On November 2, DataBreaches reported that the same threat actors that had hacked and exfiltrated data from Clark County School District in Las Vegas had also hit Jeffco Public Schools in Colorado. In communications shared with DataBreaches, “SingularityMD,” as the hackers call themselves, gave the district until 5 pm today to pay them $15,000 in Monero cryptocurrency.
Unbeknownst to DataBreaches until now was that the hackers had also sent an email to Jill Ibeck, the district’s Chief Information Officer (CIO), and other staff members in response to a district email. In their email to the CIO, the hackers commented:
A global password reset for teachers is relevant and a step in the correct direction, however, if student accounts are still compromised due to the use of birthdates as passwords, and all the infinite campus for students is already leaked then, we, the hackers have access to most student accounts still, and can simply access the teacher network again as soon as a teacher makes a security blunder.
They also noted the district’s lack of response to them, adding:
Without some indication of cooperation, we have to assume that you are not planning on complying with our requests. In this case we may as well make more trouble for you to show the next school district that it makes more sense to work with us as opposed to against us.
It appears that the email did not produce the results they desired, and today, they sent another email to the CIO with an even bigger distribution list. Noting the district’s continued lack of response, they wrote:
Looking at your lack of cooperation, we anticipate that you are unlikely to cooperate with us.
We would like to make it clear that we do not want to upload all of your stolen information. We also would like to show other school districts and organizations that SingularityMD does keep its word with regards to destruction on payment.
Therefore we are willing to reduce the fee for disposal of the stolen information down to $2,000 USD in Monero (XMR).
They also indicated a willingness to extend the deadline to give the district time to consider the offer and to complete the password resets across the organization that still had not been completed.
The email also reminded the district what would happen if the hackers didn’t hear from them by the 5 pm deadline.
Five minutes before the 5 pm deadline, the hackers emailed thousands of parents and sent them the correspondence between the hackers and the district. They then sent Jeffco another email saying:
We have notified 3k parents and some news outlets, providing full correspondence. As such, we will grant a 24-hour extension to let parents weigh in on the matter.
As yet, we have not leaked any private information.
Will the district decide to pay $2000.00 to get the hackers not to leak data and to destroy what they have downloaded from the district or will they stand on principle and not pay? Will parents pressure the district to pay to protect their children’s personal information? Will teachers pressure them to pay to protect their information?
And even if they pay, what will prevent another breach if they don’t take significant steps to address security vulnerabilities?
DataBreaches will continue to monitor this incident.
Update 1: Based on questions DataBreaches received from readers, DataBreaches asked SingularityMD some additional questions.
First, in response to a question as to what they would do if a parent paid the $2,000.00 — whether they would still destroy all the data they had exfiltrated and not leak it, SingularityMD answered that yes, they would not leak the data and would destroy it.
Second, in response to whether they would still provide the district with a written report if they were paid $2,000.00 by a parent, they said that there would be no written report for that amount, but they would explain the issues.
Third, when DataBreaches mentioned that they have made an impact, since this site is hearing that not only has Infinite Campus sent out a memo but Google seems to have taken notice too, they replied, in part:
We have seen Google start to put captchas on Google Groups in what we perceive to be an attempt to prevent the extraction of a group as we have previously for CCSD and Jeffco.
They also wrote that they
suspect IC knows about it as they are recommending 2FA now for all accounts, as you pointed out. We have accessed yet another school district IC as a teacher this week and now it sends a login notice (You have logged in from a new device) to the associated email address. It did catch us out and one teacher changed their password as a result, but for the district in question, we already had access to another teacher’s email and in their case we could delete the notice before it was seen.
Update: See the latest developments in the new post, Time’s up: SingularityMD sets up to sell data from Jeffco Public Schools.