In January, the Griggsville-Perry School District in Illinois announced it had been hit with a ransomware attack. Now, two months later, Vice Society threat actors have added the district to their leak site and dumped files that they had infiltrated.
Inspection of the more than 3,000 files in the data dump revealed that most of them did not contain any personal information. Many were log files or other files relating to assignments or routine district and school functions. There were enrollment lists that named students but the lists did not include any SSN or date of birth or other information. Simply providing the names of students in each school is generally considered “directory information” under FERPA and hence, their leak would probably not be considered a breach (unless a particular student was not supposed to be named publicly for reasons of safety, but in those cases, students are often given aliases to be used).
Once again, however, we found old and no-longer needed files that did contain personal information such as a student sent for in-school suspension in December, 2014 for talking after being told not to.
Files like the suspension/disciplinary note are not considered directory information under FERPA, and although FERPA does not require the district to notify the now-former student of this exposure or breach, it’s a breach that didn’t have to happen if data were routinely purged or moved offline to storage.
Apart from some other scattered files that did contain some personal or personnel information such as W-9 forms and contract information, the only files that appeared to be of concern were more than 300 payment-related files that contained employee names and their payment information, including bank direct deposit information. The files were not recent, dating back to 2012 – 2015, but if any of those bank accounts might still in use by the employees or former employees, they need to be made aware of the breach.
DataBreaches.net sent an email inquiry to the superintendent earlier this week asking if there had been any notification sent to employees or students about this incident. No reply was received.
As far as education sector / k-12 breaches go, apart from the banking information, this appears to be a fairly low-impact breach in terms of personal information if the threat actors actually dumped all the data they exfiltrated (which they always claim that they do). If other findings emerge with additional investigation, this post will be updated.