Privacy nightmare for Toledo Public Schools: Hackers dumped student and employee data
By mid-September, it was clear that school districts were under increased threat of ransomware attacks. In fact, when Clark County School District (CCSD) in Las Vegas and Fairfax County Public Schools (CFPS) in Virginia were added to the Maze cartel’s leak site, it seemed to portend potentially big data dumps. Since that dump, Maze dumped data they claimed to have acquired from CCSD, and dumped some of the data they acquired from FCPS (an action that was followed shortly thereafter by the FCPS listing disappearing from the leak site, which may indicate that FCPS is attempting to negotiate a ransom payment with the threat actors).
But there was another school district Maze hit around that time that didn’t get as much media attention — Toledo Public Schools (TPS) in Ohio.
On September 14, DataBreaches.net reached out to TPS to ask them to confirm or deny Maze’s claim of a successful attack. TPS did not respond, and the data Maze dumped as “proof” was not proof of any attack on TPS at all — in fact, the “proof” data appeared to come from a construction firm, which is why DataBreaches.net referred to the breach claim but did not name the school district in the September post.
But now Maze has dumped all of the data they claim to have acquired from TPS, and the data appear real. Worryingly, the more than 9 GB of compressed data contains a lot of personal and/or sensitive student and employee data.
A preliminary inspection of the data reveals that a lot of demographic information on current and former students was dumped. Looking at the plain text data in unencrypted tables, we could see:
- first, middle, and last names
- student ID numbers
- Social Security numbers
- date of birth
- postal address,
- phone numbers (home, work, cell)
- dates of Individualized Education Plans
- guardian’s name,
- foster family information, and
- special education information.
In some spread sheets, scores on standardized tests were included. Other documents related to student disciplinary actions including appeals over expulsions of named students and the basis for the expulsions.
The above is not an all-inclusive list.
According to online resources, TPS serves more than 23,000 students. The readable files in the data dump are not necessarily the most current files on student records (one was last updated in 2017). But even if all students’ data was not in the accessible dumped files, it’s important to note that not only was data from more than 10,000 students readily viewable, we also saw files from past school years — students who likely graduated years ago. For example, one file with student records was from 2008. That file contained personal information on students including their Social Security numbers. So the total number of students with personal information exposed will likely exceed 20,000 when all the past records are added in.
Employee Data Dumped, Too
It was not just students who had their personal information exposed. While DataBreaches.net has not yet found any files with completed W-2 forms or direct deposit information on employees, we did spot employment and personnel-related files, including evaluations of personnel and disciplinary reports about personnel.
Just as TPS did not respond to our inquiry of September 14, they have not (yet) responded to our inquiry earlier today asking if they have notified parents, employees, and students of this breach or if they have offered them any mitigation services. This post will be updated if TPS sends a response or statement, but given that the data have been publicly available for more than 24 hours now, DataBreaches.net wanted to make sure that victims are alerted so that they can take steps to protect themselves.
If TPS has not reached out to current and former parents, employees, and students, then those possibly affected might be wise to assume that they are at risk and take steps to protect themselves and their children. Ohio’s security freeze law can be found here. A more user-friendly statement about the process and your rights can be found here. While the federal education privacy rights law known as FERPA does not require schools to provide breach notifications, the state may require notification under state laws.
As an aside, I posted a question on Twitter asking who gets notified if a former student is now older than 18. Does the district notify the parents of the former student, or do they have to try to track down the address of the former student, or just go to substitute/media notice?