The #Medusa #ransomware gang appears to have hit the Bishop Luffa School in the U.K. Proof of claim screenshots have been posted, and the school supposedly has 7 days to cooperate before data are leaked.
#EduSec #infosec #dataprotection #databreach #GDPR #cybersecurity
Really have no idea how the heck I missed this one, but....
UChicago, NYU team find online education tools pose privacy risks.
News release (Feb. 21): https://cs.uchicago.edu/news/uchicago-and-nyu-research-team-finds-edtech-tools-could-pose-privacy-risks-for-students/
#EdTech #EduSec #Infosec #privacy #dataprotection #online #virtual #learning
@douglevin @funnymonkey who are probably laughing hysterically at how late I am at spotting this one.
Oh ugh ugh ugh.
In early February, Berkeley County Schools in West Virginia experienced a ransomware attack. On March 3, the district issued a notice on its website that stated their investigation determined "some data stored in Berkeley County Schools’ network may have been accessed that included employee Social Security numbers and direct deposit information."
That notice makes no mention of any student information being involved.
But Vice Society has added Berkeley County Schools to their leak site and has dumped a LOT of personal and sensitive info on students. Some of it goes back years, too.
Read my post at
https://www.databreaches.net/highly-sensitive-files-from-berkeley-county-schools-dumped-by-ransomware-gang/
That district has a LOT of accounting to do, and a lot of changes to their data retention and protection. And of course, FERPA doesn't actually require them to notify the students or families -- only to make notations in their records that the files were disclosed without authorization.
#databreach #ransomware #EduSec #dataprotection #incidentresponse #FERPA #infosec
So Merced College has now reported the malware/encryption incident that occurred Oct 25 - Nov 3, 2022:
https://oag.ca.gov/system/files/Merced%20College%20-%20Notification%20Letter%20Template.pdf
#databreach #dataprotection #malware #EduSec #infosecurity #cybersecurity
They had disclosed an incident at the time, but the formal notification to the state seems .... late?
So I recently told you all that the Southeastern Louisiana University #databreach is the work of BianLian. They still haven't actually named them on their site, but there's a teaser/placeholder for them. There's also a placeholder for the other uni I was told BianLian had hit: Tennessee State University.
My source is someone involved in one of the two investigations and who has some knowledge of the other investigation.
@brett @BleepingComputer @campuscodi @allan @vxunderground
#EduSec #ransomware #cybersecurity #incidentresponse #infosec
Hacker stole bank account, Social Security numbers, and health plan info of Denver Public School employees:
The incident was between Dec. and January, but employees are first being sent letters now. No student info has been identified as involved so far.
#databreach #dataprotection #edusec #infosec #cybersecurity
Scoop: a source with knowledge of the investigation tells DataBreaches that the Southeastern Louisiana University security incident was an attack by the BianLian group.
#databreach #dataprotection #ransomware #infosec #EduSec #cybersecurity
Elmbrook School District in Wisconsin #databreach notification concerning breach of August 23 – August 27, 2022 where data was exfiltrated: https://ago.vermont.gov/sites/ago/files/2023-03/2023-02-24%20School%20District%20of%20Elmbrook%20Data%20Breach%20Notice%20to%20Consumers.pdf
#databreach #edusec #infosec #cybersecurity #dataprotection
Add West Virginia University to any list of unis reporting data leaks or breaches. This was a file with some patient-related info left exposed on a site used for their software development: https://health.wvu.edu/finance-and-business/risk-management/data-incident-management/
#edusec #infosec #dataleak #databreach #hipaa #phi
"The Little Rock School District is continuing to seek an attorney general’s opinion on the legality of holding private school board meetings when reacting to a cyber- or ransomware attack on a district’s electronic information systems:"
https://www.arkansasonline.com/news/2023/mar/01/lr-district-seeks-cyberattack-guidance/
In this case, the board met privately and decided to pay ransom of $250k, which they then voted on publicly.
Now they ask, "Can a school board meet privately to discuss how best to respond to a threat actor when the alternative is to risk the disclosure by the threat actors of the personal information of school district patrons and employees?"
