This week, Minnesotans got a clearer picture of the “encryption event” that shut down many Minneapolis Public Schools systems three weeks ago. An active ransomware group—we’re not listing the name—claimed credit for the hack. On Tuesday, the group posted a 51-minute video to Vimeo showing samples of some of the data collected. The group also posted to the dark web an extensive list of file names, along with some screenshots of sensitive data.
Minneapolis Public Schools announced it was working with the hosting company—that is, Vimeo—to remove the data, and by late Tuesday afternoon Vimeo had taken down the video. But the information posted to the dark web remains. And the hackers have threatened to release the rest of the information if Minneapolis Public Schools does not pay a $1 million ransom by March 17.
So whose information was hacked? What information was it? What can (and should) you do to protect yourself? Do words like “ransomware” and “cybersecurity” make your brain freeze, or send you into a panic?
“Assume you’re in the breach,” said Ian Coldwater, a cybersecurity expert and Minneapolis Public Schools parent. “Don’t panic. But prepare yourself.”
We compiled some expert advice—and broke it down into layman’s terms—to help you navigate the data breach.
What actually happened here?
Minneapolis Public Schools has repeatedly called this incident an “encryption event.” But in plain English, that means a ransomware attack.
“An encryption event is a ransomware attack,” said Brett Callow, a threat analyst with Emsisoft, a cybersecurity firm with expertise in ransomware.
Over the last few years, ransomware attacks against schools have typically involved two phases. In the first phase, the attackers—often called a “ransomware gang”—destroy or encrypt data, and demand a ransom in order to return access to the data. That can be a problem unless a district can restore its systems from backups, which Minneapolis Public Schools says it was able to do.
The second phase is to threaten to release the data unless the district pays a ransom. That’s where we are now.
Is this type of data theft common?
Unfortunately, yes. Emsisoft counted 45 ransomware incidents directed at school districts nationwide in 2022. Hospitals and higher education institutions are also common targets.
“This is happening a thousand times a day,” said Bruce Schneier, a fellow at Harvard University’s Berkman Klein Center for Internet and Society. “This is a car crash. It’s a tragedy, but we have seven more tonight.”
Minneapolis Public Schools is not to blame, said Coldwater.
“There are school districts and hospitals all over the place that are being targeted by these groups with these kinds of attacks,” Coldwater said. “It’s not necessarily unusual to see these things, unfortunately. The important thing is how we respond to it.”
How much data did the hackers take?
A lot. A directory posted to the dark web with just a list of document names is itself a “very extensive text file,” Coldwater said. Meaning: many files were taken.
“I think anybody who has been affiliated with Minneapolis Public Schools for at least the last decade, in the absence of knowing otherwise, should assume that their data is in this somewhere,” Coldwater said.
“If I was a parent or a teacher or a student or a service provider to the district, I would assume that whatever information the district held about me was now in the hands of cybercriminals,” Callow said.
What kind of data is it, and whose is it?
The data includes records from current and former Minneapolis students, contractors, and staff. Some of the files taken appear to date back as far as 1995, which means data from some people who left the district long ago may be affected.
Data taken by the hackers includes payroll information, health records, disciplinary records, sensitive human-resources complaints, student addresses, name and gender-change petitions, parent contact information, and banking information, Coldwater said.
It’s not clear whether Social Security numbers may have been included, Coldwater said. But people should assume it is a possibility.
One screenshot posted on the dark web shows a sexual assault complaint against a student, including the names of the alleged victims and perpetrator.
Is Minneapolis Public Schools going to pay the ransom?
The district has not definitively said it will refuse to pay any ransom. But so far, Minneapolis Public Schools says it has made no payment, and most districts don’t pay out. The FBI recommends against paying ransom in situations like this.
“You negotiate with kidnappers, you make kidnapping a viable business,” Schneier said. “As a societal issue, we want no one to pay the ransom.”
“We have taken a stance against these criminals and are restoring our systems without the need to cooperate with them,” Minneapolis Public Schools said Thursday. “As our response continues, we continue to work with and align with the best practices provided by federal law enforcement.”
How could this data breach affect Minneapolis students, parents, and staff?
People who are part of a data breach could be at higher risk for identity theft. Hackers could get into their banking or email accounts. And they could see fraudulent financial charges, or credit accounts opened in their names, Coldwater said. Dealing with these issues can be inconvenient. But there are steps you can take to prevent and address identity theft (more on that in a minute).
“With this particular breach, that’s in some ways the easy part,” Coldwater said. “The really scary stuff here is the sensitivity of some of this data.”
So what can people do to protect themselves?
