Prince George’s school district says 2023 ransomware attack impacted over 215,000 staff and students

Prince George’s County Public Schools said a significant ransomware attack it suffered last year impacted more than 215,000 staff members and students.

 

The public school district, located in Prince George’s County in the U.S. state of Maryland, announced last year that it experienced a cyber security incident that caused temporary disruption to certain operations.

 

After discovering the incident, the school district initiated an investigation with outside forensic specialists to understand the nature and scope of the incident and to restore all affected operations.

 

The investigation, which concluded recently, revealed that unauthorised actors gained access to the school district’s computer systems between August 3, 2023 and August 14, 2023 and accessed or acquired the personally identifiable information of staff and students.

 

“The information present in the files that may have been viewed or acquired as a result of this incident varies per person, and includes individuals’ name, medical information, health insurance information, Social Security number, driver’s license number, financial account number, and passport number," Prince George’s County Public Schools said.

 

While the school district initially refrained from announcing the number of impacted employees, job applicants and students, in a notice of data security incident filed on February 16 with the Office of the Maine Attorney General, it said it had identified 99,543 individuals who were impacted by the data breach.

 

In another filing with the state regulator, the school district said that it identified another 117,785 individuals who were impacted by the security incident, adding that the breach occurred in March last year but was discovered in August.

 

“We treat our responsibility to safeguard the information entrusted to us as an utmost priority. As such, we responded immediately to this incident and have been working diligently to provide you with an accurate and complete notice of the incident. We have also implemented additional processes and procedures to help prevent similar incidents from occurring in the future,” it said.

 

While the school district did not find any evidence of the compromised data being misused, the possibility for the same cannot be ruled out. It has urged all affected individuals to remain vigilant, review their credit reports and financial statements on a regular basis, and report suspicious transactions to relevant law enforcement authorities.

 

The school district is also offering one year of complimentary credit monitoring and identity theft protection services through Experian, to all the individuals affected by the data security incident.

 

On August 25, the infamous Rhysida ransomware group claimed responsibility for the cyber attack on the school district and listed it as a victim on its data leak site. The group gave the school a deadline of six day to meet its ransom demand of 15 Bitcoin or roughly $390,000.

 

Acknowledging the reports of the data leak, the district said, “We have learned that some personal information may be released online by those responsible for the cyber attack. While we now know that this may include identification details, we do not yet know the full extent of information relating to you, or to others, that may be affected.

 

“We are taking steps to perform a detailed review of all data that may have been compromised to identify any sensitive information impacted by this event. Once this work is complete, we will move as quickly as possible to notify those whose information may be affected.

 

“With the detailed data review expected to take several weeks, we will offer all staff and students access to free credit monitoring and identity protection services through Experian to help guard against potential misuse of personal information. Enrollment information is forthcoming,” it added.