On May 26, DataBreaches.net reported on a ransomware attack on Clover Park School District in Washington state. The story had originally been broken by KIRO7, who had been sent screencaps by a district employee.
As of May 26, and even as of June 2 in its last posted update, the district referred to the incident as a “system outage,” but it was clear that this was a cyberattack and that the threat actor(s) claiming responsibility for it were calling themselves “Pay or Grief” (or just, “Grief”). The threat actors demanded $350,000 in monero.
When the district didn’t pay, the threat actors began dumping data, as they had threatened to do. As of yesterday, they had dumped a number of folders containing employee/personnel information. Although there was a folder labeled “Students,” there was very little student-related personal information.
The information on employees or former employees included exit interviews and approximately 50 files with disciplinary actions about named employees. Some files had plans of improvement or probationary information on named employees.
We also noted approximately 200 folders with workers compensation or injury-related files on employees. As would be expected, such files contain personal and medical/health-related information like name, date of birth, address, telephone number, Social Security number, date and description of accident, diagnosis, and treatment information, activity prescription forms, and provider information. Some also contained health insurance claims forms and driver’s license numbers.
There was also a folder with unemployment claims-related information on former employees. We saw very little payroll records for named employees. Much of the payroll and budgetary files concerned salary schedules but not actual weekly payroll or W-2 information on employees. Retiree lists, however, contained SSN for retired employees.
The threat actors also dumped a list of what they claim is all of the district’s machines (25,941).
Perhaps one of the most concerning folders was one with almost 400 files containing sensitive matters involving employees. Many of these were older files, but unencrypted and with the employees’ names. DataBreaches.net is redacting one file from that folder to demonstrate how very sensitive material was on the server despite it being quite old.
In another old and unencrypted file, we found a list of named employees who had been investigated for off-duty conduct. The employees’ names and dates of termination or action are redacted by us:
Yesterday, DataBreaches.net sent an inquiry to the district with a number of questions about this incident, but we got no reply. Today, however, we discovered that they filed a notification yesterday with the Maine Attorney General’s Office. That notification indicates that on May 17, 2021, they became aware of suspicious activity impacting their computer systems and immediately commenced an investigation.
The investigation determined that an unknown actor took and may have viewed certain information during a period of unauthorized access to our computer systems between May 12, 2021 and May 26, 2021. After conducting a thorough review of the potentially impacted computer systems, CPSD determined on or around June 22, 2021 that personal information pertaining to some individuals may have been included in the potentially impacted computer systems. The information that could have been subject to unauthorized access includes name, address, and Social Security number.
“Could have been subject to unauthorized access?” For some, it was exfiltrated and dumped. And for some employees, it was not just those three elements, of course.
The district mailed notifications to 1,583 people. The notification letter, which appears below, offers those affected 12 months of credit monitoring services. The district states that it is also working to implement additional safeguards and training to its employees.
The district’s notification does not (yet) appear on their web site.
At this point, the threat actors may have dumped all of the files they exfiltrated as what we looked at was about 5 GB of data, which is what they originally claimed to have exfiltrated.
Clover Park School District - Exhibit 1 - MEReporting by Dissent and Chum1ng0