On October 7, the Manhasset Union Free School District revealed that it may have been the victim of a ransomware attack.
There can no longer be any doubt that they were attacked. Over the weekend, Vice Society threat actors dumped the district’s data on their dark web leak site. Inspection of some of the files suggests that the Long Island school district may have a lot of explaining and apologizing to do to worried or angry students, parents, and employees.
As DataBreaches.net observed in all too many breaches by now, in addition to more current files, there was a lot of old data in plain text that is now in the wild for anyone to download freely. There are numerous files involving current and former employees as well as current and former students (and in some cases, their parents). How old, you wonder? How about more than a decade?
In some respects, the records or files involving students are more sensitive or concerning. There are Individualized Education Programs (IEPs) for special education students — documents that are supposed to be confidential under the Individuals with Disabilities Education Act (IDEA). There are other old files with letters to parents explaining why their child has been suspended from school or how their child may not graduate if they don’t pull up their grades — education records that should not be publicly available under FERPA. There are also files with students names, date of birth, and allergies or health conditions, including one list with the entire 7th grade student names and medical conditions. Those records, too, should be protected under FERPA. Even material that may reflect positively on students — such as letters of recommendation for named students — contain personal information that should not be public.
With respect to personnel-related files, DataBreaches.net did not look through all of the files, but did not spot any major payroll or human resources databases, although some information on salaries could be found across various documents. There were also other employment-related documents, including some very sensitive personnel investigations and matters — files that are quite old.
DataBreaches.net is aware that under the federal Family Educational Rights and Privacy Act (FERPA), school districts do not have to notify students or parents of breaches involving education records, but they are required to make a note of the disclosure in the student’s records. Will the district have to access and annotate student records from more than a decade ago?
And apart from any considerations under FERPA, there is also New York State law that may apply in some cases to employee data.
So who will be notified of this incident, and how? Will any of those impacted be offered any mitigation services? And how will they deal with those whose files included serious allegations of misconduct or rumors of wrongdoing? DataBreaches.net sent an email inquiry to the district asking them how they were responding to the incident in terms of notifying the many people whose personal information has been exposed, and will update this post if a reply is received. [SEE BELOW FOR UPDATE.]
DataBreaches.net also reached out to the threat actors to ask them if the district had responded to their extortion/ransom demands at all, and if so, with what result.
“Their offer was too low so we decided to publish it [the data],” Vice Society’s spokesperson wrote to this site. They did not reveal how much they had demanded or what the district’s alleged offer was.
Vice Society also declined to tell DataBreaches.net how they gained access to Manhasset School District or to comment on the district’s data security, other than to tell this site that “It wasn’t hard” [to successfully attack them].
UPDATED OCTOBER 19: The following is the text of the letter sent home from the district, provided to DataBreaches.net by the district. Note that they say they had been able to restore from backup because they had segmented the network.
October 18, 2021
Dear Manhasset School Community,
As we have previously communicated, criminals encrypted the school district’s computer systems with ransomware last month. In response, we alerted law enforcement and worked with cybersecurity experts to investigate the incident. Due to security updates completed by our network engineers and IT staff that included network segmentation, we were able to restore our computer systems from backups. As such, the District did not make any ransom payment to the criminals.
We were notified that yesterday, the criminals posted certain files to the dark web that they stole from our servers. We are currently reviewing these files, and we will provide direct notification, in accordance with applicable laws, to any individual whose personal information was potentially acquired by these criminals. Direct notification will contain additional information about the incident and describe measures that can be taken to protect affected individuals from identity theft. For those individuals whose Social Security numbers and/or driver’s license numbers were contained in the stolen files the direct notification will also include instructions regarding how to enroll in complimentary credit monitoring.
In the interim, we encourage you to remain vigilant by regularly reviewing your credit reports and financial account statements for any unauthorized activity. If you see charges or activity that you did not authorize, please contact the relevant financial institution immediately.
Our District was the victim of a criminal enterprise, and we understand how upsetting this is for our community. Unfortunately, ransomware attacks have been on the rise. We are one of the latest victims in this growing trend which has targeted other school districts, hospitals, and municipalities across the country. The District takes data security very seriously, and we are implementing several additional measures to enhance our security in an effort to prevent an incident like this from reoccurring in the future.
Dr. Gaurav Passi
Acting Superintendent of Schools