When Celeste Gravatt first heard about a data breach in her kids’ school system in February 2023, it sounded innocuous.
“I didn’t really think anything of it at first,” Gravatt says.
Officials at Minneapolis Public Schools called it a “system incident,” then “technical difficulties,” and finally, “an encryption event.”
Gravatt has two children who have already graduated from Minneapolis schools, and one who is currently in middle school. She says it was only when she checked social media that she realized the true extent of the attack, and what it could mean for her kids.
Minneapolis Public Schools had been hit by what experts describe as one of the most devastating cyberattacks ever. Hackers stole district data, including files where children were identifiable, and then demanded the district pay a ransom for it. When district officials refused, the hackers released the data online. It included Social Security numbers, school security details and information about sexual assaults and psychiatric holds.
Minneapolis Public Schools did not make any officials available for an interview. In a written statement, the district said it sent written notice of the attack to more than 105,000 people who may have been impacted by it.
“This breach was actually really huge,” Gravatt says. “And it wasn’t just school records. It was health records, it was all sorts of things that should be privileged information that are now just out there floating around for anybody to buy.”
It’s an example of a growing nationwide trend in which hackers are targeting a surprising group of people: young public school students.
As school districts depend more on technology, cyberattacks against those systems, and the sensitive data they store, are on the rise. While it’s hard to know exactly how many K-12 school systems have been targeted by hackers, an analysis by the cyber security firm Emsisoft found 45 districts reported they were attacked in 2022. In 2023, that number more than doubled, to 108.
The consequences of these data breaches can follow students well into adulthood.
School system data – which can include discipline information, special education records, medical histories and more – can be held hostage, with hackers threatening to release sensitive information if districts don’t pay a ransom, as they did in Minneapolis. The data can also be used to steal a child’s identity.
“As it turns out, the identity information of children is actually more valuable to them than that of adults,” says Doug Levin, director of the K12 Security Information eXchange, a nonprofit that helps protect school districts from cybersecurity risks.
He says stealing a child’s identity may seem counterintuitive because they don’t have resources of their own, but it can cause “a lot of havoc.” Parents don’t necessarily monitor their children’s credit and bad actors can easily open up bank accounts, rack up debt and apply for loans in a child’s name.
“And as a result, cyber criminals can abuse the credit records of minors for many, many years before the victims learn about it,” Levin says.
Schools store a lot of data
There’s a misconception that the only sensitive data schools have are “Johnny and Susie’s algebra grades,” Levin says.
It’s actually so much more. Districts have data on everything from a child’s allergies and suspensions to household income and court orders.
“School systems’ educators can be a little bit like pack rats,” Levin explains. “And so there’s a lot, a lot of information that is collected over time, and it’s often not deleted when it’s no longer necessary.”
Gravatt calls the Minneapolis attack “an extreme breach of privacy,” and says she felt violated, both for her children and also for herself. As a former Minneapolis Public Schools student, she also had data in the system.
Advocates also point out that Black and brown students are especially vulnerable when a school system gets hacked. For example, according to a report by the Minnesota Department of Human Rights, Black students in the state are eight times more likely than a white student to be suspended or expelled.
“So that also means that more of their information is being input into the system,” says Marika Pfefferkorn. She co-founded the Twin Cities Innovation Alliance to educate and empower parents about how data collected about their children could be misused.
Pfefferkorn says the more information collected on a student – whether it’s about housing, custody or free lunch – the more vulnerable they are after a data breach.
The long-term consequences can be devastating for students
Stolen student records can also come back to haunt children into adulthood.
Say a student has a history of drug use that’s been successfully overcome; or they have disciplinary records that should have been expunged, but are now publicly available. That information could resurface in college applications, job interviews or in court hearings.
“Even having information on suspensions might mean that a young person might receive a harsher sentence,” Pfefferkorn says.
After the Minneapolis breach, Pfefferkorn says some students whose sexual assault records were made public were doxed and bullied by their peers.
Levin, the cyber security expert, says some information can be devastating if it’s made public.
