Sep 29, 2020 17:00:00

Why was the school where the personal information of 320,000 people was leaked deemed 'there was no problem with the leaked content'?

In a recent incident, hackers published personal information, including the names and addresses of approximately 320,000 students attending a large school district online. While the fact that the school allowed the hackers to gain access is problematic, the content of the data illegally published by the hackers is deemed 'not a major problem' under certain laws.

Ransomware Threat Actors Dump Data on Clark County School District Employees and Students

https://www.databreaches.net/ransomware-threat-actors-dump-data-on-clark-county-school-district-employees-and-students/

Hacker Releases Information on Las Vegas-Area Students After Officials Don't Pay Ransom - WSJ
https://www.wsj.com/articles/hacker-releases-information-on-las-vegas-area-students-after-officials-dont-pay-ransom-11601297930

The victims were approximately 320,000 students attending Clark County School District (CCSD) , a school district in Las Vegas. Hackers illegally locked out the school's servers and demanded money from the school in exchange for unlocking them. When the school refused, the hackers published students' personal information, including their names, grades, dates of birth, addresses, and the names of their schools, online.

The Wall Street Journal said the disclosure of students' personal information 'marks an escalation in hackers' tactics targeting schools that rely heavily on online learning during the coronavirus pandemic.'

However, under

the Family Educational Rights and Privacy Act (FERPA) , CCSD allows schools to release some student information to the public as 'directory information.' Schools can decide what data to release to the public as directory information, and CCSD was allowed to release a student's name, address, grade, date of birth, place of birth, years of attendance, degrees, awards, schools attended, clubs and sports teams, and, if a student is on a sports team, their weight and height.

Given FERPA, the data exposed by the hackers may not be considered classified information. Dissent Doe, who runs the security news site DataBreaches.net, said he has actually reviewed the data released by the hackers and commented, 'So far, we have not found any truly sensitive information, such as student medical records, disciplinary records, social activity or psychological records.'

However, Dissent Doe pointed out that even though the data exposed by the hackers was not sensitive, we should not be optimistic. 'What the hackers did was disrupt the functioning of the school district and took away resources that could have been used for other tasks,' he said. 'Each hacker's attack is different, so we need to be prepared to counter and recover from a variety of attacks. However, it is very dangerous to assume that hackers are always obtaining only sensitive data.'