Madison Elementary School District 38 (MESD) in Phoenix, Arizona, suffered a ransomware attack in April 2025 by the threat group Interlock, which used social engineering to breach the network. The attack exposed personal information of 35,000 individuals, potentially including Social Security numbers and financial data, as suggested by the district’s offer of free identity protection services (IDX). Interlock claimed to have stolen 70 GB of data (49,000 files across 4,247 folders), including sensitive folders such as *Accounts Receivable*, *Gifts & Donations*, and employee-related records. MESD engaged cybersecurity firm Arete for forensic analysis (costing ~$21,700) to assess the breach’s scope. While the district confirmed the attack, it did not disclose whether a ransom was demanded or paid. The incident is one of the largest education-sector breaches in 2025, second only to the attack on Cherokee County School District (46,000 records). Interlock, active since October 2024, has targeted nine US educational institutions, and this attack highlights vulnerabilities in school district cybersecurity defenses.
TPRM report: https://www.rankiteo.com/company/madisonaz
{
  "id": "mad4033140092525",
  "linkid": "madisonaz",
  "type": "Ransomware",
  "date": "10/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': '35,000 individuals',
'industry': 'education (K-12)',
'location': 'Phoenix, Arizona, USA',
'name': 'Madison Elementary School District 38',
'size': '~6,000 students across 8 schools',
'type': 'public school district'}],
'attack_vector': 'social engineering',
'customer_advisories': 'free IDX identity protection services offered to '
'affected individuals',
'data_breach': {'data_exfiltration': '75 GB (claimed by Interlock); nearly '
'49,000 files across 4,247 folders',
'file_types_exposed': ['documents (Accounts Receivable, Gifts '
'& Donations)',
'images',
'videos'],
'number_of_records_exposed': '35,000 individuals notified',
'personally_identifiable_information': True,
'sensitivity_of_data': 'high (PII, financial data likely)',
'type_of_data_compromised': ['potentially Social Security '
'numbers',
'financial data',
'folder names: Accounts '
'Receivable, Gifts & Donations, '
'Images, Videos']},
'date_detected': '2025-04-07',
'description': 'Madison Elementary School District 38 (MESD) suffered a '
'ransomware attack in April 2025, conducted by the threat '
"actor group 'Interlock'. The attack involved social "
'engineering targeting a district employee, leading to the '
'potential exposure of personal information of 35,000 '
'individuals. Interlock claimed to have stolen 75 GB of data, '
'including nearly 49,000 files across 4,247 folders. The '
'district enlisted Arete for forensic analysis, which cost '
'$21,700 and involved reviewing nearly 100 GB of data. MESD '
'offered free IDX identity protection services to affected '
'individuals, suggesting that sensitive data such as Social '
'Security numbers and/or financial information may have been '
'compromised.',
'impact': {'brand_reputation_impact': 'potential damage due to exposure of '
"35,000 individuals' personal data",
'data_compromised': '75 GB (claimed by Interlock); nearly 49,000 '
'files across 4,247 folders',
'financial_loss': '$21,700 (forensic analysis cost)',
'identity_theft_risk': 'high (IDX identity protection services '
'offered, suggesting SSNs/financial data '
'exposure)',
'payment_information_risk': 'likely (IDX services offered)'},
'initial_access_broker': {'entry_point': 'social engineering targeting a '
'Madison employee',
'high_value_targets': ['Accounts Receivable',
'Gifts & Donations folders']},
'investigation_status': 'ongoing (forensic analysis completed by Arete; '
'further details pending)',
'motivation': 'financial (ransomware)',
'post_incident_analysis': {'root_causes': 'successful social engineering '
'attack on an employee'},
'ransomware': {'data_encryption': True,
'data_exfiltration': '75 GB (claimed by Interlock)'},
'references': [{'source': 'Comparitech'},
{'source': 'Madison Elementary School District 38 notification '
'letter'},
{'source': 'Arete emergency purchase order'}],
'response': {'communication_strategy': 'public notification and offer of free '
'IDX identity protection services',
'incident_response_plan_activated': True,
'third_party_assistance': ['Arete (forensic analysis)']},
'stakeholder_advisories': 'notification letters sent to 35,000 affected '
'individuals',
'threat_actor': 'Interlock',
'title': 'Madison Elementary School District 38 Ransomware Attack and Data '
'Breach',
'type': ['ransomware', 'data breach']}