Image: Giulia Squillace via Unsplash+

Minneapolis school district says data breach affected more than 100,000 people

Minneapolis Public Schools has begun notifying more than 100,000 people that their personal information may have been leaked after a cyberattack early this year.

The school system started sending letters late last week, according to local media reports, and on Tuesday a notice posted on Maine’s data breach notification site said that 105,617 people were affected.

The Medusa ransomware group claimed the attack on March 7, demanding $1 million to decrypt MPS systems. The school district did not pay up. Ten days later the gang leaked data — including what appeared to be highly sensitive student files — and it posted a 51-minute video that included screenshots of the allegedly stolen information.

In its notification letter, the school district said it would have informed victims earlier, but it needed time for a “comprehensive review” to determine “whether sensitive information was present” in the leak.

“This process was time-intensive and required both computer-assisted and manual review,” the letter said. “This process was completed on July 24, 2023. Although it has been difficult to not share more information with you sooner, the accuracy and the integrity of the review were essential.”

The Associated Press had reported in early July that students and families were frustrated with the lack of formal notification from the district. The Daily Dot reported Tuesday that families have emailed administrators about various examples of fraud and other abuses that seemed to stem from the data breach.

The breach began February 6 and continued until at least February 18, when MPS said it became aware of the “suspicious activity” and notified law enforcement. The district said a “preliminary review” had been completed on March 22, and on April 7 it “sent notice to a limited number of known impacted individuals.”

MPS said it is providing 24 months of credit monitoring and identity theft restoration services. It also has created a dedicated phone line for victims of the incident.

“As part of MPS’s ongoing commitment to the security of information, our policies and procedures regarding information security are being reviewed and enhanced, additional safeguards have been implemented, and additional training is being conducted to reduce the likelihood of a similar event in the future,” the letter said.

The incident, which MPS initially called an “encryption event,” disrupted systems for about a week in late February.

Image: Ransomware Tracker - Reported Ransomware Attacks on School Districts

Since then, it’s been a tough year for school districts around the country as ransomware groups continue to target exposed systems. Recent victims include districts in Pennsylvania and Maryland. Another set of Minnesota schools — in the city of Rochester — faced a cyberattack not long after the Minneapolis incident.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years' experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.