On September 15, DataBreaches reported LockBit3.0 had added Hillsborough County Public Schools in Florida to their dark web leak site. There is currently less than two days left on their countdown clock to leak data, although LockBit3.0 does not always strictly follow up with their own deadlines.
While the district originally reported on September 5 that they had no evidence student data had been affected, they have now notified 254 families that personal data of students may have been accessed. WTSP reports:
An e-mail from the schools’ chief of communications said the data may have included a student’s name, date of birth, student ID and state ID number, which could correspond to the student’s social security number. The data may also have included information about visits to the school nurse’s office during the 2021-2022 school year.
The full text of the letter is reproduced on WTSP.
If 254 families are the full extent of student data involved, the district should consider itself somewhat lucky– or maybe they had decent security. LockBit claims to have 2 TB of files, but as DataBreaches reported after viewing the proof of claims files and the file tree, there did not seem to be a lot of current personal information. DataBreaches had reported seeing one file that would be consistent with what the district disclosed about visits to the school nurse.