This story was produced by The 74, a nonprofit, independent news organization focused on education in America.
It took two years of middle school girls accusing their Minneapolis teacher of eyeballing their bodies in a “weird creepy way” for district investigators to substantiate their complaints.
Their drawn-out response is revealed in confidential and highly sensitive Minneapolis Public School District investigative records that are now readily available online — just one folder in a trove of tens of thousands of leaked files that outline campus rape cases, child abuse inquiries, student mental health crises and suspension reports.
The files, purportedly stolen from the Minneapolis school district, first appeared online in March, just days after a ransomware gang named Medusa announced the school system failed to pay $1 million to keep its information from getting posted to the web.
In a leaked 2018 email, a district official seems to make light of the frequency of civil rights complaints after several girls accused their high school foreign language teacher of inappropriate touching.
“When it rains, it pours, I guess!” the district official wrote. In other documents, an educator was accused of buying a colleague a lap dance during an after-work outing to a strip club and, in a separate incident, a district employee was accused of hacking into a girl’s social media to stalk her on a date. The veracity of the files hasn’t been confirmed by Minneapolis schools but by all appearances, they expose a shocking degree of information about current students and staff.
The information is so searingly personal that attorney and student privacy consultant Amelia Vance said she would have a hard time strategizing a mitigation response.
“I’m an expert in this and I have no idea,” Vance, president of the Public Interest Privacy Center, told The 74.
The records were uncovered in an analysis by The 74 of a cache of files reportedly stolen from Minneapolis schools and uploaded to the internet after the district fell victim to what it euphemistically described as an “encryption event.” The Medusa gang, a burgeoning cybersecurity threat that adopts a clumsy, perhaps youthful online persona, ultimately took credit for the February breach that led to widespread digital disruptions.
The vast records — more than 189,000 individual files totaling 143 gigabytes — also offer a remarkable level of raw insight into the district’s civil rights investigation process for sexual assault and racial discrimination complaints, detailed campus security information and other district operations that many school systems seek to keep under wraps. In total, they highlight the attack’s severity and the extent to which students’ and employees’ sensitive information is vulnerable to abuse.
Minnesota-based student privacy advocate Marika Pfefferkorn said she’s already heard from multiple concerned parents whose children had their sensitive information caught up in the breach, but that district officials have failed to communicate with them about their concerns.
“One of the reasons we have had so many parents reach out to us is because the information (the district) has posted on their website is just like nothing,” Pfefferkorn said. “It’s like it was an afterthought.”
She’s also struggled to give meaningful advice to anxious parents who need help.
“The conversation that we’re having is like, ‘Your information is going to be out there forever, and the impression of you is also going to be out there forever,’” she said. “I don’t know the advice that I need to be giving them other than, ‘You need to be aware of what’s happening and communicate with the district what your expectations are.’”
‘A rock over their head’
While the oldest breached records span back to at least 2018, the most recent files, including several related to confidential civil rights cases, are from earlier this year. Some of the files — which were previewed in a 50-minute video — can be read with little more than a Google search.
The way the files were uploaded is “part of what makes this incident so heartbreaking and extraordinary,” Vance said.
Breaking from standard procedure for data leaks, the stolen Minneapolis records weren’t published to the dark web. Instead, as The 74 first revealed, download links were published to Telegram, the encrypted instant messaging service, and a faux technology news blog that appears to have direct ties to the ransomware attackers. Unlike breaches posted to the dark web, which require special tools and some know-how to access, Vance said “this information is easier to access and potentially easier for people to have follow them around for the rest of their lives.”
The files include district financial records, educators’ Social Security numbers and other documents that have long been targets for cyber criminals looking to facilitate identity theft. Yet Vance said the real harm — and a distinguishing feature — of the Minneapolis breach is the sheer volume of compromising information about students and staff that has been exposed.
The district didn’t respond to a list of questions from The 74. In its most recent public statement, from April 11, interim Superintendent Rochelle Cox said it has completed a review of data “posted online on March 7 and has contacted many individuals whose information was accessible as a result of this event.” While a small subset of the data was previewed in a video in early March, a download link for the complete archive of stolen district records didn’t become available until late March. Cox said the district is working with “external specialists and law enforcement” to review data posted after March 7, but does “not have the results of that investigation.”
Because the harm from ransomware attacks has long been framed through the lens of identity theft and fraud, robust protections are now in place to help the victims of financial crimes, Vance noted. Parents can freeze their children’s credit. People can also cancel any credit cards that get caught up in a breach, and districts regularly provide identity theft protection to data breach victims.
After the release of highly sensitive information, she said there are no clear remedies for something that could be potentially life altering for victims.
“This becomes a rock over their head for their entire life: ‘When is someone going to find out about the worst thing that ever happened to me?’” Vance said. “If I were a parent dealing with this, what on earth do you do next?”
Federal law enforcement officials have long advised school districts and other cybercrime victims against paying ransom demands, but the sheer volume and sensitive nature of the breached Minneapolis files have left some experts questioning whether the district made the right call by refusing to pay up.
“There are circumstances where — if you’re looking at it from a question of, ‘How do you reduce potential harm and risk and danger to your school community,’ — then doing the unsavory is perhaps the correct choice,” said Doug Levin, the national director of the K12 Security Information eXchange.
Officials generally warn against paying ransoms for several reasons: Negotiating with known criminals may not produce the desired outcome, and offering payments helps finance future crimes. But in this case, Levin said the Minneapolis district was presented with a difficult choice. Even before the records were posted online, the group took extraordinary steps — including uploading a video to Vimeo — to publicize sensitive records in what appeared to be a particularly aggressive bid to coerce payment.
