The headquarters of Tucson Unified School District.

Cybercriminals made off with confidential data about Tucson Unified School District employees and students and put it on the dark web for public access, Bloomberg News reports.

After the ransomware attack in late January, TUSD officials said for weeks that there was no proof sensitive data was stolen.

“But Bloomberg News found that cybercriminals made off with gigabytes of files, containing tens of thousands of current and former employees’ Social Security numbers and other confidential records. They then uploaded the information in February to the dark web for anyone to access with an easily downloadable browser,” Bloomberg reporter Jack Gillum found.

“Examples of the leaked files include a high schooler’s medical records; another detailed arguments for expelling several students,” the report said.

Bloomberg found more than 16,000 numbers and birth dates tied to current and former employees on the dark web.

“Another leaked document included ‘confidential records’ concerning a high school student’s diabetes diagnosis and instructions for their insulin injections,” the Bloomberg report said, adding that the student’s parents did not respond to inquiries seeking comment.

TUSD data is still available on the dark web for downloading, Gillum confirmed to the Arizona Daily Star on Friday, May 5.

“There are documents showing a confidential settlement agreement with Joann Anderson, a former employee who had previously sued Tucson Unified School District in federal court, alleging discrimination,” Bloomberg’s article said. It quoted Anderson as saying a school district lawyer had recently told her there was no evidence of a data breach and that nothing was taken.

District Superintendent Gabriel Trujillo was on personal leave and unavailable to comment, TUSD communications director Leslie Lenhart said.

When asked by the Star about Bloomberg’s findings, Lenhart provided an email Trujillo sent to staff and families on April 25, a week after the Bloomberg report, updating them on the situation.

Trujillo confirmed in the email that a large amount of sensitive and confidential employee data was accessed and taken.

“Our cyber-security forensic experts are working to confirm, on a person by person, employee by employee basis, the validity of any personal and confidential information that has been posted or published online, particularly social security numbers, birth dates or any other personal health or financial information,” Trujillo wrote.

“This requires the team to review tens of thousands of documents and files at a time as well as to determine if each file can be linked to a current or former TUSD employee, parent or student. This work, which is part of our ongoing investigation is time consuming and has not yet been completed. For this reason, we have made no further statements about the validity of any district information that may have been posted on the dark web.”

Trujillo encourages employees and families to “remain vigilant” and monitor all banking information, accounts and credit-related information, the email said. If the investigation determines that confidential information was compromised, those affected will receive individual communications on behalf of TUSD.

The district will also work with the Arizona Risk Retention Trust to determine the support and services that will be available if the investigation reveals Social Security numbers were breached, the email said.

Ravi Shah, president of the TUSD Governing Board, declined to comment to the Star on the Bloomberg findings and referred questions to district officials.

Lenhart said TUSD didn’t engage with the attackers or pay a ransom.

A ransomware group called Royal, active internationally, was responsible for the “cyberterrorism” attack, Trujillo previously confirmed.

Trujillo told the district governing board in February he was asking “the community for patience” because, “out of an abundance of caution ... we are very limited in what we can say” about specific security steps and other details.

Officials have high confidence two critical district systems, for finance/human resources and student information, are secure, the board was told then by Rabih Hamadeh, TUSD’s executive director of technology services.

Hamadeh said TUSD did a “massive password change” for all teachers, students and staff after the attack, and would conduct training for all about new security measures.

He also said that as budget constraints allow, the district will start a phased approach to transition to more cloud computing and cloud storage, under which companies such as Amazon, Google and Microsoft are “responsible with us for protecting your data.”

CNET reports that on Jan. 26, the U.S. Department of Justice (DOJ) said it disrupted the operations of Hive, a ransomware group. The department began infiltrating the group in July 2022.



Jamie Donnelly covers breaking news for the Arizona Daily Star. Contact her via e-mail at jdonnelly@tucson.com