I-TEAM INVESTIGATION: Major TPS data breach exposes personal information of students, staff

School district confirms communication with hackers.
The 13abc I-Team has uncovered a massive breach of personal data belonging to students and staff of Toledo Public Schools.
Published: Oct. 16, 2020 at 1:47 PM EDT

TOLEDO, Ohio (WTVG) - 13abc has learned about a major data breach of the Toledo Public School system, exposing huge quantities of personal information, including social security numbers, for both students and staff. The I-Team was first alerted to the breach by a tip sent to our newsroom.

While it is unclear when this breach occurred, the Toledo Public School system was attacked back in early September, forcing the district to take the system down to protect it from harm. At the time, that attack was described to the 13abc I-Team as a Distributed Denial of Service (DDoS) attack, in which hackers bombard a website or server with requests in an effort to overwhelm the system and knock it offline. These types of attacks are inconvenient for the victims but usually do not involve the theft of information.

The data discovered by the I-Team on Friday reveals that the district was at some point subject to a much greater breach of security known as a ransomware attack. This style of cybercrime occurs when a piece of malware is introduced to a school or corporate server through something as simple as an infected link or an e-mail attachment disguised as legitimate communication. Once downloaded to the system, the perpetrators are able to use the malware to access and encrypt data, including personal information stored in secure files. The hackers then hold that data for ransom, demanding payment, usually in the form of Bitcoin or other cryptocurrencies. If the victims fail to pay, the hackers dump the collected data online, exposing huge amounts of personal information, including social security numbers.

Brett Callow, a Threat Analyst with Emsisoft, tells 13abc that the name “ransomware” has become a bit of a misnomer over time. Hackers are more likely to gain access to an organization’s system using a series of tools, then move throughout the network to find data before ever deploying the ransomware program itself. According to Callow, “attackers have access to a network for 56 days before they start encrypting files - which is the point at which the org realizes it has a problem.”

Callow also says Toledo Public Schools is one of 68 school districts and colleges that have been the victim of a ransomware attack this year, “potentially disrupting learning at up to 1,340 individual schools.”

13abc has confirmed that data stolen from Toledo Public Schools is among the most recent information dump from the hacker group known as the Maze Cartel (named for the Maze ransomware used by the group). That information includes the names and social security numbers of students as well as faculty and staff in the district. Those are just some of the databases the I-Team was able to view. Other information 13abc has found after looking at this breached data includes information on alumni databases, homeschooling, and foster child information.

While the I-Team cannot confirm when this data was initially accessed, according to Callow, Toledo Public Schools first appeared on Maze’s site on or shortly before September 14th, which means the attack likely occurred a few days prior. He could not, however, confirm on what date the data was published.

A representative from Toledo Public Schools released a statement on Friday afternoon saying the district was alerted to a possible breach of personal data by the media, including 13abc. The statement reads, in part: “Upon learning of this information, TPS immediately notified our legal team and cyber security experts to investigate the full scope of this incident, including whether any TPS data was impacted. We will follow all processes as required by law and support our staff, students, and families in the event this breach has impacted them. We will continue to be transparent and cooperate fully as more information becomes available.”

In a statement released November 5, TPS officials confirmed they had received “communication from the hackers which referenced a ransom but we can’t provide further details at this time due to the ongoing investigation.”

Copyright 2020 WTVG. All rights reserved.