In a letter sent to families last week, St. Paul Public Schools disclosed a February “data security incident” that resulted in the exposure of students’ names and email addresses.
The hack exposed 43,727 student names and email addresses, said district spokesperson Erica Wacker. That number includes all students enrolled in St. Paul Public Schools during the 2022–2023 school year, as well as students at private and charter schools where the district provides services and email addresses. No staff data were affected. The incident did not involve ransomware, Wacker said.
“The only data that was subject to unauthorized access were names and student email addresses,” Wacker said.
The letter to families specifies that the district has no reason to believe that any passwords, physical addresses, social security numbers, or financial information was exposed. It also says the district has been working with state and federal law enforcement and that “a suspect has been reasonably identified.”
The St. Paul Public Schools data breach marks the sixth such incident at a Minnesota educational institution over the past 12 months. Elk River, Minneapolis, and Rochester schools all experienced ransomware attacks; the Minnesota Department of Education had some records exposed in a global data breach; and the University of Minnesota confirmed over the summer that it had been hacked.
But the breaches have differed in scope and impact. The Minneapolis Public Schools hack contained 189,000 files that included sensitive information like detailed sexual assault reports, psychological reports, and school security maps. The University of Minnesota has yet to confirm the scope of its data breach, but a hacker claimed to have obtained 7 million social security numbers dating back to 1989.
By contrast, the St. Paul Public Schools breach is “relatively minor,” said Brett Callow, a threat analyst with Emsisoft.
“Somebody purloined the school database—names and emails—and seems to have shared it in a since-deleted post on a hacker forum,” he said. “Certainly not in the same league as MPS [Minneapolis Public Schools].”
A delay in reporting the breach
Ian Coldwater, a cybersecurity expert and Minneapolis Public Schools parent, said that they appreciated the St. Paul district’s transparency in letting people know what had happened. This, despite the seven-month delay between the hack and the notification process.
“I’m not bugged by that,” said Coldwater. “It seems like they’re doing due diligence.”
For some students, having their name and email address exposed “might not be as big a deal,” Coldwater said. But for others, this information might pose more of a threat—say, a student whose family has escaped domestic violence, and who might not want it publicly known where they attend school.
Cyber safety: what families should do now
“This is clearly a less severe breach in scope than, for example, the MPS one was,” Coldwater said. “But it’s still going to be important for folks who know that they’ve been affected by this breach to keep an eye out on their data, their accounts, see if they see anything weird happening. Accounts that they didn’t make, logins that they didn’t initiate, that kind of thing.”
Phishing attempts and “weird spam” can be an issue with a leak of email addresses, Coldwater said. If students get a suspicious-looking email that purports to be from their bank or from tech support, they should call the bank or the tech company to confirm before clicking on the link.
Coldwater stressed that students should not reuse passwords from one account to the next, and suggested they keep track of them in a password manager. Turning on multi-factor authentication can also help keep accounts safe, Coldwater said.
“Keep an eye out, and just stay vigilant,” said Coldwater.