Given how current and diverse the stolen records are, Levin and other experts suspect Medusa infiltrated multiple live computer systems. The freshness of the files, Levin said, means their content may still be accurate and, for bad actors, actionable.
Calling the Minneapolis breach a “worst-case scenario,” he said, “The amount of information that was taken and the recency and the scope of it is certainly deeply troubling.”
Minneapolis may be a cautionary tale for districts nationwide who have fallen prey to money-hungry ransomware gangs leveraging “double-extortion” attacks against schools, hospitals and businesses. In such incidents, which present an alarming evolution from previous strategies, threat actors gain access to a victim’s computer network, download compromising records and lock the files with an encryption key. Criminals then demand their victim pay a ransom to regain control of their files. Then, if the money doesn’t materialize, they sell the data or publish it to a leak site.
Ransomware attacks on U.S. schools have become a primary concern for federal law enforcement officials this year. In January, the federal Cybersecurity and Infrastructure Security Agency warned that school districts were being targeted in attacks with “potentially catastrophic impacts on students, their families, teachers and administrators.” Since the pandemic forced students into remote learning, district cyber attacks have been particularly acute. The number of publicly disclosed cybersecurity incidents affecting schools grew from 400 in 2018 to more than 1,300 in 2021, according to federal data.
Federal law enforcement officials have had several recent victories in tracking down cybercriminals. BreachForums, a popular dark web marketplace where people could buy stolen data, was shuttered after Federal Bureau of Investigation agents arrested its top administrator in March. The capture of the 20-year-old, who authorities allege operated the forum from his parents’ Peekskill, New York, house, sent shock waves through the cybersecurity community and disrupted the global cybercrime ecosystem. In January, federal authorities took control of a prolific ransomware gang’s leak site and in February announced sanctions against seven men connected to a Russian-based ransomware group known to target schools.
In Washington, pending federal legislation introduced last month seeks to better track cyber incidents in schools and would provide $20 million over two years to help affected systems recover.
Last year, the school district in Los Angeles, the country’s second largest, suffered a massive ransomware attack that exposed a trove of compromising information about educators, students and district contractors. In response to investigative reporting by The 74, the Los Angeles district acknowledged the breach included the sensitive mental health records of at least 2,000 current and former students after publicly denying those records were exposed. Last month, data from the Rochester, Minnesota school district was breached after it suffered a ransomware attack that forced leaders to cancel classes. A similar attack shuttered Des Moines, Iowa, schools in January.
Swift action needed
Taken together, the leaked Minneapolis records offer a startling quantity of compromising information about students and teachers. They also include detailed records about campus security systems that school officials said could place children and educators at a heightened risk of physical danger.
A single spreadsheet details 699 disciplinary incidents from the 2015-16 school year, listing students’ names and a brief description of incidents. One entry claimed a student was “threatening other students’ mothers,” and another claimed a student put his hands together in the shape of a gun and said “I’m bringing a gun to school tomorrow and shoot.”
Each of the spreadsheet entries contains pinpoint demographic information about individual students, including their race, gender, whether they’re in special education, if they’re homeless or are learning English as a second language.
One group of files includes letters informing disciplined students they could face trespassing charges if they show up on campus, while another includes reports of student maltreatment, including allegations a bus driver hit a student and that a teacher used excessive force.
Such records could be valuable for blackmail — and for the police. In 2020, for example, a newspaper investigation revealed a Florida county sheriff’s office used sensitive student records to predict which ones were likely to “fall into a life of crime.” In other cases, police agencies have purchased sensitive data leaked in data breaches to conduct investigations.
A separate group of Minneapolis records, purportedly from 2015 to earlier this year, outline nearly 300 individual district equity and civil rights investigations.
In one case, district investigators found that over the course of several years, a boy coerced a classmate into sexual encounters in exchange for $5 and, in another case, a high school girl reported getting raped in a campus bathroom. In a detailed 2018 complaint, a high school girl accused a male classmate of raping her in a car after a home football game. Yet a district investigator ultimately dropped the complaint because the girl declined an interview and the official was “unable to ascertain her credibility based only on her written statement,” according to breached files.
In multiple complaints, educators were accused of being racist. Just last year, a teacher at a Minneapolis high school was accused of racial harassment when she reportedly used the name of a Somali student and a cartoon of a woman wearing a hijab in a class presentation. The slide defined the idiom “to have a bone to pick” and the teacher reportedly asked the student to read to the class a description of the term with her name attached: “(redacted) never comes to class on time; she leaves class without permission, is affecting her peers, her grades and is disrespectful to her peers.”
In January, a complaint accused a high school coach of making a transphobic joke and openly discussing his genitals. While he was stretching in front of a group of female athletes, the complaint alleges, he warned them that he was wearing “very short shorts” and instructed them to “let me know if my junk falls out.”
In a case from January, the middle school teacher accused of gazing at students’ bodies and touching them inappropriately was placed on paid administrative leave while district investigators conducted their inquiry. Investigators determined the complaint was substantiated, but the middle school’s website still lists the teacher in its staff directory. A district spokesperson did not respond to questions about whether the teacher faced disciplinary action or his current status.
Given the many ramifications, Levin said the breach demands swift action to ensure the safety of the school community and to prevent something like this from happening again. He said the Minneapolis school board — or even state authorities — needs to launch a prompt investigation.
“States do intervene in school systems when they’re being financially irresponsible or even academically irresponsible,” Levin said. “It may be that Minneapolis is not equipped to deal with the fallout from an incident like this.”