“I had my bank account drained last week and had $3 to my name,” wrote one complaint.
Another person woke up to several hundred dollar charges attempted on their bank account. A third saw Amazon orders from Mexico and Connecticut.
These are just a few of the 105,500 students, teachers, and alumni whose data was compromised as part of a cyberattack that hit Minneapolis Public Schools (MPS) earlier this year.
As the fallout unfolded, and in the wake of minimal response from the district, outrage flowed into the inboxes of school administrators.
Emails obtained by the Daily Dot revealed students, parents, teachers, and alumni panicking as they were hit with increased spam and phishing attempts after the February 2023 cyberattack.
People emailed MPS to say that after the cyberattack they received messages asking for TurboTax codes, Apple ID login requests from other parts of the country, and access requests from Microsoft Authenticator. Parents also reported receiving emails about their children’s college financial aid from unverified senders.
The emails came after MPS was hit with a ransomware attack that took down critical learning and administrative systems, as hackers gained access to personal data and caused havoc for the school district
A lax response from the school district’s interim superintendent helped fuel outrage.
“Last year in the U.S. there were 440 million such breaches,” interim superintendent Rochelle Cox said in one email to a member of the campus community, attempting to claim the increase in complaints had little or nothing to do with the attack.
A set of talking points sent to board members, however, conceded that the timing of the increased attacks “may seem suspicious.”
Though the school has said there is no proof that all attempted phishing emails and scam charges relate to the cyber attack, many members of the MPS community claimed that the level of potentially fraudulent emails they received after the cyberattack was substantially higher than it had been before the incident.
“I don’t know if this is helpful, but I’ve seen a HUGE increase in spam and phishing attempts in the last few days via the email address I use with MPS,” one member of the community said in an email to the school helpline.
Another member of the community said that they had received significantly more spam than usual in the aftermath of the cyberattack.
“Starting yesterday I started receiving 100+ spam / phishing texts with a dozen or so spam calls to my cell number,” they said.
Parents, after the cyberattack, also complained that they had been the victim of attempted fraud.
One member of the school community said in an email to MPS on March 9 that they’d been hit with a $2,500 charge. They said they had not been able to speak to a member of MPS technical support over the phone, with the call disconnecting after they waited on hold.
“Someone appeared to get my credit card information and personal information around the time I received notification of MPS public school tech incident, and charged my credit card over $2500,” they said in an email to the school.
Another person said that they also received fraudulent charges on their account.
“My debit card/bank account has been breached and I found three fraudulent charges on my account,” they said. “I had to contact my bank and immediately shut off my debit card.”
One member of the community, who also was the victim of financial fraud, said that the junk email they were receiving was so bad that they would need to change their contact information.
“Since this event, my debit card information has been compromised and I’m receiving 4x the amount of junk mail I usually receive,” they said. “I will likely have to change my email address.”
Teachers were extremely frustrated and reported being the victims of fraud efforts after the cyberattack, including receiving threats to share their personal data and getting fraudulent charges on their accounts.
One teacher received an email claiming to be from Medusa, threatening to leak their personal data.
“We will publish all your data and send a video review to all news agencies,” the email, which the teacher forwarded to the school, threatened.
One newly licensed teacher, who had woken up to several $100 attempted charges to their checking account, expressed concern about the school’s response.
They added that the charges were to a bank account that they had for 15 years prior to the incident that had never been compromised. They used the account to receive their MPS paychecks.
“I’m worried, as are my colleagues who’ve also discovered fraudulent charges in their primary bank accounts, that this will be a life-altering disaster that will have negative effects that I’ll suffer from for years or decades,” they said in an email to the school district.
Another teacher said that they had been the victim of fraudulent charges in an email to the school and their union representative. They added that they felt they didn’t get enough warning from the school district to protect themselves after the initial cyberattack.
“I have been a victim of fraudulent charges due to the Medusa hack,” they said in an email. “I wasn’t warned this could potentially happen before it was too late.”
Even teachers who were no longer at the school said they were affected. One retired teacher said they received phishing emails claiming to be related to an Amazon order they had placed on behalf of the school district, despite no longer working for the school.
Teachers also reported being overwhelmed because of the impact of the attack, asking for time off to change their personal account passwords and for extensions of their work deadlines.
Union representatives also emphasized the school’s contractual obligations to teachers, including in providing access to technology and consistent internet access, in emails to the district superintendent.
In an email, Greta Callahan, president of the Minneapolis Federation of Teachers, highlighted the school’s agreed contractual responsibility to give staff space to “fulfill their duties in an ethical, respectful, safe and confidential manner.”
Callahan did not respond to requests from the Daily Dot for comment. MPS did not respond to requests for comment from the Daily Dot. MPS has repeatedly denied it paid any ransom to the hackers.
According to a statement from MPS to KSTP, hackers first gained access to the MPS system on Feb. 6.
However, it wasn’t until Feb. 18 that MPS reported that they were suffering from a “systems incident” in an email to staff members. Later that day, IT representatives from the school asked for copies of the school’s million-dollar cyber insurance liability policy, indicating fears about the attack.
The school paid $156,825 to Tracepoint, a third-party cybersecurity firm, for help communicating with the attackers, assessing the damages, and de-encrypting the stolen data.
On Feb. 24, the district called for an emergency meeting. Following that meeting, MPS said in an email to staff that there had been no evidence of personal data being stolen in the attack.
But in March, emails complaining about the district’s response and asking for help dealing with the perceived impacts of the cyberattack began.
On March 7, the Medusa ransomware group claimed credit for the attack. Medusa has been operating since June 2021, though activity has increased from the group recently.
As reported by Axios, on March 7, the hackers published a video on Vimeo that included the personal information of students and teachers. The video allegedly included employee tax forms, the details of a student’s suspension and transfer to another school, and the resumes of potential job applicants.
The video also allegedly called for a ransom of $1 million to be paid to delete the video.
In a panicked email to colleagues on March 8, a principal at Washburn High School told the district’s senior leadership that one of her colleagues had found the video online.
“One of our principal colleagues has a teacher with dark web skills who found the video & says that [a] list of principal private contact info is in the video,” she said in the email.
However, on March 9, the school district still denied that it had any proof the attacks had been used to commit fraud.
“MPS has not found any evidence that any data accessed has been used to commit fraud,” it said in a statement posted online.
It then took over a week for MPS to report the video to its board, which happened on March 16, after the video was taken down.
On March 17, interim superintendent Rochelle Cox said she was not yet sure what the extent of the information leaked was.
“We can confirm that the cybercriminal who committed this crime is threatening to release data on March 17,” Cox said in an email to an external stakeholder. “At this point in time, the full extent of the potentially accessed data is unknown.”
Only last week did MPS begin notifying people whose data was compromised in the breach.
That lack of communication was an issue for employees throughout, the school district repeatedly accused of misleading members of the community regarding the scope and impacts of the cyberattacks.
One person complained on March 7 that the district’s labeling of the attack as an “encryption event” was wrong because they felt it minimized the severity of the impacts of the attack.
“What is with this mealy-mouthed language about the ransomware attack? Call it what it is,” they said in an email to Cox.
They added that they thought the school’s handling of the incident was “atrocious.”
One teacher appeared to acknowledge concerns about the school’s communication with external stakeholders. In an email to senior leadership colleagues in the school district on March 8, a principal said she thought the district should communicate more with parents and students.
“Parents are calling. Kids are asking. I think we need to admit that we know they’ve been compromised & give them the steps to take,” she said in the email. “We can’t just ignore them.”