Update: Norman Public Schools’ employee and student data leaked on dark web by ransomware gang

On Nov 4, DataBreaches noted that Norman Public Schools (NPS) in Oklahoma reported what they described as a “malicious ransomware attack.” Since then, the district has worked to restore all services.

Because the district did not respond to the threat actors’ ransom demands, this week the Hive ransomware team publicly claimed responsibility for the attack and has now started leaking data.

Yesterday, NPS posted an update. The November 23 update stated, in part:

WHAT INFORMATION WAS INVOLVED?
NPS collects the following types of information relating to staff: names, addresses, Social Security numbers, and financial account numbers for payroll purposes. This information, which NPS collected from current and former NPS employees – including substitute teachers and summer staff – was potentially impacted.

For the 2022-2023 school year, NPS collected names and Social Security numbers for enrollment purposes. Please note that not all families provided that information to NPS during enrollment. However, if provided to NPS for this year’s enrollment, Social Security numbers of students were also potentially impacted. The investigation is still underway to determine if other student information was potentially impacted.

From data that Hive provided DataBreaches to preview — data that they have now leaked online — and Hive’s answers to DataBreaches’ questions, below, it seems clear that student information was impacted. It also seems clear that some employees had their names and Social Security numbers stolen and leaked. Whether more data remains to be leaked is unknown to DataBreaches, but given Hive’s claims and their usual methods, it seems likely.

On November 22, Hive contacted news outlets to claim responsibility for the attack on NPS. They claimed to have acquired more than 311 GB of data, including what they described as

– backups made up-to-lock-date
– contracts, nda and other agreements documents
– company private info (budgets, plans, evaluations, school buildings floor and wire blueprints etc.)
– employee info (social security numbers, emails, addresses, phone numbers, photos, insurance info, payments, etc.)
– students info (social security numbers, emails, addresses, phone numbers, photos, insurances info, payments, etc.)

DataBreaches responded to Hive’s email with some very specific questions. The questions, and Hive’s emailed answers, have been edited lightly for brevity and clarity:

DataBreaches (DBN): How did you gain access?
Hive (H): Norman Public Schools fell victim to a phishing attack.

DBN: When did you first gain access?
H: October 16, 2022.

DBN: How long were you in there before the ransomware was deployed?
H: 18 days before we encrypted this network.

DBN: Did they detect you at all or not until ransomware was deployed?
H: NPS IT department didn’t detect us at all before the ransomware attack.

DBN: You said you downloaded “backups made up-to-lock-date.” Did you lock or delete their backups? Have you deleted any files?
H: Yes, backup servers have been locked also. We didn’t delete any files from their network except those we made for our work.

DBN: Do you still have any access/backdoor?
H: We don’t have access/backdoor to this network anymore.

DBN: Did you get access to any folders or systems that have sensitive info on students?
H: Yes, we had access to files that contain sensitive info on students, such as vaccination records, insurance records, household info, parents’ income statements, addresses, etc.

DBN: Can you estimate how many unique employees you got info on? How many unique students?
H: The estimated number of unique employee records we have is about 3850. The estimated number of student records is above 5000.

DBN: How much did you demand in ransom?
H: $950 000. We were ready to negotiate, but NPS management refused to collaborate.

DBN: If you know, how much cyberinsurance for a breach does NPS have?
H: We don’t have such information about insurance.

After receiving the above from Hive, DataBreaches contacted NPS via email to ask them about Hive’s specific claims. No reply was received, but NPS posted the November 23 update shortly thereafter. Whether NPS saw DataBreaches’ email and/or the data leak before posting their update is unknown to DataBreaches.

As suggested above, however, preliminary inspection of the leaked data supported several of Hive’s claims. For example, there are a number of files with student information that appear to be records for students who had either been classified with an educational disability or as qualifying for an accommodations plan (a “504 Plan”). A file skimmed by DataBreaches seemed to be a follow-up analysis that listed the students, their educational disability category, some personal information, and what happened to them (e.g., “transferred to another school,” “graduated with a diploma,” etc.). The following represents the fields/column headers in a file with records on numerous students (not all fields were populated):

DistCode DistName BillingCode SchoolName SchoolCode Grade PrimaryDisability PrimaryDisabilityCode SecondaryDisability SecondaryDisabilityCode Age Gender StudentCode STN SSNumber StudentsFirstName StudentsMiddleName StudentsLastName DateOfBirth Race ReferralDate EligibilityDate LastIEPDate IEPEndDate PrivateSchool TeacherOfRecord TeacherOfRecordCode MedicaidNumber DateExited ExitReason ExitReasonCode NumOfIEPS DaysUntilElig DaysUntilIEP Eligible InstrPercent RelPercent TotPercent Transportation HoursOfService Status DateAdded WeeklyServiceHours NextSchool NextSchoolCode 504Eligible Last504EligibilityDate 504EligibilityEndDate Last504PlanDate 504PlanEndDate ELL SuspectedDisability SuspectedDisabilityCode

Other files skimmed by DataBreaches included students’ date of birth, guardians’ names and telephone numbers, and other details such as response to a household survey that inquired about family income.

DataBreaches also noted a file with employees’ names and social security numbers that matched Hive’s estimate to DataBreaches of about 3,850 employees’ SSNs. DataBreaches did not see any payroll databases or files with employees’ direct deposit account information. Nor did DataBreaches spot any files with W-2 information, although it is not clear how much more data Hive may still be holding back.

In its update yesterday, NPS indicated it is offering those affected mitigation services:

Additionally, NPS is offering identity theft protection services to all potentially impacted individuals for twelve (12) months, through IDX, the data breach and recovery services expert. IDX identity protection services include credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, IDX will help you resolve issues if your identity is compromised.

These services will be made available starting next week in addition to a call center for support and assistance with enrolling in these services. We will supplement this notice with the appropriate information once the services are available.

NPS’s updates on this incident can be found on their website. In light of the data leak, those affected would be wise to enroll in any services, and to also consider placing a security freeze on their credit reports so that anyone trying to open a new account that requires a credit report would not be able to do so. A credit report freeze will not stop bad actors from opening accounts that do not require a credit report check, however.

To be on the safe side, parents of minor children may wish to file inquiries with credit reporting agencies such as Equifax, Experian, and TransUnion to make sure that there is no credit report in their child’s name that they did not previously authorize. If a credit report is found, inform the credit reporting agency that it is your minor child and the report should be removed.

DataBreaches will continue to monitor this incident for updates and will post updates as indicated.

About the author: Dissent
