Students and teachers at the Minneapolis Public School (MPS) District, which suffered a huge ransomware attack at the end of February, have had highly sensitive information about themselves published on the web, including allegations of abuse by teachers and psychological reports.
MPS initially said that it had refused to pay a US $1 million ransom to its extortionists, and that it had successfully restored its encrypted systems via backups.
However, the Medusa hacking group who attempted to blackmail MPS had not just encrypted the school district's data but had also exfiltrated their own copy of it, which was ultimately published on the internet and promoted through links on a Telegram channel.
In all, approximately 100 GB of what was claimed to be data from the MPS District was published on the public internet, alongside a video summary showing some of the contents.
NBC News was amongst those who examined some of the files, and was alarmed by what it found.
Contained in the published data were:
But the sensitive data didn't end there. According to the report, the leak also revealed reports of abuse:
"The leaked files also include hundreds of forms documenting times when faculty learned that a student had been potentially mistreated. Most of those are allegations that a student had suffered neglect or was physically harmed by a teacher or student. Some are extraordinarily sensitive and allege incidents like a student’s being sexually abused by a teacher or by another student. Each report names the victim and cites birthday and address."
Furthermore, NBC News described leaked reports that detailed allegations of sexual abuse involving named individuals, and a teacher said to have had romantic relationships with students.
This is all, of course, appalling. But the situation is made worse by the fact that the data stolen by the Medusa hacking group has not taken the conventional course of being published on a dark web leak site, but has instead been published on a conventional website that does not need a specialist tool like Tor to access it.
Posts bragging about the hacks, and then pointing to the leak website, have been published on social media - increasing the potential for the highly damaging information to be seen by an even larger audience.
MPS says that it is attempting to have the leaked data removed from these public webpages, but for now - at least - they're still available.
It's quite clear that the Medusa group is revelling in the chaos it is causing, and feels no guilt about the impact it has on vulnerable, innocent young people.
While some ransomware gangs have sometimes apologised and even occasionally offered free decryption tools after hacking schools, it's clear that there are many other criminal groups who have no qualms about the harm their attacks can cause.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.