"Worst-case scenario": Cybersecurity experts confirm school security blueprints stolen in MPS ransomware attack
MINNEAPOLIS -- It was known then but it's even more apparent now: the ransomware attack against Minneapolis Public Schools was massive.
Mark Lanterman, former member of the U.S. Secret Service Electronic Crimes Task Force, described it as a "worst-case scenario," and confirmed that highly sensitive security information, including campus blueprints, alarm schematics and the placement of surveillance cameras, were all among the documents stolen.
"My advice to the school district – get new IT staff because someone fell asleep at the wheel during this event," Lanterman said bluntly. "The faucet of data was on for a long time. This was not a transfer of data like downloading a movie on iTunes that took 10 minutes. This took hours if not days if not longer. There are hundreds of thousands of files here."
The leak of the security materials were first reported by education news blog The 74, which also cited an email from an MPS spokesperson that said a third-party company was "meticulously reviewing all the documents released by the threat actor."
MPS again chose not to make any administrator available for an interview with WCCO, as it has since news broke of the cyberattack. In a statement, a spokeswoman likewise shared that the district is reviewing the documents, but did not confirm whether a third party was involved.
"We have taken steps to mitigate any issues related to the documents highlighted by the reporter," the spokeswoman added. "If additional opportunities for improved protocols and practices appear, MPS will make those changes. As we have seen across the nation, no school, building or establishment can prevent every possible breach – physical or digital. We will continue to work with policymakers and stakeholders to put in place every possible preventative measure."
Emails from Minneapolis Public School officials obtained by WCCO show a nearly two-week delay before the district acknowledged that staff and family members' personal data could be compromised.
Hackers have since released information onto the dark web, where users are untraceable. Cybersecurity experts warn that anyone associated with the district -- current and former students, parents, staff and vendors -- should assume they have been compromised until they've been told otherwise, and take action to protect themselves.
"Understanding how this breach affects each specific family is important because it will either put your mind at ease or give you and your legal representative a course of action. This should not have happened," Lanterman added, while also urging parents to demand answers to a series of questions. "What information about my family are you currently storing and how are you storing it? Is it encrypted? Who has access? Is it being stored on a system that's connected to the internet?"
The breach was first discovered on Feb. 17. A short email sent to Interim Superintendent Rochelle Cox says there was a "system incident that has impacted many MPS systems." The district's IT services says it was "determining scope and restoring services as quickly as possible."
An email went out to district families on Feb. 21, which noted that "no data will be lost due to the incident."
On the morning of Feb. 24, the district's communications director outlined a message for Cox, in which she wrote that "In working with trusted external IT experts on how to handle this, I have learned that sharing the least amount of information regarding IT fixes is in the best interest of safely [sic] and security for our school district."
On Feb. 25, an internal email sent to principals and department heads noted that passwords must not be shared via text or email. Instead, passwords must be communicated verbally, and attempting to use someone else's login credentials is a fireable offense.
Then, on March 1, the district sent out an email to families acknowledging an "encryption event," though the investigation had not found evidence that data had been used to commit fraud. Hackers first posted data to the dark web on March 7, and again on March 17.
Medusa, the group claiming responsibility for the attack on MPS, released a video with information, setting the ransom at $1 million. A joint federal Cybersecurity Advisory (CSA) issued last year warned of Medusa's ransomware attacks and their pervasive methods of gaining access through remote access.
Federal cyber officials also offer these four critical steps everyone can take to protect themselves online:
- Protect your computer by using security software. Set the software to update automatically so it can deal with any new security threats.
- Protect your mobile phone by setting software to update automatically. These updates could give you critical protection against security threats.
- Protect your accounts by using multi-factor authentication. Some accounts offer extra security by requiring two or more credentials to log in to your account. This is called multi-factor authentication. The additional credentials you need to log in to your account fall into two categories:
-Something you have — like a passcode you get via an authentication app or a security key.
-Something you are — like a scan of your fingerprint, your retina, or your face.
Multi-factor authentication makes it harder for scammers to log in to your accounts if they do get your username and password. - Protect your data by backing it up. Back up your data and make sure those backups aren't connected to your home network. You can copy your computer files to an external hard drive or cloud storage. Back up the data on your phone, too.
If you believe you've been a victim of identity theft, click here.