It’s hard to give one-size-fits-all advice, Coldwater said. It’s still not totally clear what information was compromised. And the tens of thousands of people in the Minneapolis Public Schools community have different situations based on their access to technology, home language, and housing stability, among other factors.
The first two things you should do are change your passwords and use multi-factor authentication, Coldwater said. Multi-factor authentication means adding an extra step to your accounts, so you need more than a password to log in: you also have to approve the log-in through your phone, email, or an authenticator app.
Assume any password used on a Minneapolis Public Schools computer or iPad was compromised. Did you log into Facebook, Amazon, your personal email, or your bank account on your school computer? “Change that password, change any passwords that are shared with other accounts, and don’t reuse passwords next time,” Coldwater said.
Using a password manager can be a helpful way to keep track of different passwords for different accounts. But Coldwater acknowledges that not everyone will do that—and people who don’t have their own computers may not be able to, and might prefer to write them down and keep them somewhere safe. “The important part is not to use the same passwords on different sites and to use strong passwords.”
Setting up multi-factor authentication on important accounts is also key, Coldwater said. That adds a second layer of protection in case someone tries to get into your account: It requires you to verify a sign-in. And it’s safer to use an authentication app, like Google Authenticator or Authy, than to use email or texting for authentication.
Barbara Howard from the ABC sitcom Abbott Elementary refused to use multi-factor authentication. Experts say: Don’t be like Barbara.
Coldwater said they’ve heard from some Minneapolis Public Schools staff who did not want to use the multi-factor authentication suggested to them by the district, because they feared the district might be using the technology to spy on them.
“If you just tell people these apps aren’t spyware—they do help keep you safer, here’s how they work—that can help reassure people who might be less tech-savvy, and help them understand what’s going on and why this stuff is important,” Coldwater said.
Where should you turn on multi-factor authentication? Prioritize any account that you may have accessed on a Minneapolis Public Schools device; financial accounts, like banks and credit cards; and email, Coldwater said.
“Email is the keys to the kingdom,” Coldwater said. “If I’m in your email, I know what accounts you have.”
What can I do to guard myself and my kids against identity theft?
Minneapolis Public Schools said Thursday it would provide free credit monitoring and identity theft protection to “individuals whose legally protected personal information has been accessed.” The district said it is conducting “an in-depth and comprehensive review” of the stolen data, and will contact people who are affected. “This will take some time,” the district acknowledged.
In the meantime, there are steps you can take to protect yourself. You can place a fraud alert, and consider placing a security freeze, on your credit report. A security freeze means a credit agency cannot release your information without your express written approval, causing delays for approvals of new loans. (That might not be a great option for you if you’ll soon be applying for an apartment, a loan, or another line of credit.)
Parents can also place a security freeze on the credit report for children under 16. The Minnesota Attorney General’s Office provides guidance on how to do that, as well as guidance on how to prevent identity theft. You can also place a freeze on new utility accounts in your name.
Monitor your credit and your bank accounts. You can request a free credit report annually from each of three credit bureaus. (Go to www.annualcreditreport.com.) Coldwater recommends free services like Credit Karma or Credit Sesame; both will let you know if new accounts are opened in your name.
And stay vigilant.
“Everything isn’t necessarily going to happen right away,” Coldwater said. “It might be that this data circulates, it goes around, people get a hold of it, it changes hands. Maybe the day that it gets released, you’re not going to get a weird charge, but maybe six months or two years from now you will.”
I’m worried that the hackers will leak sensitive information about me.
The leaked sexual assault allegation may provide an example of the most damaging type of information the hackers have, Coldwater said. But they may have other sensitive information, too—like disciplinary records for staff and students, and human resources complaints. Other people, like domestic violence survivors, may be particularly harmed by the release of their personal contact information.
In these cases, people may need to assess their own vulnerabilities and make their own plans, Coldwater said.
At this point, which threats can be prevented and which can’t be prevented? And is there really a point to taking these preventive steps?
You may not be able to stop the hackers from releasing data. But if you take protective steps, you may make that data less useful to anyone who can access it, Coldwater said.
Coldwater pointed out that the hackers literally set a ticking countdown for March 17, when they say they will release the data if the district has not paid. “All of us right now have this little window of opportunity to be able to take these measures to protect ourselves before this data gets released,” Coldwater said. If people take protective steps in the next week, “It’s going to be that much harder for anybody else who gets a hold of that data to do anything with it.”
Putting in this work now could save you headaches down the road, Coldwater said.
“Nobody wants to spend their day making phone calls to different credit agencies,” Coldwater acknowledged. However, they added, the protective measures you take now could save you from having to take more exhaustive measures down the road.