a file with personnel information from 2016-2017 contains information on more than 350 employees with their Social Security Numbers, first and last names, date of birth, work and personal email addresses, and phone numbers.
No databases were noted in DataBreaches’ preliminary review, but a number of individual records on employees and students revealed sensitive information on named individuals. As a few examples, DataBreaches noted:
- files concerning the arrest and disciplinary action taken by the district with respect to an employee who was criminally charged for driving under the influence (2022);
- a report of an ambulance called for an employee who fainted in class (2012);
- a report on an ambulance called after a school bus driver discovered a student on the bus had lost consciousness and how the parents refused treatment for the child (2014);
- work complaints history about a custodian from 2006-2011 (2011);
- notice of a disciplinary hearing considering negligence charges against an employee (2021); and
- a letter to the state’s Chief Counsel responding to parent allegations about deprivation of their child’s rights in a disciplinary matter (2019).
How many notifications will the district need to make for older incidents with personal or sensitive information — files that didn’t need to be currently connected to the internet?
Earlier this year, the Pennsylvania legislature considered an act that would prohibit local governments and school districts from using taxpayer dollars to pay ransom unless the governor declared an emergency. Victims would also have to notify the state within an hour of discovery of an attack. The bill passed in the Senate, but stalled in the House, and there has been no further action on it.
DataBreaches sent an email inquiry to Vice Society to ask whether MASD had responded to their demands or communications at all, and whether such laws would have any impact on whether Vice attacked a district or not. If a reply is received, this post will be updated.
Updated October 14: A Vice Society spokesperson responded that the district had communicated for a while, but then stopped. In response to my question as to whether any law prohibiting ransom payments would influence their decision to attack a public school district or not, they replied:
We don’t care about laws. Any attacked company is glory or money. They can choose what to give us. We love both of it.