Student And Staff Data From Area School District Were Dumped On The Dark Web, And Parents And Staffers Had No Clue
CHICAGO (CBS) -- If your child's school gets hacked and their personal information gets stolen, you might never hear about it.
CBS 2 found one southwest suburban school district that was targeted. Private information was taken, with parents and staff caught completely off guard. That is -- until CBS 2 Investigator Dana Kozlov told them.
Kozlov cold-called suburban strangers from names on a list the CBS 2 Investigators pieced together. She called to alert them that CBS 2 had found some of their most private details publicly exposed on the dark web.
Everyone reached had no idea their information was stolen, or how it happened.
"Think of it as a cyber bomb," said Crane Hassold, Director of Threat Intelligence at Abnormal Security. "It goes off, locks up all the data, shows the ransom note, and the situation goes from there."
Hassold is explaining ransomware. He said it is a kind of cyberattack that holds sensitive and personal data hostage until payment is made. Hard-to-trace cyber swindlers are the culprits.
"They also say if you don't pay us by a certain date, they will expose all of the information they've locked up to everyone on the internet," said Hassold.
It's a dark web data dump, if you will, often following a ransom note. School districts have become prime targets.
"We launched just last year, because of the threats facing the school sector," said Doug Levin, who heads the non-profit K12 Security Info Exchange (K12 SIX). He has documented nearly 1,200 school cyber incidents since 2016 nationwide.
All of those attacks were publicly exposed. However, Levin said, "What those practitioners told me is that what I am seeing in publicly disclosed incidents is only the tip of the iceberg."
It is the tip of the iceberg when it comes to the actual number of cyber threats facing school districts. But why?
"Student data itself is considered among the more valuable things that criminals can get a hold of, because they have pristine credit records," said Levin.
The CBS 2 Investigators submitted public records requests to 60 of Illinois' 850 school districts, asking for any correspondence about cyber breaches – including ransomware. Palos Community Consolidated School District 118 acknowledged two cyber-attacks in September and December of last year.
The district's internal emails and a notice on its website mention the attacks and report that security audits were conducted and there was "no reason to believe that personally identifiable student or staff information was breached or otherwise compromised."
However, it didn't take the CBS 2 Investigators long to find out that's wrong.
"You can see these are all of the different files," said Hassold.
His data dive on the dark web turned up dozens of internal District 118 files – all the result, he said, of a ransomware attack. He found especially sensitive information among the files.
"There's a big, whole bunch of data here around testing scores," he said.
That's not all. We found even more private information about new and old students. Some files reveal their names, addresses, and birthdates. Then there were the employee W-4 tax forms, which include Social Security numbers. Some of those forms go back all the way to 1988 – more than 30 years.
"It also shows you that it's likely not just current employees of the school district that have been victimized," said Hassold.
Name, address, birthdate, Social Security number – some combination of those is all a bad actor needs to begin the process of stealing an identity.
"Yeah, absolutely," Hassold said. "So these specific pieces of information can be used to do things like file fraudulent tax returns. They can be used to file fraudulent unemployment claims."
CBS 2 alerted the district to the exposure of sensitive data. In a Sept. 9 email reply, a district spokesperson said once again they knew of no personal information compromised during the two breaches last year. Perhaps that's why, when we reached out to several parents, they told us they had no idea their children's information had been stolen. Former staff members we called also had no clue.
It's clear Palos didn't realize just how bad their data breaches were. Yes, they put a notice up about it on the district website. But school districts in Illinois don't actually have to tell the state Board of Education or the state Department of Innovation and Technology about cyberattacks – making them tough to trace.
"This is a huge issue," said Illinois state Rep. Lamont J. Robinson (D-Chicago), who chairs the Cybersecurity Data and Analytics Committee.
After the CBS 2 Investigators told Robinson about the lack of transparency and tracking, he took steps to up the state's school cyber security game.
Rep. Robinson plans to introduce legislation in November requiring all districts to report cyber breaches to Springfield.
"Students' grades, someone's Social Security information or home address should not get out in the wrong hands," Robinson said. "That information should be secure."
He believes mandatory reporting will help reveal the true scope of cyber-attacks, ransomware incidents, and other cyber security gaps when it comes to K-12 education. With more awareness and tracking, the state's experts could help local districts – many of them small and rural – protect against and recover from the breaches.
State experts could also help districts discover if sensitive information was taken.
As for Palos, we sent screenshots of the district's dark web data files to Supt. Anthony Scarsella. He thanked us, adding they'd be turning over the information our investigation uncovered to their insurance carrier for review with the team that conducted those audits.
A District 118 spokesperson would not say whether the criminals demanded a ransom or if one was paid. Our cyber expert says one way to stop ransomware attacks is to regulate cryptocurrency, which is the attackers' preferred method of payment.