On October 7, the Manhasset Union Free School District revealed that it may have been the victim of a ransomware attack.
There can no longer be any doubt that they were attacked. Over the weekend, Vice Society threat actors dumped the district’s data on their dark web leak site. Inspection of some of the files suggests that the Long Island school district may have a lot of explaining and apologizing to do to worried or angry students, parents, and employees.
As DataBreaches.net has observed in all too many breaches by now, in addition to more current files, there was a lot of old data in plain text that is now in the wild for anyone to download freely. There are numerous files involving current and former employees as well as current and former students (and in some cases, their parents). How old, you wonder? How about more than a decade?
In some respects, the records or files involving students are more sensitive or concerning. There are Individualized Education Programs (IEPs) for special education students — documents that are supposed to be confidential under the Individuals with Disabilities Education Act (IDEA). There are other old files with letters to parents explaining why their child has been suspended from school or how their child may not graduate if they don’t pull up their grades — education records that should not be publicly available under FERPA. There are also files with students’ names, dates of birth, and allergies or health conditions, including one list with the names and medical conditions of the entire 7th grade. Those records, too, should be protected under FERPA. Even material that may reflect positively on students — such as letters of recommendation for named students — contains personal information that should not be public.
With respect to personnel-related files, DataBreaches.net did not look through all of the files, and did not spot any major payroll or human resources databases, although some information on salaries could be found across various documents. There were also other employment-related documents, including some very sensitive personnel investigations and matters — files that are quite old.
DataBreaches.net is aware that under the federal Family Educational Rights and Privacy Act (FERPA), school districts do not have to notify students or parents of breaches involving education records, but they are required to make a note of the disclosure in the student’s records. Will the district have to access and annotate student records from more than a decade ago?
And apart from any considerations under FERPA, there is also New York State law that may apply in some cases to employee data.
So who will be notified of this incident, and how? Will any of those impacted be offered any mitigation services? And how will they deal with those whose files included serious allegations of misconduct or rumors of wrongdoing?
DataBreaches.net sent an email inquiry to the district asking them how they were responding to the incident in terms of notifying the many people whose personal information has been exposed, and will update this post if a reply is received.
DataBreaches.net also reached out to the threat actors to ask them if the district had responded to their extortion/ransom demands at all, and if so, with what result.
“Their offer was too low so we decided to publish it [the data],” Vice Society’s spokesperson wrote to this site. They did not reveal how much they had demanded or what the district’s alleged offer was.
Vice Society also declined to tell DataBreaches.net how they gained access to Manhasset School District or to comment on the district’s data security, other than to tell this site that “It wasn’t hard” [to successfully attack them].