More than six months after the hacker or hackers known as TheDarkOverlord hacked and terrorized School District 6 in Columbia Falls, Montana, the district has sent parents breach notification letters revealing what they were able – and not able – to determine.
Three versions of the March 19th letter, marked “Draft” and signed by Superintendent Steven Bradshaw, were submitted to the state. The versions vary in terms of what kinds of student data they report may have been accessed. Of note, the letters make clear that the forensic examiners could not determine whether student data was actually accessed or nor, and if it was accessed, whether any data was exfiltrated. That statement was also repeated to DataBreaches.net by the superintendent when we spoke recently about the hack and its aftermath.
One version of the letter explained that:
On January 31, 2018, the District concluded its investigation into the nature and extent of the incident as it related to students’ information, including the identification of potentially affected students, as a result of unauthorized access to a District server as part of the cyber extortion incident.
The District Administration Office maintained a database containing certain student records that included your child’s name and health-related information associated with their Individualized Education Program or visit to the District nurse’s office. The forensic investigation could not rule out the possibility that the perpetrators were able to access this database. Note that this incident did not involve your child’s Social Security number.
Even though, to date, we have no evidence that your child’s information in the database containing student records was accessed by the perpetrators, or has been misused as a result of this incident, we are notifying you out of an abundance of caution and assure you that we take this matter very seriously.
A second version of the letter was sent to parents of students whose name and Social Security number, but not health information, may have been accessed. And a third version was sent to parents of students who health information, name, and SSN may have been accessed.
Parents receiving the second or third versions were offered one year of complimentary services with an Experian product for their children.
The firm hired to do the forensics was not named in the notification letter, but given that the hackers appear to have quoted material about students in their ransom letter (material that was redacted before the ransom letter was made public), it would seem obvious that not only did they have access to some server(s), but they also accessed and exfiltrated at least some data. Indeed, in statements to DataBreaches.net, the hacker(s) routinely claim how when they hack an entity, they get “everything.”Columbia-Falls-School-District-2nd-Notice