A ransomware attack in early September 2025, claimed by the Russian cybercrime group Qilin, disrupted operations at Mecklenburg County Public Schools (MCPS) in Virginia. The attack forced teachers offline, halting digital instruction and leaving them reliant on manual methods like pen, paper, and whiteboards. Systems were restored after about a week, but the gang claimed to have stolen 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. Sample images of the stolen data were published online, though the full extent of the breach remains under investigation. Superintendent Scott Worner confirmed the attack but ruled out ransom payment, emphasizing the need for cybersecurity preparedness. The incident highlights the growing threat to educational institutions, with Qilin alone responsible for 103 confirmed ransomware attacks in 2025. The breach exposed staff and students to potential identity fraud and crippled critical operations like attendance, grading, payroll, and communication.
Source: https://www.infosecurity-magazine.com/news/qilin-ransomware-mecklenburg/
TPRM report: https://www.rankiteo.com/company/mecklenburg-county-public-schools
{
  "id": "mec1492414100725",
  "linkid": "mecklenburg-county-public-schools",
  "type": "Ransomware",
  "date": "9/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
    'affected_entities': [
        {
            'customers_affected': ['students', 'teachers', 'staff', 'families'],
            'industry': 'education (K-12)',
            'location': 'Mecklenburg County, Virginia, USA',
            'name': 'Mecklenburg County Public Schools (MCPS)',
            'type': 'public school district'
        }
    ],
    'attack_vector': 'phishing emails',
    'customer_advisories': [
        'Families alerted to cybersecurity incident on 2025-09-02',
        'No specific guidance provided to affected individuals yet (investigation ongoing)'
    ],
    'data_breach': {
        'data_encryption': 'yes (files encrypted as part of ransomware attack)',
        'data_exfiltration': 'yes (305 GB of data claimed stolen)',
        'personally_identifiable_information': 'likely (medical files and financial records may contain PII)',
        'sensitivity_of_data': 'high (includes medical and financial records)',
        'type_of_data_compromised': [
            'financial records',
            'grant documents',
            'budgets',
            'medical files (children)',
            'potentially personally identifiable information (PII)'
        ]
    },
    'date_detected': '2025-09-02',
    'date_publicly_disclosed': '2025-09-02',
    'description': "A ransomware attack disrupted operations at Mecklenburg County Public Schools (MCPS) in early September 2025. The Russian cybercrime group Qilin claimed responsibility, stating it stole 305 GB of sensitive data, including financial records, grant documents, budgets, and children’s medical files. The attack forced teachers offline, relying on pen, paper, and whiteboards for instruction. Internet systems were restored about a week later. Qilin published sample images online, allegedly from the stolen files. Superintendent Scott Worner confirmed the group's involvement but stated no ransom payment would be made pending further investigation. The incident highlights the growing threat of ransomware in the education sector, with Qilin targeting multiple institutions in 2025.",
    'impact': {
        'brand_reputation_impact': "high (public disclosure of breach, potential loss of trust in district's cybersecurity)",
        'data_compromised': [
            'financial records',
            'grant documents',
            'budgets',
            'children’s medical files'
        ],
        'downtime': '1 week (internet systems)',
        'identity_theft_risk': 'high (exposure of staff and student data)',
        'operational_impact': [
            'disruption of digital instruction',
            'reliance on manual methods (pen, paper, whiteboards)',
            'potential identity fraud risk for staff and students'
        ],
        'systems_affected': [
            'internet systems',
            'teaching tools (digital)',
            'communication systems',
            'attendance systems',
            'grading systems',
            'payroll systems'
        ]
    },
    'initial_access_broker': {
        'data_sold_on_dark_web': 'partial (sample images published online; full data may be sold or leaked)',
        'entry_point': 'phishing emails (likely initial access vector for Qilin)',
        'high_value_targets': ['financial records', 'grant documents', 'medical files']
    },
    'investigation_status': 'ongoing (district assessing extent of breach and encrypted/stolen files)',
    'lessons_learned': [
        "Cybersecurity preparedness is critical ('It’s not if. It’s when.')",
        'Importance of up-to-date cybersecurity insurance coverage',
        'Education sector is a frequent target for ransomware groups like Qilin',
        'Manual backup plans (e.g., pen/paper) are essential for operational continuity during outages'
    ],
    'motivation': ['financial gain', 'data theft'],
    'ransomware': {
        'data_encryption': 'yes',
        'data_exfiltration': 'yes (double extortion: data stolen and encrypted)',
        'ransom_paid': 'no (district stated no intention to pay)',
        'ransomware_strain': 'Qilin'
    },
    'recommendations': [
        'Ensure cybersecurity insurance coverage is comprehensive and up to date',
        'Implement robust phishing defenses (Qilin primarily uses phishing emails)',
        'Prepare incident response plans tailored to ransomware attacks',
        'Conduct regular backups and test restoration procedures',
        'Educate staff and students on cybersecurity best practices',
        'Monitor dark web for stolen data leaks',
        'Collaborate with other districts to share threat intelligence'
    ],
    'references': [
        {'source': 'Comparitech'},
        {'source': "ICO (Information Commissioner's Office) Warning on Student-Led Data Breaches"},
        {'date_accessed': '2025-09-02',
         'source': 'Mecklenburg County Public Schools (MCPS) Public Alert'}
    ],
    'response': {
        'communication_strategy': [
            'public alert to families on 2025-09-02',
            "superintendent's statement urging cybersecurity preparedness"
        ],
        'containment_measures': [
            'isolation of affected systems',
            'restoration of internet services within a week'
        ],
        'incident_response_plan_activated': 'yes (superintendent confirmed investigation ongoing)',
        'recovery_measures': [
            'restoration of internet systems',
            'assessment of encrypted/stolen files'
        ]
    },
    'stakeholder_advisories': [
        'Superintendent Scott Worner urged other districts to prepare for cyber threats',
        'Recommended reviewing cybersecurity insurance coverage'
    ],
    'threat_actor': 'Qilin (Russian cybercrime group)',
    'title': 'Ransomware Attack on Mecklenburg County Public Schools (MCPS) by Qilin Group',
    'type': ['ransomware', 'data breach', 'cyberattack']
}