Glendale Unified School District Suffers Ransomware and Data Breach

The Medusa Locker ransomware gang continues to victimize students, families and employees with ransomware and theft of sensitive documents containing personal information. Among the latest victims is Glendale Unified School District.

On January 10, 2024, Glendale Unified School District (“GUSD”) reported to the California Attorney General’s Office that it became aware of suspicious activity on its network on December 6, 2023. It is unclear exactly how long the cyberthieves had access to personal information on District servers, but it appears to be at least a month.

Cyberthieves Demand $1,000,000 For Deletion or Download of Stolen Files

On December 11, the leak site for Medusa Locker took credit for the ransomware attack and demanded $1,000,000 to either delete or download the stolen data, with a countdown clock that indicated the District had approximately 10 days to respond.

Such warnings are ignored at the District’s peril.

In February 2023, Medusa Locker hacked into the Minneapolis Public School District (“MPSD”) and held its data for a $1 million ransom. That school district initially said that it refused to pay and had restored its own systems from backups. However, the Medusa gang later released approximately 100 GB of data it claimed was from MPSD onto the open web.

NBC News reviewed some of those files and found a highly distressing amount of student personal and medical data, including information about special needs, intelligence testing, abuse allegations, and medications.

According to Cybernews, a publication focused on cybersecurity investigation and journalism, the over 90 documents it reviewed that Medusa Locker posted in connection with this GUSD breach and the concurrent breaches of two other school districts also contain extensive databases of personal information. Cybernews was able to view student names, ID numbers, special education needs, assessments, pictures, parent information, student after-care schedules and, in some cases, positive Covid-19 test results.

To Date, Glendale Unified Only Identifies Employee Data at Risk

So far, the Notice provided by GUSD (available here) states that the following types of employee data have been identified by the district as being at risk:

  • Names
  • Addresses
  • Dates of Birth
  • Social Security Numbers
  • Driver’s License Numbers
  • Financial Account Information

A complimentary one-year membership to Experian IdentityWorks is being offered to GUSD employees who receive the Notice. But this may be inadequate for the protection of Social Security information.

Attackers can wait for many years to use personal data, particularly Social Security numbers. As of this writing, no notice appears to have been sent to students or their families. However, Glendale Unified did require students to reset their passwords over the winter break and posted a notification regarding the extensive set of systems the District needed to “restore.”

California Data Breach Laws Provide Protection

If you or your student had personal data accessed by Medusa Locker as part of the GUSD data breach, you may be entitled to $1,000, your damages, injunctive relief (to ensure that GUSD has reasonable security practices to protect personal data from being leaked again and notifies affected people promptly and properly in the event of a breach), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

California has laws that specifically protect your personal information, such as:

  • The California Confidentiality of Medical Information Act (CMIA), which requires that medical information be maintained in a manner that preserves its confidentiality. If applicable, the CMIA provides for an award of statutory damages of $1,000.
  • Article I, Section I of the California State Constitution provides that every person in the State of California has an inalienable right to privacy. This includes a legitimate expectation of privacy in your personal and medical information. Under the California Constitution, all state residents are entitled to the protection of this information against disclosure to unauthorized third parties.

Additionally, student records are protected by the Family Educational Rights and Privacy Act (FERPA), and prompt notice may be required under the California Customer Records Act.

Personal Data Held By Schools Is an Attractive Honeypot for Hackers

As noted by the California Cybersecurity Integration Center (Cal-CSIC), “California’s Education Sector presents a sizable target for cybercriminals… These networks often contain highly valuable research and personal information. The convoluted, multi-tiered systems, coupled with a workforce that is generally underfunded and not versed in practical cybersecurity practices, present several potential avenues of attack for cybercriminals.”

Moreover, personal and financial data of young adults is particularly attractive to cyber-thieves because they can retain the data for years before it is used to commit identity theft or other cyber-crimes.

“Student information is something that must be handled with great care. [. . .] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” Source: Kamala Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).