Minneapolis Public Schools

In February 2023, Minneapolis Public Schools fell victim to a **ransomware attack** by the **Medusa gang**, which encrypted district files and exfiltrated highly sensitive data—including student records on **sexual misconduct, child abuse inquiries, mental health crises, and suspension reports**, as well as educator financial data. The attackers initially demanded **$4.5 million in bitcoin**, later reducing it to **$1 million** before leaking the data publicly when the district refused to pay. The breach exposed **105,617 individuals**, with victims experiencing **financial fraud** (e.g., $26,000 stolen from an educator’s account) and **direct threats** from the hackers via social media. The district delayed notifying affected parties for **seven months**, citing investigative integrity, while hiring high-cost cybersecurity lawyers ($370/hour) and forensic firms to manage the crisis. The attack disrupted operations, compromised trust, and revealed systemic failures in transparency, with officials initially downplaying the incident as an 'encryption event' despite FBI reports confirming data theft.

Source: https://www.the74million.org/article/kept-in-the-dark-inside-the-minneapolis-schools-cyberattack/

TPRM report: https://www.rankiteo.com/company/minneapolis-public-schools

"id": "min5650156102725",
"linkid": "minneapolis-public-schools",
"type": "Ransomware",
"date": "2/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '105,617',
                        'industry': 'Education',
                        'location': 'Minneapolis, Minnesota, USA',
                        'name': 'Minneapolis Public Schools',
                        'type': 'K-12 School District'}],
 'customer_advisories': 'Delayed by 7 months; 105,617 individuals notified via '
                        'letter in September 2023.',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['documents',
                                        'reports',
                                        'personal records'],
                 'number_of_records_exposed': '105,617',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (confidential student/educator '
                                        'records, PII, financial data)',
                 'type_of_data_compromised': ['student records (sexual '
                                              'misconduct, child abuse '
                                              'inquiries, mental health '
                                              'crises, suspensions)',
                                              'educator records',
                                              'personal/financial data (e.g., '
                                              'bank account access)']},
 'date_detected': '2023-02-17',
 'date_publicly_disclosed': '2023-02-24',
 'description': 'A ransomware attack by the Medusa gang disrupted Minneapolis '
                "Public Schools' computer network on February 17, 2023, "
                'encrypting files and exfiltrating sensitive student and '
                "educator data. The attack involved a 'double-extortion' "
                'scheme, where the gang threatened to publish stolen data '
                'unless a ransom was paid. Initially, the district downplayed '
                'the severity, claiming no personal information was '
                'compromised, but later admitted to a massive breach affecting '
                'over 105,000 individuals. Sensitive records, including sexual '
                'misconduct cases, child abuse inquiries, and mental health '
                'crises, were leaked online after the district refused to pay '
                'the ransom (reduced from $4.5M to $1M). Notification to '
                'victims was delayed by seven months, and the district relied '
                'heavily on cyber insurance, legal counsel, and third-party '
                'forensics firms to manage the incident.',
 'impact': {'brand_reputation_impact': True,
            'customer_complaints': True,
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': True,
            'legal_liabilities': ['potential fines', 'regulatory proceedings'],
            'operational_impact': True,
            'payment_information_risk': True,
            'systems_affected': ['computer network', 'student/educator files']},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['student mental health '
                                                  'records',
                                                  'abuse inquiries',
                                                  'financial data']},
 'investigation_status': 'Completed (forensic analysis by Tracepoint; legal '
                         'review by Mullen Coughlin)',
 'lessons_learned': ['Transparency delays erode trust; timely notification is '
                     'critical.',
                     'Over-reliance on legal/insurance advice may hinder '
                     'public communication.',
                     'Double-extortion ransomware requires proactive data '
                     'protection and incident response planning.',
                     'Sensitive educational data (e.g., mental health, abuse '
                     'records) requires heightened safeguards.'],
 'motivation': ['financial gain', 'data extortion'],
 'post_incident_analysis': {'corrective_actions': ['Hired third-party '
                                                   'forensics (Tracepoint) and '
                                                   'legal (Mullen Coughlin) '
                                                   'for investigation.',
                                                   'Reviewed incident response '
                                                   'plan (per insurance policy '
                                                   'requirements).',
                                                   'State-mandated cyberattack '
                                                   'reporting (effective Dec. '
                                                   '1, 2024, though '
                                                   'anonymized).'],
                            'root_causes': ['Inadequate network segmentation '
                                            'or access controls for sensitive '
                                            'data.',
                                            'Delayed or opaque communication '
                                            'strategies prioritizing '
                                            'legal/insurance interests over '
                                            'transparency.',
                                            'Lack of real-time monitoring to '
                                            'detect exfiltration early.',
                                            'Potential vulnerabilities in '
                                            'third-party vendor or insider '
                                            'access.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$4.5 million (initial) / $1 million '
                                   '(final)',
                'ransomware_strain': 'Medusa'},
 'recommendations': ['Implement stricter data access controls and encryption '
                     'for sensitive records.',
                     'Develop clear, victim-centric communication protocols '
                     'for breaches.',
                     'Review cyber insurance policies for transparency vs. '
                     'legal privilege trade-offs.',
                     'Conduct regular third-party audits of incident response '
                     'plans.',
                     'Train staff on recognizing phishing/initial access '
                     'vectors to prevent future attacks.'],
 'references': [{'source': "The 74 - 'Kept in the Dark' Investigation"},
                {'source': 'FBI Report (via The 74 public records request)'},
                {'source': 'Maine Attorney General Breach Notice (September '
                           '2023)'},
                {'source': 'Medusa Ransomware Leak Site'}],
 'regulatory_compliance': {'regulatory_notifications': ['Maine Attorney '
                                                        'General (breach '
                                                        'notice)',
                                                        'FBI']},
 'response': {'communication_strategy': ['minimal disclosure',
                                         'delayed victim notification',
                                         'privileged investigation'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'third_party_assistance': ['Mullen Coughlin (legal)',
                                         'Tracepoint (forensics)',
                                         'cyber insurance provider']},
 'stakeholder_advisories': ['FBI (February 21, 2023)',
                            'District email to families (February 24, 2023 - '
                            "vague 'encryption event')",
                            'Victim notification letters (September 2023)'],
 'threat_actor': 'Medusa ransomware gang',
 'title': 'Ransomware Attack on Minneapolis Public Schools by Medusa Gang',
 'type': ['ransomware', 'data breach', 'double extortion']}