“Given how polarized the public is today about issues like gender identity, about maybe even pregnancy or immigration status, if some of that information became public for specific individuals at specific points in time, it could be absolutely life threatening.”
Recovering from an attack can be overwhelming for families
Minneapolis Public Schools says it provided impacted individuals with free credit monitoring services for one year, as well as guidance on how to protect against identity theft and fraud.
That guidance included a long list of steps families should take, such as placing “a fraud alert and security freeze on one’s credit file,” contacting national consumer reporting agencies and, if they suspect attempted identity theft, reaching out to the Federal Trade Commission, their state attorney general and local law enforcement.
“It felt really, really overwhelming,” says Minneapolis parent Rachael Flanery. She thinks it’s unrealistic to believe parents have the time or capacity to do everything the school district suggested.
So in the end Flanery, who has two young children in the school system, says she did nothing.
“I tried to just kind of be an ostrich about it, right? I put my head back in the sand, and I kind of was in the mindset of, well, if there’s a knock on my door and [someone] tells me my 7-year-old just bought a boat, I’ll show him where he is! And hopefully it won’t be hard to get the charges reversed.”
Her family has since moved to a different school district, but Flanery says the whole experience was scary. As a parent, she’s always been concerned about her children’s physical safety. Now, cybersafety is another thing she’s worried about.
Parent Celeste Gravatt is also concerned. She locked her kids’ credit so that no one could open accounts in their names. She’s especially worried that one of her kid’s health information will be made public. She still feels anxious when she thinks about it.
“I’m not what I would call a tech savvy person. So I do wonder, like, if somebody were to obtain information that they shouldn’t have, would I even know till it was too late? I don’t know.”
Edited by: Nicole Cohen
Visual design and development by: LA Johnson
Audio story produced by: Lauren Migaki
Transcript:
MARY LOUISE KELLY, HOST:
Hackers are targeting a surprising group of people – young public school students.
DOUG LEVIN: As it turns out, the identity information of children is actually more valuable to them than that of adults.
KELLY: Doug Levin. He is director of the K-12 Security Information Exchange, a nonprofit that helps protect school districts from cybersecurity risks. And he is busy these days because cyberattacks against school systems are on the rise. Kavitha Cardoza reports on what is at stake for students and their families when their school districts are attacked by cybercriminals.
KAVITHA CARDOZA, BYLINE: When Celeste Gravatt first heard about a data breach in her kids’ school system last year, it sounded innocuous.
CELESTE GRAVATT: I didn’t really think anything of it at first.
CARDOZA: Officials at Minneapolis Public Schools called it a system incident, then technical difficulties and an encryption event. It was only when Gravatt checked social media that she realized the true extent of the cyberattack and what it could mean for her kids.
GRAVATT: And then it was like, OK, well, this breach was actually really huge. And it wasn’t just, like, school records. It was health records. It was all sorts of things that are, you know – should be privileged information that are now just out there, floating around for anybody to buy.
CARDOZA: Minneapolis had been hit by one of the most devastating school cyberattacks ever. Hackers gained access to the files of more than a hundred thousand people, including files where children were identifiable. The data, which the hackers released online, included information about sexual assaults, psychiatric holds and school security maps. Gravatt says she felt violated.
GRAVATT: It was an extreme breach of privacy.
CARDOZA: Minneapolis Public Schools confirmed the details of the incident but declined to speak to NPR for this story.
LEVIN: I think there’s a misconception that what schools have are just Johnny and Susie’s algebra grades.
CARDOZA: Doug Levin, the cybersecurity expert, says it’s so much more. Over the past few years, as school systems depend more on technology, hackers have increasingly targeted them for their sensitive data – data they can use to steal a child’s identity or which they threaten to release if officials don’t pay ransoms.
LEVIN: It is affecting people not just currently in school but who used to go to school or used to work in a school system.
CARDOZA: In 2022, 45 districts reported they were attacked. Last year that number more than doubled. That’s according to the cybersecurity firm Emsisoft. Districts have data on everything from a child’s medications and discipline records to household income and court orders.
