On August 10, DataBreaches.net reported on several school districts hit by ransomware attacks. One of the districts discussed in that report was Palos Community Consolidated School District 118 in Illinois.
In that section of the report, DataBreaches.net summarized some of the personnel and student data we had found in the threat actors’ data dump:
There were dozens of scanned tax forms for federal and state returns that contained employee information such as SSN. We also noted a spreadsheet with names, addresses, birthdays, cell phone numbers, and home phone numbers of employees. Other files contained more sensitive personnel information such as complaints about harassment.
There were also files with student information for the past few years. Some of the information in these files would be education records that should be protected under FERPA. There was no indication of any student databases being dumped, however.
And we reported the district’s reply, which included the following statement:
Based on our investigation, we have no reason to believe that our student database or financial software system was breached or otherwise compromised. Likewise, based on our investigation, we have no reason to believe that personally identifiable student or staff information was breached or otherwise compromised.
The district had provided that same statement to this site in response to our first inquiry on April 8 and then in August.
DataBreaches.net commented on their statement:
Except…. we saw personnel and student information in the dump, so why are they saying that, “we have no reason to believe that personally identifiable student or staff information was breached or otherwise compromised?”
On August 18, this site was contacted by Carol Thompson, Investigative Producer for WBBM-TV CHICAGO. She inquired about our report and asked if we had any proof or documentation. This site responded by sending her some screencaps taken from the data dump as well as a copy of the correspondence this site had received from the district. Because this site’s correspondence to the district has not been published before, and because CBS claimed that the district did not seem to realize personal information had been dumped until their reporter showed them, we are reproducing the content of the email that the district received in April and again on August 2 from DataBreaches.net — correspondence that they acknowledged receiving:
Dear Dr. Scarsella,
I report on cybercrime on DataBreaches.net and am doing an article on attacks on k-12 districts by threat actors known as Pysa.
I see that they attacked Palos 118 last year and dumped data from both employees and students. For the former, I noted personnel info that included their SSN. For students, I noted files that included information that would not be directory information under FERPA and should be protected.
Can you tell me how the district responded to this incident? I could find no notice on the web site (is there one?). Nor could I find any other notices or statements.
Did the district send letters by postal mail to all former and current employees whose personal and/or financial information was dumped? If so, did it offer them any credit monitoring and identity restoration services?
And what about the students? Were they or their parents sent any letters about the breach?
Thank you for your time. We plan to publish something within the week, so your prompt response would be greatly appreciated.
After receiving the screencaps of data, CBS’s Thompson thanked this site and wrote that “for vetting purposes,” they would need copies of tax returns so they could contact people to verify. I responded that if they wanted more screencaps, they should just send their reporter to the threat actors’ leak site to get them. I had also recommended they speak to Doug Levin. I did not respond to Thompson’s inquiry as to whether I would take a call from their reporter but did ask them to credit this site with first reporting the issue and any help we had given them.
Apparently that was too much to ask for.
CBS has published a news story that claims that parents and students weren’t aware of the dump of their data. That is likely accurate as parents may never have read this site’s coverage. And the story’s point about there needing to be a requirement for districts to disclose and notify is well taken. But it is not accurate to say that the district had no clue until their reporter contacted them as this site had told the district twice that PII was dumped.
One can and should ask the district why, when this site contacted them in both April and August to say we saw PII on the dark web, did they not follow up with us by having their investigators contact us to ask us for screencaps or to have their investigators take another look at Pysa’s leak site? DataBreaches.net generally does not attach screencaps to notifications or inquiries as entities may be afraid to open the emails or click on attachments. Had they responded with a request for more information, we would have happily provided it.
You’d sure think professional journalists would credit their sources. How infuriating.