Minnesota Now with Cathy Wurzer

After hacker group posts Minneapolis school data online, residents have questions

Network cables are seen going into a server in an office building in Washington in 2017. Security experts worked then to contain the fallout from attacks that affected systems in dozens of countries. Minneapolis Public Schools is struggling now with the aftermath of a cyber attack against its systems.
Andrew Caballero-Reynolds | Getty Images 2017

The fallout continues in a cyber attack that has affected the IT for Minneapolis Public Schools and apparently exposed student and staff data, including email and home addresses.

First, hackers shut down district systems for over a week. And now, a hacker group called The Medusa Media Team has taken responsibility for the event, posting data from students and employees in a video online.

How often are schools the target of a data breach like this? Mark Keierleber is an investigative reporter for The 74, an online news site focused on education. He joined MPR News host Cathy Wurzer to talk about what it all means.

Audio transcript

[THEME MUSIC] CATHY WURZER: And the fallout continues in a cyber attack that's affected IT for Minneapolis Public Schools and apparently has exposed student and staff data, including email and home addresses. First, hackers shut down district systems for more than a week. And now a hacker group called the Medusa Media Team has taken responsibility for the event, posting data from students and employees online. How often are schools the target of a data breach like this? Mark Keierleber is an investigative reporter for The 74, an online news site focused on education. Mark, thanks for joining us.

MARK KEIERLEBER: Hey, thanks for having me on.

CATHY WURZER: Minneapolis Public Schools has continued to call this an "encryption event." It called Medusa a "threat actor." I mean, the language is not very descriptive. It's pretty vague. From where you sit, is it accurate to say this was a cybersecurity or ransomware attack by a hacker?

MARK KEIERLEBER: At this point, all signs point to, yeah, correct, this being a ransomware attack. So certainly, the Minneapolis School District has used the phrasing "encryption event," which cybersecurity experts are saying maybe the district's coined that term. It's not something that they've previously heard as a description for attacks like this. But all signs point to, yeah, the Medusa ransomware group conducting what's called "double extortion" on the school district-- downloading data, locking the district out of systems, and threatening to release that data on the dark web if they don't pay what appears to be a million-dollar ransom.

CATHY WURZER: OK. I was going to ask you, do we know if a ransom has been demanded of the Minneapolis Public Schools? We haven't really heard that.

MARK KEIERLEBER: Yeah, so right on the Medusa Group's dark web leak site, their blog, they have a ticker, and it's counting down from now until next Friday with a $1 million price tag. So basically, if you pay a million dollars in Bitcoin, if the school district wants to pay a million dollars in Bitcoin between now and March 17, the data can be deleted and not uploaded to the dark web for anybody to download. Or other people who might be interested in that data, the group is giving them an opportunity to also spend a million dollars to basically beat the school district to the punch.

CATHY WURZER: Say, remind folks about ransomware, a ransomware attack. How does this type of attack work, broadly speaking?

MARK KEIERLEBER: Yeah, broadly speaking, so the idea being that a threat actor or a ransomware gang infiltrates into a school or a business or a hospital's computer systems. They exploit vulnerabilities within a school system. And how this kind of ransomware attack works is they then lock the data, the school's data, behind an encryption key and say, hey, give me a million dollars, and we'll unlock this data and you'll be able to access it again.

But there's also another layer. It's double extortion, right? They, in the last few years, have been tacking on another threat-- oh, and also, by the way, if you don't give us that money, we'll post the sensitive information on the dark web leak site, which can make its way to marketplaces where people sell all kinds of shady shenanigans, like passports and Social Security cards. So there's certainly some risk for identity theft here, a risk for embarrassment, and all kinds of public harm for victims without any recourse for having their information removed from the internet.

CATHY WURZER: We were doing a little research here today. Looks like at least 11 US school districts, including some 350 schools, have been hit by ransomware this year. I guess some folks might say, well, gosh, why would they target a school district? Is that a target-rich environment, or what?

MARK KEIERLEBER: Well, it's really [INAUDIBLE]. I would say that, historically, you think about large organizations being the victims of ransomware attack because they have access to a bank that might have more money. But a school district or a hospital presents these threat actors with an interesting opportunity. Public institutions like schools, they don't have the same level of cybersecurity protections that a federal law enforcement agency might have or a corporate company might have. So generally, schools have weaker cybersecurity protections.

And they're also sitting on an increasingly large amount of data about students, about employees. And so there's a lot of information about thousands of people that could be really highly sensitive that ransomware actors can exploit to try to leverage a demand for cash. In the Los Angeles Unified School District, for example, I recently uncovered thousands of students' confidential and highly sensitive psychological evaluations published to the dark web. So for those victims, this has a pretty significant serious cost.

CATHY WURZER: Wow. What group took responsibility for that?

MARK KEIERLEBER: Yeah, that was another group that's called Vice Society. And Vice Society is one of the ransomware groups-- they're a Russian-speaking group. And they're one of the groups that has been particularly known in the last few years of targeting schools and hospitals.

CATHY WURZER: So parents and students in the district and staffers have been told to change passwords. I mean, at this point, does that help at all?

MARK KEIERLEBER: Yeah, I mean, I would say that at this point, the best recourse that parents and educators and students really have is to really look at bolstering your own security protections. Don't reuse the same passwords, maybe implement a password manager, two-factor authentication. Yeah, I mean, this is really a wake-up call for people to really shore up their own digital security protections.

CATHY WURZER: So what happens next? I mean, once a district-- and you reported on the LA School District, which, boy, that's frightening. Once a district is hit, what happens? Can there be long-term ramifications? How can they clean up this mess?

MARK KEIERLEBER: I mean, you're right, there are going to be long-term ramifications. We'll use Los Angeles as an example. I think the school district refused to pay an undisclosed ransom demand, and as a result, had a large trove, about 500 gigs, of its records posted on a dark web leak site. I mean, at this point, the gang has moved on to other targets. I would say that they probably considered that a bit of a defeat for them because, OK, hey, we didn't get the money that we wanted. So here's the stuff. We've posted it on the web. Other cyber criminals can do with it what they want, and we're just going to move on.

Now, for the long-term ramifications for families, yeah, I mean, it's difficult for any of these dark web leak sites to be taken down, in a way. It's not like you can request the removal of information from Facebook. These are not exactly the same kinds of websites. So yeah, school employees and students who've had their information leaked onto the dark web, they really don't have very much that they can do to get it removed.

CATHY WURZER: And because many districts are dealing with financial shortfalls, I'm wondering just about, do they have the money to bolster their cyber security moving forward?

MARK KEIERLEBER: Yeah, that's exactly the dilemma that many schools are in, right? There have been calls at the federal level certainly for-- federal law enforcement officials have really marked ransomware threat actors as a priority for them to target in the next year, given the impact that it's had on the education sector and on other companies and hospitals.

But you're right, the school districts are really in a tough place here where they're being asked to have high-end cybersecurity protections to adequately protect the large trove of records and information that they have. But yeah, schools are not flowing with cash. So it really does present a challenge for them.

CATHY WURZER: Mark, I appreciate your reporting on this, and thank you for joining us.

MARK KEIERLEBER: Thank you.

CATHY WURZER: Mark Keierleber is an investigative reporter for The 74. That's an online news site focused on education.

Transcription services provided by 3Play Media.