[BreachExchange] Major TPS data breach exposes personal information of students, staff

Destry Winant destry at riskbasedsecurity.com
Mon Oct 19 10:38:17 EDT 2020


https://www.13abc.com/2020/10/16/i-team-investigation-major-tps-data-breach-exposes-personal-information-of-students-staff/

TOLEDO, Ohio (WTVG) - 13abc has learned about a major data breach of
the Toledo Public School system, exposing huge quantities of personal
information, including social security numbers, for both students and
staff. The I-Team was first alerted to the breach by a tip sent to our
newsroom.

While it is unclear when this breach occurred, the Toledo Public
School system was attacked back in early September, forcing the
district to take down the system to protect it from harm. At the time,
that attack was described to the 13abc I-Team as what is referred to
as a Distributed Denial of Service (DDoS) attack, wherein hackers
bombard a website or server with requests in an effort to overwhelm
the system and knock it offline. These types of attacks are
inconvenient for the victims but usually do not involve the theft of
information.

The data discovered by the I-Team on Friday reveals that the district
was at some point subject to a much greater breach of security known
as a ransomware attack. This style of cybercrime occurs when a piece
of malware is introduced to a school or corporate server through
something as simple as an infected link or e-mail attachment disguised
as legitimate communication. Once downloaded to the system, the
perpetrators are able to use the malware to access and encrypt data,
including personal information stored in secure files. The hackers then
hold that data ransom, demanding payment, usually in the form of
Bitcoin or other cryptocurrencies. If the victims fail to pay, the
hackers then dump that collected data online exposing huge amounts of
personal information, including social security numbers.

Brett Callow, a Threat Analyst with Emsisoft, tells 13abc that the
name “ransomware” has become a bit of a misnomer over time. Hackers are
more likely to gain access to an organization’s system utilizing a
series of tools, then move throughout the network to find data before
ever deploying the ransomware program itself. According to Callow,
“attackers have access to a network for 56 days before they start
encrypting files - which is the point at which the org realizes it has
a problem.”

Callow also says Toledo Public Schools is one of 68 school districts
and colleges that have been the victim of a ransomware attack this
year, “potentially disrupting learning at up to 1,340 individual
schools.”

13abc has confirmed that data stolen from Toledo Public Schools is
among the most recent information dump from the hacker group known as
the Maze Cartel (named for the Maze ransomware used by the group).
That information includes the names and social security numbers of
students as well as faculty and staff in the district. Those are just
some of the databases the I-Team was able to view. Other information
13abc has found after looking at this breached data includes
information on alumni databases, homeschooling, and foster child
information.

While the I-Team cannot confirm when this data was initially accessed,
according to Callow, Toledo Public Schools first appeared on Maze’s
site on or shortly before September 14th, which means the attack
likely occurred a few days prior. He could not, however, confirm on
what date the data was published.

A representative from Toledo Public Schools released a statement on
Friday afternoon saying the district was alerted to a possible breach
of personal data by the media, including 13abc. The statement reads,
in part: “Upon learning of this information, TPS immediately notified
our legal team and cyber security experts to investigate the full
scope of this incident, including whether any TPS data was impacted.
We will follow all processes as required by law and support our staff,
students, and families in the event this breach has impacted them. We
will continue to be transparent and cooperate fully as more
information becomes available.”

Stick with 13abc on-air and online for further updates as this story develops.
