Kept in the Dark: Inside the Somerset, Mass., School Cyberattack

A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden.

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts.

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers.

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by 麻豆精品 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 

The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000.

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers.

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by 麻豆精品 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment.

The district didn’t respond to requests for comment for this story.

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed.

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.”

Negotiations with the threat actor are among files obtained by 麻豆精品 through a public records request (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help.

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024.

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event.

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.”

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. 麻豆精品 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened?

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants.

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment.

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers.
