A DataBreaches.net story by Dissent and Chum1ng0

In Part 1 of this series, DataBreaches.net described a number of attacks by Pysa (mespinoza) threat actors on medical entities in the U.S. In Part 2, we look at eight K-12 public school districts in the U.S. who either appear on the threat actors' dedicated leak site or were known to have been attacked by them. Some of the districts discussed in this post became victims before the FBI published an alert in March about Pysa hitting the education sector, but some became victims after the alert was published.

As a preface, we note that Pysa are not the only ransomware threat actors attacking the K-12 sector, which has a reputation of being "low-hanging fruit" for hacks. We have also seen many other groups attacking K-12 districts. A partial listing of ransomware attacks on K-12 is embedded below this discussion of Pysa victims.

Affton School District (Missouri)

Affton School District was added to Pysa's leak site with a date stamp of February 25, 2021. Pysa mocked the district, who had publicly acknowledged the breach that day, because in a notice on the district's site, they wrote:

"We do not believe any sensitive info has been accessed and no personal data, financial information, or grades have been found to be compromised. As a routine layer of protection, this information is stored on offsite servers." — Dr. Travis Bracht

The Affton data dump was in two parts. One part contained 1099 tax statements, but the 1099s seemed to be for a softball association as the payor. There were .doc files, however, for district personnel that contained SSN, including new hires dated from 2010–2020 with employees' name, address, date of birth, position, starting salary, and SSN. Another file from 2018 includes some of the same info but also included phone number and work email addresses.
DataBreaches.net was unable to find any updates to the district's February statement online, but on April 1, the district filed a notification with the Maine Attorney General's office (because a Maine resident had been impacted by the breach). As reported previously on this site, the district reported that a total of 1,183 people were impacted by the breach. Since its earliest statement, we had not seen any statement from the district either denying or confirming whether any student or parent info was impacted, so DataBreaches.net sent an email inquiry. In response, Erica Chandler, the district's Director of Communications, responded that the district had notified employees, but had not notified students or parents because student information was not compromised.

Gering Public Schools (Nebraska)

Gering Public Schools was added to Pysa's web site with a date stamp of February 24, 2021. The district subsequently reported a breach to the Montana Attorney General's office on March 24, 2021. The metadata with the report (see image below) indicated that the attack occurred a year earlier (March 25, 2020). There was no explanation for a one-year delay in notification, and in its notification, the district claimed that it "recently learned of a data security incident." Is it possible the district only learned after February 24, 2021, if they were added to Pysa's leak site then? Had their data been encrypted but they had not known they were the victims of a ransomware incident? Perhaps. The notification letter does not tell the recipients when the incident actually occurred.

GPS's notification says that the threat actor accessed computer systems that contain some personnel information, "which may have included your Social Security number, financial account information, health insurance information, or medical information." DataBreaches.net could find no notice on the district's web site.
The notification makes no mention of student data, but inspection of the data dump revealed lists of students with 504 accommodation plans as well as four years of master lists of IEP students with name, address, date of birth, parent information, type of educational disability, whether a behavior program was also being developed for the student, and post-school outcomes. The 504 data and IEP data contain education records that are protected under FERPA. While FERPA does not have a blanket requirement that students or their parents must be notified of data breaches, we would hope that the district did make notifications. GPS did not respond to email inquiries sent this past week about that.

Zionsville Community Schools (Indiana)

Zionsville Community Schools was added to Pysa's leak site with a date of May 2, 2021. Despite being added to Pysa's site, however, Pysa's data dump is not from Zionsville and appears to be from another one of Pysa's victims. Pysa did not respond to an inquiry sent to them about the claimed attack. Nor did the district respond to a contact form inquiry of August 2 or an email of August 7. We can find no notice on their web site, no media coverage, and no report to their state attorney general's office. At this point, then, we consider this claimed attack unconfirmed.

Palos Community Consolidated School District 118 (Illinois)

Palos Community Consolidated School District 118 was added to Pysa's leak site on December 9, 2020. Most of the data in the data dump appeared to relate to personnel. There were dozens of scanned tax forms for federal and state returns that contained employee information such as SSN. We also noted a spreadsheet with names, addresses, birthdays, cell phone numbers, and home phone numbers of employees. Other files contained more sensitive personnel information such as complaints about harassment.
There were also files with student information for the past few years. Some of the information in these files would be education records that should be protected under FERPA. There was no indication of any student databases being dumped, however.

In response to inquiries from this site, Yvonne Leschkies, the district's FOIA Officer, provided the following statement:

"On December 3, the school district was the victim of a cyber-attack, the second such attack this year. As with the previous attack, with the assistance of our cyber-insurance team, […]