A group of hackers, identified as SingularityMD, has breached the JeffCo Public Schools system, stealing sensitive information on employees and students. The hackers have demanded a $15,000 ransom in cryptocurrency to destroy the data, threatening to release it to the dark web if their demands are not met.
“Your overall approach to cyber security is too relaxed,” Anihi Blep, likely an alias, wrote in an Oct. 31 email to several district executives, including Superintendent Tracy Dorland.
According to emails obtained by The Denver Gazette, the hackers gained access to a trove of personal information, including:
- Staff phone numbers, home addresses, titles, and other undisclosed information
- Student information, including school email addresses, emergency contact names, phone numbers, emails, and birthdates
- Individualized Education Program (IEP) documents, which contain sensitive healthcare information, such as prescribed medication and clinical diagnoses
The hackers claim that the cyberattack was not politically motivated but rather a “business transaction.” They have provided JeffCo officials with a 1-gigabyte sample of the stolen 40-gigabyte dataset.
According to the complaint, the Clark County officials did not acknowledge the security breach “was a ransomware attack, that the information is being publicly released, that it includes highly sensitive information, including medical information, or that the third-parties responsible for the attack may still have access to all of the District’s information,” per the Denver Gazette.
District’s Response
“Jeffco’s Information Technology team is working together with cybersecurity experts and law enforcement to determine the credibility of the attack and scope of the incident,” officials said in a Nov. 1 statement.
Legal Implications
The cyberattack on JeffCo Public Schools could have significant legal repercussions for the district. In Nevada, parents of Clark County School District students filed a class-action lawsuit against the district after it suffered a similar cyberattack in October. The lawsuit alleges that the district failed to implement adequate security measures to protect student data.
Colorado Law
Colorado law requires government agencies to report data security breaches within 30 days of discovery to the Attorney General’s Office if the breach affects 500 or more Coloradans. It is unclear how many data breaches have occurred among Colorado agencies.