Ransomware group posts Minneapolis Public Schools data to dark web

Minneapolis’ public school district is examining stolen data that was published on the dark web on Friday by the Medusa ransomware group.

On March 7, Medusa added Minneapolis Public Schools (MPS) to its list of victims, giving them 10 days to pay a $1 million ransom before it would leak files. The group officially published the information on Friday morning, the district confirmed, leaking troves of data that allegedly dates back to 1995.

Ian Coldwater, a cybersecurity expert and an MPS parent himself, said the data included current and former student records, parent contacts, home addresses, IDs with pictures, grades, sensitive disciplinary and health records, budgets, contracts, grant information, building layouts, payroll and human resources information, and more.

The school district serves about 34,500 students.

Minneapolis Public Schools data has been published by Medusa Team.

Data includes a child’s group pdf, 1099s, departmental funding… pic.twitter.com/uDldHdDMV3

— Dominic Alvieri (@AlvieriD) March 17, 2023

In a statement, MPS said it is working with cybersecurity specialists to “quickly and securely” download the data so that they “can conduct an in-depth and comprehensive review to determine the full scope of what personal information was impacted and to whom the information relates.”

“This will take some time. You will be contacted directly by MPS if our review indicates that your personal information has been impacted,” the district said.

MPS confirmed that it has already reviewed a sample of data leaked on March 7 and will be contacting those affected by email and physical mail. Victims are being offered free credit monitoring and identity protection services through Experian but they did not say how long the protection will last.

They urged anyone who accessed MPS devices from personal accounts to change passwords and warned all parents and employees to be wary of suspicious emails and phone calls.

“Please understand that MPS continues to provide information to the public as we learn and discover more. MPS has taken a stance against these criminals and has fully restored our systems without the need to cooperate with the criminal,” the school explained.

In its announcement of the attack — two weeks after it had occurred on February 18 — the Medusa ransomware group released a heavily-produced 51-minute video that showed the hackers sharing screenshots of the data they had stolen.

Emsisoft ransomware expert Brett Callow said it was the first time he recalled seeing a ransomware gang use this particular tactic during a negotiation.

The video included shots of stolen emails, student grades, building layouts, payroll information and more from MPS.

On Friday, MPS parent and cybersecurity expert Coldwater wrote on Twitter that the district had sent a letter to parents that he characterized as “dismissively flippant.” In the opening sentence, the letter described the dark web as “a part of the internet accessible only with special software that allows users to remain untraceable.”

The breached data for Minneapolis Public Schools was released this morning, and MPS sent out a dismissively flippant email about it.

Despite the district's attempts to downplay this, it is a really big deal. I'm not telling you to panic. I'm telling you to know and prepare. pic.twitter.com/kTp34Truto

— Ian Coldwater (@IanColdwater) March 17, 2023

Cox called “on policymakers and leaders to take swift and comprehensive action on a federal response to the growing number of these types of events.”

“While we will keep doing everything in our power to prevent and respond to these sort of events, districts, cities, and other public entities need support and expertise—both preventative and in response to these sorts of things,” she said.

The incident heightens concerns about the massive amount of data leaked onto the dark web when schools refuse to pay ransoms following cyberattacks. Last month, the mental health records of thousands of Los Angeles K-12 students were found leaked across the internet after a ransomware attack last year by the Vice Society ransomware group.

Education news outlet The 74 reported that the sample of data leaked by Medusa from MPS included records related to “student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.”