DataBreaches.Net


Two ransomware groups claimed they attacked Rutherford County Schools. One leaked sensitive records. (UPDATED)

Posted on January 7, 2025 by Dissent

From the “Wait-What-Happened-Here Dept:”

On October 19, the Black Suit ransomware group announced that they had attacked Rutherford County Schools in Tennessee. Their listing, posted on their dark web site, included what appears to be an indication of what data and how much data they were able to exfiltrate. It did not indicate whether they encrypted the district’s files, or what any ransom demand amount was.

Listing on Black Suit’s leak site. Image: DataBreaches.net.

Unlike some groups that post proof of claims, Black Suit did not upload any screenshots or files to prove they had data.

More than two months later, the listing is still there, which suggests that the district never paid any extortion demand, but there is no update and nothing to indicate that any data has been sold or leaked.

Did Rutherford County Schools ever make any statement about the October claims?  DataBreaches sent an email inquiry about that.

Shortly after publication of this article, DataBreaches received a reply to this site’s inquiry about the Black Suit listing. James Evans responded:

We were not involved in a cyber-attack from Blacksuit in October. That was a different Rutherford County Schools.

So even though Black Suit specifically linked to and named the Tennessee district, RCS says it wasn’t them. That’s another example of why it’s always important to look for proof of claims.

Rhysida leaks sensitive data

On December 11, the Rhysida group announced that they had attacked Rutherford County Schools in Tennessee.

Current listing on Rhysida’s leak site. Image: DataBreaches.net

The current listing indicates that 60% of 1.2 TB of data they claimed to have acquired was being leaked with a message, “Not sold data was uploaded, data hunters, enjoy.”

The leak contains a great deal of sensitive records on students and employees. Inspection of some of the more than 9,000 files in a health records folder uncovered reports on students who were seeking or referred for home study due to physical or psychiatric issues. The reports contained detailed information on the student, the family, the reason for the referral for home study, any medications the student was on, and other details. Other files were health information requests with reports from physicians, allergy action plans, and other medically- or health-related information on named students. The files that DataBreaches skimmed appeared to be from 2015 – 2022.

Other files in a folder of SPED (special education) records also contained a great deal of personal information on students and their families, as these records often contained reports with psychoeducational evaluations for students who had been referred for special education services and an Individualized Education Program (IEP) or 504 Accommodation plan. Such evaluations contain IQ testing, interviews, academic achievement tests, physical examination reports, and social histories. There appeared to be about 30,000 files in .pdf or .tif format. Many of the .pdf files had a coversheet that indicated the files were for scanning. The cover sheets conveniently provided the student’s name, date of birth, student ID number, and Social Security number.

There was also a folder from Human Resources that contained thousands of employee files such as contracts, direct deposit applications, and other employment-related information. DataBreaches spotted forms with employment contracts with full Social Security numbers, photo IDs, and transcripts. The files skimmed appeared to be from 2015 through October 2024. As a quick estimate, there appeared to be about 30,000 files.

The release of the student and personnel information is likely to cause significant distress to the students, parents, and employees. The data that DataBreaches skimmed were all in .pdf format or .tif (for the larger evaluation packets of students).  DataBreaches did not examine the entire tranche to see if there were any databases that might make misuse of information more convenient. But as inconvenient as .pdf files or .tif files might be for criminals, they still pose a significant risk to individuals whose information can be extracted and used for purposes of identity theft or to embarrass or extort families or former students.

Whether the threat actors have really sold any data or will be leaking any more data is unknown to DataBreaches at this time.

Protect Yourself

As a reminder: FERPA, the federal law protecting the privacy of education records, does not require a school district to send parents or students individual notifications of a breach involving a student’s personal information or education records. Nor does it require notification to employees of any breach of their information records.

Notifications may be required under Tennessee state law, however.

Former or current students over the age of 18, their parents, and current and former employees would be prudent to immediately place a security freeze on your credit report if you have not done so already. See this information on how to place a security freeze from USA.gov.

There is no fee to place a security freeze on your credit report, and if you ever need to lift it, it can usually be lifted over the phone quickly and then restored when you want it restored.  It will prevent criminals from opening accounts using your identity information if a credit check is required to open the account. It will not prevent criminals from opening accounts using your information if a credit check is not required. For that reason, everyone who had their information stolen should consider filing a police report so that there is a record that your information has been stolen. Current and former employees may also wish to notify their banks and credit card issuers that their information has been compromised so that they can update any passwords and put a flag on the account in case of suspicious behavior.

If you log in to bank accounts online or conduct transactions online, this might be a good time to run a security scan on your computers and devices to make sure they are clean. Then change your passwords on your important accounts and add two-factor or multi-factor authentication so that no one can access your bank account online without that second authentication protection.

Those under 18 years of age should not have any credit report unless they had been authorized to use a parent’s credit card at some point, but parents may want to verify that their minor child has no credit report. See this information on how to check from the Consumer Financial Protection Bureau.

Current Status of the Breach

The district reportedly first discovered the breach on November 25, when the district’s network system became disrupted. Anosha Shariq of VPNRanks reports that the data were leaked after the district failed to comply with a $2 million BTC ransom demand.

The district reopens today after the winter break and classes for students resume tomorrow.

The most recent update on the district’s website was posted on December 27:

Latest updates: RCS network disruption

December 27, 2024

As you are aware, Rutherford County Schools experienced a network and systems disruption on November 25, 2024.  Our team has been investigating this matter, with the assistance of third-party cybersecurity specialists, to determine the nature and scope of the event.

The cybersecurity specialists have informed us that some employee personal information was subject to unauthorized acquisition. We do not believe it includes all of our employees, but we are conducting a thorough investigation. In addition, some student information was subject to unauthorized acquisition.

The investigation will include a thorough review of the data that was potentially impacted. Once our review is complete, we will notify affected individuals in accordance with applicable laws.

Thank you,
Jimmy Sullivan, Ed.D
Director of Schools
Rutherford County Schools

Category: Breach Incidents, Education Sector, Malware
