Tucson Unified School District officials continued investigating Tuesday but refused to disclose information about a “cybersecurity incident” that caused an outage of the district’s internet and network services Monday morning.
But Margaret Chaney, president of the Tucson Education Association, said teachers were notified Monday evening that internet and network access would likely not be restored on Tuesday.
She said she believes some of the employee information stored in the district’s network includes phone numbers, addresses, Social Security numbers, and certification and disciplinary records. She added that more sensitive material, like student medical records, is likely stored on different servers.
“I’m not so concerned about that because I know that the district is well aware of the issues that are ongoing with that ... and they’re doing whatever they can to keep that safe, I’m sure,” Chaney said.
TUSD administrators declined to respond to questions about the nature of the incident and whether student or employee data was breached. The district also declined to answer a question about the kind of data stored in its network services.
District leaders sent parents an email Monday evening stating classes would continue on regular schedules Tuesday, but administrators would not confirm whether the services were still down on Tuesday.
“At this time there are no new updates,” Superintendent Gabriel Trujillo told the Arizona Daily Star in an emailed statement Tuesday. “For the moment under the direction of legal counsel, we are unable to comment further.”
“We hope to have a more detailed update for the public and the media, inclusive of the information your questions seek, very soon,” Trujillo said in his emailed statement.
The Tucson Police Department confirmed it was assisting in the investigation but referred all questions to TUSD.
Lower student attendance
Chaney said the lack of internet and network access resulted in lower student attendance at some sites and in some teachers adjusting their Tuesday lesson plans to manage without certain resources and programs.
“Unfortunately, I do believe that a lot of the resources are now all online and so that creates some barriers here and there, I think, for certain subjects,” she said, noting that substitute teachers would likely have a more difficult time delivering lesson plans without access to the online resources that teachers leave for them.
But she said teachers are resourceful and creative, and would be able to adjust their classroom activities as the district works on resolving the issue.
Royal ransomware image, demand
On Monday, some TUSD students were circulating a photo on social media of a message that schools throughout the district allegedly received through school printers. The message in the photo stated the district’s systems “were hit by Royal ransomware.”
Royal, according to the Australian Cyber Security Centre (ACSC), is a “ransomware variant that is being used by cybercriminals to conduct ransomware attacks against multiple sectors and organizations worldwide.”
Once the attackers hack into the victim’s network, ACSC states, they encrypt the victim’s data, lock the network in an unusable format, and demand a ransom to return access to the sensitive files.
ACSC says Royal ransomware was first detected in September 2022 and is likely associated with Russian-speaking criminals. It adds that Royal has targeted critical Australian infrastructure, including an educational institution in 2022.
Royal, according to ACSC, communicates with its victims by sending a ransom note to printers in the victim’s network and storing a file in place of all files that have been encrypted in that network. This note then informs the victims how to communicate with Royal to deliver the ransom.
The message in the photo circulating on social media after the TUSD incident stated network data had been encrypted and copied and could be published online for anyone to see.
To prevent that from happening, the note states, the victim can pay a “modest royalty” to have Royal decrypt the files, restore the data and keep the information confidential.