
Kept in the Dark: Inside the Minneapolis Schools Cyberattack

A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.

Daniel Zender/麻豆精品


Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened.

The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin.

Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by 麻豆精品 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.”

The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security.

Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports.

Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter.

The district didn’t respond to requests for comment.

As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by 麻豆精品. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack.

“The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.

A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by 麻豆精品 through a public records request, provides an early account of the incident. (Screenshot)

Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly.

“Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to 麻豆精品’s request for comment.

Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions.

The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.”

Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by 麻豆精品, include confidential and highly sensitive records about individual students and teachers.

It wasn’t until September 2023 — seven months after the attack — that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.

“Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

This story was supported by a grant from the Fund for Investigative Journalism.
