The headquarters of Tucson Unified School District.

Cybercriminals made off with confidential data about Tucson Unified School District employees and students and put it on the dark web for public access, Bloomberg News reports.

After the ransomware attack in late January, TUSD officials said for weeks that there was no proof sensitive data was stolen.

โ€œBut Bloomberg News found that cybercriminals made off with gigabytes of files, containing tens of thousands of current and former employeesโ€™ Social Security numbers and other confidential records. They then uploaded the information in February to the dark web for anyone to access with an easily downloadable browser,โ€ Bloomberg reporter Jack Gillum found.

โ€œExamples of the leaked files include a high schoolerโ€™s medical records; another detailed arguments for expelling several students,โ€ the report said.

Bloomberg found more than 16,000 numbers and birth dates tied to current and former employees on the dark web.

โ€œAnother leaked document included โ€˜confidential recordsโ€™ concerning a high school studentโ€™s diabetes diagnosis and instructions for their insulin injections,โ€ the Bloomberg report said, adding that the studentโ€™s parents did not respond to inquiries seeking comment.

TUSD data is still available on the dark web for downloading, Gillum confirmed to the Arizona Daily Star on Friday, May 5.

โ€œThere are documents showing a confidential settlement agreement with Joann Anderson, a former employee who had previously sued Tucson Unified School District in federal court, alleging discrimination,โ€ Bloombergโ€™s article said. It quoted Anderson as saying a school district lawyer had recently told her there was no evidence of a data breach and that nothing was taken.

District Superintendent Gabriel Trujillo was on personal leave and unavailable to comment, TUSD communications director Leslie Lenhart said.

When asked by the Star about Bloombergโ€™s findings, Lenhart provided an email Trujillo sent to staff and families on April 25, a week after the Bloomberg report, updating them on the situation.

Trujillo confirmed in the email that a large amount of sensitive and confidential employee data was accessed and taken.

โ€œOur cyber-security forensic experts are working to confirm, on a person by person, employee by employee basis, the validity of any personal and confidential information that has been posted or published online, particularly social security numbers, birth dates or any other personal health or financial information,โ€ Trujillo wrote.

โ€œThis requires the team to review tens of thousands of documents and files at a time as well as to determine if each file can be linked to a current or former TUSD employee, parent or student. This work, which is part of our ongoing investigation is time consuming and has not yet been completed. For this reason, we have made no further statements about the validity of any district information that may have been posted on the dark web.โ€

Trujillo encourages employees and families to โ€œremain vigilantโ€ and monitor all banking information, accounts and credit-related information, the email said. If the investigation determines that confidential information was compromised, those affected will receive individual communications on behalf of TUSD.

The district will also work with the Arizona Risk Retention Trust to determine the support and services that will be available if the investigation reveals Social Security numbers were breached, the email said.

Ravi Shah, president of the TUSD Governing Board, declined to comment to the Star on the Bloomberg findings and referred questions to district officials.

Lenhart said TUSD didnโ€™t engage with the attackers or pay a ransom.

A ransomware group called Royal, active internationally, was responsible for the โ€œcyberterrorismโ€ attack, Trujillo previously confirmed.

Trujillo told the district governing board in February he was asking โ€œthe community for patienceโ€ because, โ€œout of an abundance of caution ... we are very limited in what we can sayโ€ about specific security steps and other details.

Officials have high confidence two critical district systems, for finance/human resources and student information, are secure, the board was told then by Rabih Hamadeh, TUSDโ€™s executive director of technology services.

Hamadeh said TUSD did a โ€œmassive password changeโ€ for all teachers, students and staff after the attack, and would conduct training for all about new security measures.

He also said that as budget constraints allow, the district will start a phased approach to transition to more cloud computing and cloud storage, under which companies such as Amazon, Google and Microsoft are โ€œresponsible with us for protecting your data.โ€

CNET reports that on Jan. 26, the U.S. Department of Justice (DOJ) said it disrupted the operations of Hive, a ransomware group. The department began infiltrating the group in July 2022.


Become a #ThisIsTucson member! Your contribution helps our team bring you stories that keep you connected to the community. Become a member today.

Jamie Donnelly covers breaking news for the Arizona Daily Star. Contact her via e-mail at jdonnelly@tucson.com