That seems to be predicated on the assumption that if they pay the attackers, the data will not be disclosed. I would be asking, "Can a school board meet privately and keep employees and families in the dark that their personal information may be in the hands of criminals who may already be misusing it?"
@douglevin @brett @funnymonkey
#databreach #ransomware #transparency #FreedomofInformation #FOI #EduSec #infosec #cybersecurity
Today's FERPA questions:
Part 1:
Assume parents of students sign a media release like the one attached to this post where the release mentions specific activities but also a more general release to promote the program.
Now assume that the district is the victim of a cyberattack and the attackers dump all the school photos with the students' names and student ID numbers.
Does the release allowing pictures of the student mean that there was no FERPA breach? I would say that the release is restricted to the activities mentioned in the release and that a data dump on the internet would still be a #FERPA breach.
Agree or disagree?
Part 2. Now assume that the district's "Directory Information" exemptions include student photos unless the parent opts out. Assume the same attack and data dump.
Now is it a #FERPA breach?
#FERPA #dataprotection #students #privacy #EduSec #DirectoryInformation #databreach #cyberattack #infosec
White Settlement Independent School District in Texas sent DataBreaches a copy of the notice they sent to staff and families concerning a breach that has since been claimed by LockBit:
https://www.databreaches.net/another-texas-school-district-with-a-data-breach/
@douglevin @brett @funnymonkey @allan #ransomware #databreach #infosec #EduSec #dataprotection #cybersecurity
Minneapolis Public Schools still investigating what caused ‘encryption event’ https://therecord.media/minneapolis-public-schools-still-investigating-what-caused-encryption-event/ #edtech #k12cybersecure #edusec @PogoWasRight @brett
Trove of L.A. Students’ Mental Health Records Posted to Dark Web After Cyber Hack: https://www.the74million.org/article/trove-of-l-a-students-mental-health-records-posted-to-dark-web-after-cyber-hack/
@mkeierleber is singing my tune about the need for entities to disclose when sensitive data has been leaked. There is no requirement under #FERPA to notify of that.
We need a federal law requiring notification in the event of a data dump or leak of personal and sensitive information, and not just for the education sector -- for ALL sectors.
Y'all can just wait until I rule the world, or we can keep encouraging legislators to do what should have been done years ago.
@brett @douglevin @allan @funnymonkey
#databreach #dataprotection #EduSec #Notification #incidentresponse #ransomware #cyberattack #dataleak #transparency #infosec
Another day, another school district hit. This time, it's the Wawasee Community School Corporation in Indiana. BlackCat has leaked almost 10 GB of files.
There doesn't seem to be any notice on Wawasee's website.
#edusec #ransomware #databreach #infosec #cybersecurity
California Northstate University student and employee data stolen:
AvosLocker added the listing yesterday and dumped a file with 393 employees' 2022 W-2 files. They also claim to have student info.
https://www.databreaches.net/california-northstate-university-student-and-employee-data-stolen/
#EduSec #infosec #cybersecurity #IDtheft #TaxRefundFraud #hack #databreach #dataprotection
If you're going to "attack" a public school district, learn what FERPA permits districts to make public anyway:
#FERPA #edusec #directoryinformation #infosec
In December, NOLA had reported a November #databreach involving Xavier University in Louisiana:
https://www.nola.com/news/education/xavier-university-hit-by-cyberattack-in-november/article_0575824e-823e-11ed-9dd3-17717ab3199c.html
The uni has now submitted its notification to state attorneys general:
https://ago.vermont.gov/sites/ago/files/2023-02/02-11-2023%20Xavier%20University%20Data%20Breach%20Notice%20to%20Consumers.pdf
New kids on the ransomware block or state actors pretending?
"DarkBit" locks the Technion in Israel with a hodgepodge of alleged motives:
#databreach #ransomware #Technion #dataprotection #EduSec #cybersecurity
Personal information exposed during breach in Edmonds School District's network:
#databreach #dataprotection #edusec #infosec #cybersecurity