
Providence student and teacher records exposed in cyberattack


An analysis by The 74 of the stolen records shows they contain details about the district’s investigations into serious complaints, as well as the names and addresses of students, teachers and parents.

Providence Public School District documents were leaked after a data breach and redacted by The 74. Photo illustration by Eamonn Fitzmaurice/The 74

In one complaint, a middle school student accused a classmate of showing her unsolicited sex videos on his cell phone, lifting up her skirt, breaking her bra strap and pulling her hair. In another, a mother accused two high school students of putting their hands in her disabled daughter’s underwear.

In a statement to The 74 on Wednesday, Wégimont said the district “was able to confirm that certain files” stored on the district’s internal servers were accessed by an “unauthorized third party” and that security consultants are conducting an in-depth review to determine whether the disclosed files contain personal information “concerning individuals other than current and former staff members.”

Wégimont’s statement does not acknowledge that student records were compromised.

The district’s failure to acknowledge that the breach affected students and parents — even after being told otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told The 74.

“People need to be aware, especially when particularly sensitive information is disclosed in a way that could make it accessible and searchable later,” said Vance, founder and president of Public Interest Privacy Consulting. As cybercriminals look beyond financial records to sensitive information such as allegations of sexual misconduct, breaches like Providence’s “are likely to have a substantial impact on people’s future lives, whether it is about their opportunities, their ability to find a job or their relationships with others.”

It’s unclear how the district determined that up to 12,000 current and former educators were affected. No one, including the school district, had previously been able to access the breached records, Victor Morente, a spokesman for the state Department of Education, said in a phone call Wednesday.

“No one had actually gone to look at the records,” he told The 74, although the district said it was conducting an ongoing analysis.

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. Public education officials are “working closely with the district” to recover from the ransomware attack, Morente said.


The leak includes the 2024-25 Individualized Education Program for a 4-year-old boy who kindergarten educators said had “significant difficulty maintaining attention on task” and who “wandered around the classroom aimlessly.” Another special education plan notes that a 3-year-old boy “ran randomly around the room humming the tune of ‘The Wheels on the Bus,’ pushing chairs and throwing things.”

A single spreadsheet lists the names of some 20,000 students and demographic information, including their disability status, home addresses, contact information and the names of their parents. Another includes information about their race and languages spoken at home.

Under the state’s data breach notification law, schools and other municipal agencies are required to notify affected individuals within 30 days, but only after an investigation determines that the breach “presents a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information, and email login credentials.

A “termination list” included in the breach lists the names of more than 600 district employees who were fired between 2002 and 2024, including an art teacher who “retired in lieu of being terminated” and a college English teacher who “resigned for cause.” agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — of workplace accommodations for obsessive-compulsive disorder, anxiety and panic attacks that made her “less effective as an educator if I am not supported with accommodations because I cannot sleep at night.”

In a leaked April 2024 email, a senior central office administrator asked the state attorney general for a concealed handgun permit, noting that they “have a safe at work as well as a safe at home.”

Threat actors from the Medusa ransomware gang, which cybersecurity researchers believe to be Russian, took credit for the September attack. The group, which repeatedly used students’ highly personal records as part of its extortion scheme, posted about Providence Public Schools on its dark web blog where it demanded $1 million.

While ransomware gangs have long limited their activities to the dark web, Medusa is “fearless and flashy,” according to cybersecurity firm BitDefender. After Medusa reveals its latest target on its dark web “name and shame blog,” it then showcases the victim’s stolen records in a video on a fake tech blog that appears to be directly linked to the attackers.

The files are then made available for download on Telegram. While accessing the dark web requires special tools and some know-how, a download link to the Providence files and those of other Medusa victims is available with little more than a Google search.

Medusa’s attack and Providence’s response are similar to those of other school districts over the past two years. After Medusa claimed responsibility for a 2023 ransomware attack on the Minneapolis school district – what local officials loosely called an “encryption event” – threat actors disclosed vast archives of stolen files, including school-by-school safety plans and documents describing campus rape cases, child abuse investigations, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people that their information had been stolen in a Medusa cyberattack in July 2023 – and only after a joint investigation by The 74 and The Acadiana Advocate triggered an investigation by the Louisiana Attorney General’s Office.

The Providence District records available on Telegram are comprehensive, totaling more than 337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes a large amount of personally identifiable information. Although the group focuses on stealing sensitive records – such as those relating to student civil rights investigations, security plans and financial records – the total number of data breach victims in the Providence district is unknown.

Headquarters of the Providence School Department, Providence, RI, 09/24/24. (Lane Turner/Globe Staff)

The personally identifiable information is closely linked to more mundane documents hosted on the hacked school district’s server, including vet bills for a high school teacher’s German shepherd named Sheba and a recipe for barbecue pulled chicken sliders with pineapple coleslaw.

The Providence school district shut down its network on September 11 after detecting “irregular activity” and has been working to restore it ever since. School officials confirmed it was a hack on September 25, the same day Medusa’s ransom deadline expired.

“Through the investigation, which is currently ongoing, we have recently obtained confirmation that unauthorized access occurred on our network,” Superintendent Javier Montañez wrote in a letter to families and staff on September 25.

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there may be concerns that these purported documents may contain personal information.”

Three days later, on September 28, hundreds of thousands of files were available for download on Telegram.

This story was reported by The 74 and supported by a grant from the Fund for Investigative Journalism.