**School Ransomware Attacks: Exposing Sensitive Student Data**
*Confidential Documents Exposed*
Confidential documents stolen from schools by ransomware gangs and dumped online reveal horrifying details of student sexual assaults, psychiatric hospitalizations, abusive parents, truancy, and even suicide attempts. These documents, which include complete sexual assault case folios, were among more than 300,000 files leaked online after the Minneapolis Public Schools refused to pay a $1 million ransom. The exposed data also included medical records and discrimination complaints.
*Schools as Prime Targets for Criminal Hackers*
The digitized data within the nation’s schools make them prime targets for criminal hackers who are actively seeking out and stealing sensitive files. However, school districts are often ill-equipped to defend themselves against such attacks, leaving them vulnerable. This is especially concerning as schools are already struggling with the aftermath of the pandemic and facing budget cuts.
*Victims Left Uninformed*
Months after the Minneapolis attack, school administrators have failed to deliver on their promise to inform individual victims about the exposure of their private information. Unlike hospitals, there is currently no federal law in place to require schools to notify individuals in such cases. As a result, families of students whose sexual assault case files were exposed only learned about the breach when contacted by reporters.
*Insufficient Response to Attacks*
Even when schools detect a ransomware attack in progress, the data is usually already lost. An example of this is the Los Angeles Unified School District, which discovered an attack last Labor Day weekend but had already lost the private paperwork of over 1,900 former students by the time it detected the breach. The long-term effects of school ransomware attacks go beyond closures and recovery costs, causing significant trauma to staff, students, and parents due to the exposure of private records.
*Schools Lag Behind in Cybersecurity Measures*
While other targets of ransomware attacks have implemented robust cybersecurity measures, school systems have been slower to react. Ransomware attacks have significantly impacted over 5 million U.S. students, and the number of district attacks is expected to rise. School districts need to prioritize the implementation of stronger cybersecurity measures to protect student data.
*Lack of Transparency and Slow Response Time*
Schools are often advised not to be transparent about these attacks due to concerns about legal liability and ransom negotiations. This lack of transparency causes frustration among parents and teachers. Minneapolis, for example, initially described the attack as a “system incident,” “technical difficulties,” and later an “encryption event.” This delayed response can have severe consequences, as ransomware groups often share stolen data online, putting pressure on schools to pay the ransom to avoid further exposure.
*Underinvestment in Security*
During the COVID-19 pandemic, school districts prioritized spending on internet connectivity and remote learning, while neglecting to invest in cybersecurity measures. IT departments focused on tools to track student engagement and performance, sometimes compromising privacy and safety. Cybersecurity funding for public schools is limited, with only a small portion of the $1 billion in cybersecurity grants distributed by the federal government available for schools.
The leaked confidential information from ransomware attacks has lasting impacts on the victims. Families of the Minneapolis students whose sexual assault complaints were exposed feel violated, as this sensitive information is now available online indefinitely. The lack of adequate cybersecurity measures leaves students and their families vulnerable to severe breaches of privacy and potential harm.