Emails from Minneapolis Public School officials reveal timeline of data breach
MINNEAPOLIS -- Emails from Minneapolis Public School officials obtained by WCCO show a nearly two-week delay before the district acknowledged that staff and family members' personal data could be compromised.
Hackers have since released information onto the dark web, where users are untraceable. Cybersecurity experts warn that anyone associated with the district -- current and former students, parents, staff and vendors -- should assume they have been compromised until they've been told otherwise, and take action to protect themselves.
The breach was first discovered on Feb. 17. A short email sent to Interim Superintendent Rochelle Cox says there was a "system incident that has impacted many MPS systems." The district's IT services says it was "determining scope and restoring services as quickly as possible."
An email went out to district families on Feb. 21, which noted that "no data will be lost due to the incident."
On the morning of Feb. 24, the district's communications director outlined a message for Cox, in which she wrote that "In working with trusted external IT experts on how to handle this, I have learned that sharing the least amount of information regarding IT fixes is in the best interest of safely [sic] and security for our school district."
The same email references a data breach in Little Rock, Arkansas school district, which in December paid a $250,000 ransom after a cyberattack, according to the Arkansas Democrat Gazette.
Later that afternoon, Cox sent a copy of the email that will go out to family members to the district's union leaders. The email says the "investigation has found no evidence that personal information was compromised" and students will be guided through a process to reset their MPS accounts when they return to school the next Monday.
RELATED: What is the dark web?
Greta Callahan, the Minneapolis Federation of Teachers president says, in response, that "Monday morning will be chaos."
On Feb. 25, an internal email sent to principals and department heads noted that passwords must not be shared via text or email. Instead, passwords must be communicated verbally, and attempting to use someone else's login credentials is a fireable offense.
Then, on March 1, the district sent out an email to families acknowledging an "encryption event," though the investigation had not found evidence that data had been used to commit fraud. Hackers first posted data to the dark web on March 7, and again on March 17.
Minneapolis Public Schools said in the following statement:
MPS partnered with third-party legal and security specialists who have worked with hundreds (and growing) cyberattack cases like ours each year. Their advice related specifically to security practices and security actions being implemented. This advice was to ensure that not only the current threat actors, but potential future threat actors, would not have access to the security actions implemented to ensure the security of our systems as IT worked to restore systems to full functionality. That is the root of that statement. Additionally, we wanted to ensure the security of our buildings, so we limited information about what had been impacted.
Please know that whenever MPS had new, actionable information for the community, how the community was impacted and the scope of the event, we provided it as soon as possible.
For information on how to protect yourself from cybersecurity threats, click here.