LEVIN: School systems, educators can be a little bit like pack rats. And so there’s a lot of information that is collected over time, and it’s often not deleted when it’s no longer necessary.
CARDOZA: Stealing a child’s identity may seem counterintuitive because they don’t have resources of their own.
LEVIN: But their identities can be stolen to create a lot of havoc.
CARDOZA: They can open bank accounts, rack up debt, apply for loans.
LEVIN: And as a result, cybercriminals can abuse the credit records of minors for many, many years before the victims learn about it.
CARDOZA: Black and brown students are especially vulnerable when a school system gets hacked. In Minnesota…
MARIKA PFEFFERKORN: Black students are eight times more likely than a white student to be suspended.
CARDOZA: That’s Marika Pfefferkorn, an advocate in Minneapolis.
PFEFFERKORN: So that also means that more of their information is being input into the system.
CARDOZA: She co-founded the Twin Cities Innovation Alliance to educate parents about the misuse of data. Pfefferkorn says the more information collected on a student, whether it’s about discipline, special education or free lunch, the more vulnerable they are after a data breach.
PFEFFERKORN: And I think about all the different domains where Black and brown people – whether it’s housing, health care, all of these things – it actually shows up in the school district and what information they’re collecting.
CARDOZA: Pfefferkorn says communities of color are overrepresented. And while the immediate concern about identity theft is bad enough, there are also the long-term implications if the stolen data resurfaces years later. Say a student has a history of drug use that’s been successfully overcome or disciplinary records that should have been expunged but are now publicly available.
PFEFFERKORN: It might be when you’re applying for college scholarships.
CARDOZA: Or job interviews or a court hearing.
PFEFFERKORN: Even having information on suspensions might mean that a young person might receive a harsher sentence.
CARDOZA: And then there are students whose sexual assault records have been released.
PFEFFERKORN: There have been stories about these students being doxxed or their peers actually posting information about them and bullying them.
CARDOZA: Levin, the cybersecurity expert, says some information can be devastating if it’s made public.
LEVIN: Given how polarized the public is today about issues like gender identity, maybe even pregnancy or immigration status, if some of that information became public for specific individuals at specific points in time, it could be absolutely life-threatening.
RACHAEL FLANERY: It felt really, really overwhelming.
CARDOZA: Rachael Flanery has two young children whose data was stolen in the Minneapolis cyberattack. She received the district’s guidance, which included free credit monitoring services and instructions for credit freezes and fraud alerts. But she says it’s unrealistic to think parents have the time or capacity to do all that.
FLANERY: Freeze this. Do this. Send a copy of your birth certificate and Social Security number here. Call this number. If you fill out this form, you’ll get so many months of free credit monitoring.
CARDOZA: In the end, she did nothing.
FLANERY: I tried to just kind of be an ostrich about it, right? I put my head back in the sand. And I kind of was on the mindset of, well, if anyone knocks on my door and tells me my 7-year-old just bought a boat, I’ll – yeah, I’ll show him where he is. And hopefully it won’t be hard to get the charges reversed.
CARDOZA: The family has since moved, but Flanery says the whole experience was scary. As a parent, she’s always been concerned about her children’s physical safety. Now, cyber safety is another thing to worry about.
GRAVATT: I’m not what I would call a tech-savvy person.
CARDOZA: Parent Celeste Gravatt is also worried. She has two children who have graduated from Minneapolis Public Schools and another who’s currently in the seventh grade. Gravatt locked her kids’ credit so no one could open accounts in their names. She’s especially concerned about one of her kids’ health information being made public. She still feels anxious when she thinks about it.
GRAVATT: I do wonder if somebody were to obtain information that they shouldn’t have, would I even know till it was too late? I don’t know.
CARDOZA: Advocates say the biggest fallout from cyberattacks is that communities become even more wary of their schools at a time that trust is needed more than ever. For NPR News, I’m Kavitha Cardoza.
(SOUNDBITE OF MOONSTARR’S “DETRIOT”)