Hackers Release Sensitive Data on Thousands of Students After US School District Refuses to Pay Ransom

Clark County School District was targeted by hackers last month and when it refused to pay the ransom, sensitive data including social security number and addresses were leaked

Hackers mostly target government agencies and large companies through phishing attacks to plant malware and steal data. However, of late, with educational institutions moving online due to the ongoing Coronavirus pandemic, hackers are taking advantage of the situation to launch cyberattacks.

In one of the incidents, a public school district in the U.S. was targeted with a ransomware attack and when officials refused to pay the ransom, the hacker group released the data containing sensitive information of students and employees.

The ransomware attack happened in August at Las Vegas' Clark County School District (CCSD) that has over 320,000 students. CCSD confirmed that data might have accessed and stolen during the attack. While previously schools had faced such cyberattacks, the data that was acquired was not leaked online even if the ransom wasn't paid.

But in the case of CCSD, in a first, hackers dumped 23 GB of sensitive information on students and employees including grades, social security numbers, names and addresses.

Clark County School District came under cyberattack last month (representational image) Pixabay

CCSD Notifies Parents

CCSD notified the parents and employees about the ransomware attack last month but couldn't verify whose data was stolen. But cybersecurity company Emsisoft verified the claims, first reported by Wall Street Journal. Now, that the hackers have posted the data on their website, CCSD said that it would cooperate with the law enforcement and would notify the victims of the data leak.

"National media outlets are reporting information regarding the data security incident CCSD first announced on Aug. 27, 2020. CCSD is working diligently to determine the full nature and scope of the incident and is cooperating with law enforcement. The District is unable to verify many of the claims in the media reports. As the investigation continues, CCSD will be individually notifying affected individuals," CCSD said in a statement on Monday (September 28).

Data leak
The hacker group leaked data of students and employees online Twitter/ Tan Yongrui

Should Victims Pay Ransom?

The incident brings to the question: should victims pay the ransom? However, it's a tricky one for many organizations. Often rebuilding a server involve huge cost and that compared to paying ransom in thousands of dollars seem like a better deal.

WSJ's investigation revealed that some districts that faced cyberattacks paid between $25,000 to $200,000 as rebuilding server could cost more and also delay classes for weeks. However, on the other hand, paying ransom motivates the hackers and cybersecurity experts discourage that strongly.

"If an organization pays, the criminals pinky promise to destroy the stolen data. These attacks happen for one reason and one reason only: they're profitable," Brett Callow told 8 News Now. He added that the only way to stop hackers from using ransomware attacks is to make them unprofitable by not paying ransom.

Callow said that the hacker group released some non-sensitive information on September 14 warning CCSD of the consequences but as it didn't pay the ransom, last week, the group uploaded more sensitive data on their website. "CCSD is to be commended for taking a stand," he added.

1 of 2

Parents, Teachers Concerned

With the data release, there is an obvious concern among teachers and students. Nevada Parent-Teacher Association president, Rebecca Garcia, said that some of the members of her group were concerned about the data breach as they didn't hear anything from CCSD.

However, CCSD has started sending emails to the victims and has also set up an assistance helpline (888-490-0594) for them. The school district has also urged parents and employees to contact credit bureaus to put a security freeze on the credit report. By using social security numbers, hackers or people with malicious intent can attempt to get credit reports.

"At this point moving forward, we need transparency, and we need to know what's going to be done to address it, from a data security standpoint. And as parents, what we need to be aware of in monitoring and tracking our students' identities moving forward," said Garcia, whose three children are in Clark County schools.

Related topics : Ransomware