Why a New Brand of Cyberattack on Las Vegas Schools Should Worry Everyone

Infamously weak student passwords, a TikTok disclosure, parent threats and media leaks fueled a massive hack on America’s fifth-largest district.

Eamonn Fitzmaurice/The 74/iStock

It was a Thursday morning when Brandi Hecht, a mother of three from Las Vegas, woke up to an alarming email from a student in another state whom she’d never met.

“I’m so sorry to tell you this but unfortunately your private information has been leaked,” read the email, sent to Hecht in the middle of the night Oct. 25 from an account tied to a school district in California. Attached were PDFs with personal information about her daughters including their names, photographs and the home address where they’d just spent the night asleep.

“Be careful out there,” the cryptic message warned. “Don’t shoot the messenger!”

Some 200,000 similar student profiles had been leaked, the email claimed, following a recent cyberattack on Clark County School District, the nation’s fifth-largest district and where Hecht’s three daughters are enrolled. But the message, she’d soon learn, was not from a California student but from the student’s email account, which had also been compromised. An unidentified, publicity-hungry hacker was using it as a “burner” account to brazenly extort Clark County schools by frightening district parents directly.

“I put my child on the bus and then immediately called the district,” Hecht told The 74. “I called the school, they transferred me to the district, the district transferred me to their IT department, who then transferred me to the help desk. I have yet to hear anything back.”

The Clark County threat actors claim their in-your-face tactics, which apparently involve direct outreach not just to parents but also to media outlets, are already being used against at least one other district. Also distinct from other recent K-12 ransomware attacks, including high-profile incidents in Los Angeles and Minneapolis, the Vegas school district hackers claimed to use weak passwords — in this case students’ dates of birth — and flimsy Google Workspace file-sharing practices. Deploying those relatively low-tech incursions allowed them to gain access to reams of sensitive files, including students’ special education records.

Schools nationwide rely heavily on Google Workspace to create and share records, and the methods the hacker used to exploit district systems, a cybersecurity expert said, offer valuable lessons for all of them.

“This is not going to qualify as sophisticated hacking,” said Doug Levin, the national director of the K12 Cybersecurity Information eXchange, and is perhaps a sort of brand-building exercise. “Given that they reached out to the media” and have demanded payments smaller than those typically leveraged by ransomware gangs, “it seems they may be more interested in publicity and reputation than they are money.”

Las Vegas parent Brandi Hecht received this email with PDFs that contained sensitive information about her children purportedly stolen in a cyberattack on the Clark County School District. (Screenshot courtesy Brandi Hecht)

For Las Vegas educators, the hack has already brought significant consequences, including a class-action lawsuit and to resign. 

Clark County school leaders on Oct. 16 that they became aware of a “cybersecurity incident” on Oct. 5, noting in that it was “cooperating with the FBI as they investigate the incident” and that such attacks against schools have become routine. “Rest assured that we will share information as it becomes available so everyone is informed and can respond to protect personal information.”

When contacted by The 74, a Clark County spokesperson declined to comment further and shared a copy of the district’s previous statement.

Yet as Hecht and others accuse the district of failing to inform parents about the extent of records stolen, much of the information being revealed about the data breach has come from the threat actor themselves, including taunts that they were still in Clark County’s computer systems. In two follow-up emails shared with The 74, Hecht was sent web links that purportedly included troves of sensitive information about students including disciplinary records and test scores.

In an Oct. 26 message to Hecht, threat actors this time used a Clark County student’s email address “to show how much of a joke their IT security is and to show how seriously they are taking this.”

Beyond outreach to parents, the hacker — which could be one or multiple people — on Oct. 25 without solicitation, first communicating with a reporter via Facebook. Identifying themselves as “SingularityMD (the hacker team),” the threat actor disputed Clark County’s statement that it had detected “a security issue” on its own and that district leaders had only become aware after the hackers sent an email “to tell them we had been in their network for a few months.”

A hack with TikTok origins

Perhaps between the hacker and a cybersecurity researcher at the blog DataBreaches.net, where the threat actor divulged their techniques and offered advice on how other districts can protect themselves. 

In recent years, cybercriminals have gravitated toward “double-extortion ransomware” schemes, where they gain access to a victim’s computer network, often through a download compromising records and lock the files with an encryption key. Criminals then demand the victim pay a ransom to unlock the files and stop them from being posted online. Yet in this case, the threat actors appear to have skipped past the first part and are employing an extortion strategy that centers exclusively on holding students’ sensitive information hostage.

For years, the 325,000-student Clark County district, whose systems were also breached in 2020, has reportedly reset all students’ passwords to their birth date at the beginning of each academic year. Using a student’s date of birth as a password has . In the case of Las Vegas schools, hackers claim the breach began on TikTok, where a student shared their birth date. The student used their district email address to create a TikTok account and their student ID became their username on the social media platform.

Once the hacker used that information to compromise the student’s account, they claim to have exploited poor data-sharing practices in the district’s Google Workspace to access the sensitive files. The compromised account was used to access information available to any student, which in turn offered records that allowed the hacker to escalate the breach until they were able to access administrative files.

“Google groups and google drives, if not configured correctly will expose teachers and staff files and conversations,” the hacker told DataBreaches.net. “In rare instances teachers have created shared drives and given the google group access to this drive. So if one was to add themselves to the group, they can then also access the drive contents. Nothing fancy at all.”
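The misconfiguration described above (a shared drive granted to a Google group that anyone can add themselves to) can be checked from an inventory of groups and drive grants. The sketch below is an added example, not code from the article or from Google: the inventory is constructed, the field names are hypothetical, and the join-policy strings follow the `whoCanJoin` values of Google's Groups Settings API. It also follows nested groups, a case the article does not discuss.

```python
# Join policies under which a user can add themselves to a group.
SELF_JOIN = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}

# Constructed inventory (not real district data). "member_groups" lists
# groups that are themselves members of the group, i.e. nested groups.
GROUPS = {
    "all-staff@district.example": {"who_can_join": "INVITED_CAN_JOIN",
                                   "member_groups": ["grade5-team@district.example"]},
    "grade5-team@district.example": {"who_can_join": "ALL_IN_DOMAIN_CAN_JOIN",
                                     "member_groups": []},
    "sped-staff@district.example": {"who_can_join": "INVITED_CAN_JOIN",
                                    "member_groups": []},
    "robotics-club@district.example": {"who_can_join": "ALL_IN_DOMAIN_CAN_JOIN",
                                       "member_groups": []},
}
DRIVES = [
    {"name": "IEP Records", "sensitive": True,
     "grants": [("sped-staff@district.example", "reader")]},
    {"name": "Staff Discipline Logs", "sensitive": True,
     "grants": [("all-staff@district.example", "writer")]},
    {"name": "Robotics Club", "sensitive": False,
     "grants": [("robotics-club@district.example", "writer")]},
]

def self_join_path(group, groups, seen=None):
    """Return the chain from `group` down to a self-joinable group, or None."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:  # cycle or unknown group
        return None
    seen.add(group)
    if groups[group]["who_can_join"] in SELF_JOIN:
        return [group]
    for child in groups[group]["member_groups"]:
        tail = self_join_path(child, groups, seen)
        if tail:
            return [group] + tail
    return None

def audit(drives, groups):
    """Flag sensitive drives reachable by joining a group without approval."""
    findings = []
    for drive in drives:
        if not drive["sensitive"]:
            continue
        for group, role in drive["grants"]:
            path = self_join_path(group, groups)
            if path:
                findings.append((drive["name"], role, path))
    return findings
```

Each finding names the drive, the role granted, and the group chain a student account would inherit access through, which is where the join policy or the grant needs tightening.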

Schools are particularly easy targets because so many students have access to a district’s computer network, the hacker noted, with a word of advice: “I would recommend school districts separate the student network from the teacher network to make this process harder for teams like us.”

The same technique, , was used recently to compromise records maintained by Jeffco Public Schools in suburban Denver. In Nevada, SingularityMD says it demanded a ransom of roughly $100,000 versus just $15,000 from the 77,000-student Colorado district.

Federal law enforcement officials generally advise cybersecurity victims against paying ransoms, which can embolden hackers and spur future attacks. In the last year, ransomware attacks against the , according to a recent report by the nonprofit Institute for Security and Technology, which observed an uptick in incidents immediately after hackers succeeded in securing payments. 

Levin said the hacker’s breach methods should set off alarm bells for educators nationwide, with “virtually every school in the U.S.” relying on cloud-based suites, like Google Workspace, to create and share content internally, with parents and with the public.

“It’s very easy to overshare information and grant rights for people who shouldn’t be able to see this information,” Levin said. “That’s what it looks like happened in Clark County is they got access to some student accounts, found some shared folders and in the shared folders was more sensitive information that allowed them to escalate privileges and get to even more sensitive information.”

Google spokesperson Ross Richendrfer said in an email that as districts become “a top target” for cybercriminals, “there’s not just one way that attackers attempt to infiltrate schools.” This particular incident, he said, was “the result of compromised passwords and configuration issues at the user/admin level.”

He pointed to the company’s , which notes that while Google products “are built secure by default, it is critical that admins also properly use and configure networks and systems to ensure security.” The guidance also recommends that districts train teachers and staff on best practices around file sharing.

In response to an email request, a Jeffco Public Schools spokesperson shared acknowledging the breach, which noted that staff members had received “alarming email messages from an external cybersecurity threat actor.” The district is working with outside cybersecurity experts and the police to determine the scope and credibility of the attack.

With respect to the emails from the California student, it appears the hacker used a compromised account associated with the roughly 4,440-student Coalinga-Huron Unified School District in Fresno County merely to communicate with other victims. The threat actor said that compromised student email addresses are used as “burner accounts” when they are not useful in escalating permissions beyond the student level.

Still, the district has conducted an assessment of its systems to ensure that it also hasn’t become the victim of a data breach, Superintendent Lori Villanueva told The 74. She said the student’s email address was used to send four emails, which were then deleted.

“We canceled that email account, we set up a new one for the student, and we’re just running our own diagnostics to make sure there was no other unusual activity,” Villanueva said. Allowing students to choose their own passwords can have drawbacks, she said, if they settle on weak credentials. “My people have been in contact with the Clark County school district and are trying to cooperate with them as much as we can but we’re really limited to that one tiny piece of information.”

Never before had she experienced an incident where a student’s email address was compromised and exploited in such a major way, she said.

“Nothing this widespread, nothing in another state, nothing this big,” she said. “For our little neck of the woods here, this was a little crazy.”

Reputational damage

For Hecht, the Las Vegas mom, the cyberattack in Clark County is deeply personal. In fact, she has a hypothesis about why she, in particular, received direct communication from the hackers. 

In 2021, of numerous news reports when she contracted COVID and never recovered. 

“The only thing I can think of is somebody knows that I’m not quiet, that I will talk,” she said. If the hacker’s goal was to get Hecht fired up, it worked. The district, she said, needs to be held accountable for a failure to protect her children. Still, she said she hasn’t been able to get any answers from school administrators.

“I’ve emailed the superintendent and I just continue to call that helpline,” she said. “Nothing. Nobody has responded. I can’t even get through, it just rings and rings and rings. To me, that tells me there are so many parents calling.”

Hecht said she has since retained a lawyer, and a pair of other parents have already filed a class-action lawsuit against the district. The Oct. 31 complaint accuses Clark County schools of negligence, particularly in the wake of the 2020 ransomware attack. The lawsuit alleges the district has refused “to fully disclose any details of the attack and what data were accessed and were available for third parties to exploit.”

“We think the district should be held accountable for their failures and ideally they will be able to make a more secure network in the future and anyone who has been subject to these data breaches will get the proper identity protection provided by the district at a minimum,” attorney Steve Hackett, who represents the families, told The 74.

Among those calling for Superintendent Jara to resign is Nevada Assembly Speaker Steve Yeager, who with nontransparency.

In an email, a district spokesperson said that individuals found to be affected by the breach will receive data breach notifications in the mail and declined to comment on whether it had, or planned to, pay the ransom. The after the 2020 breach led hackers to release Social Security numbers, student grades and other private information. 

“As the investigation continues, we are committed to cooperating with agencies responsible for finding the responsible party and holding them accountable,” the statement said.

The district also offered a sharp rebuttal to calls for Jara’s resignation, specifically referring to with the local teachers union: “Superintendent Jara will remain superintendent as long as the Board of Trustees desires him to do so,” the statement continued. “No bullying pressure, harassment or coordination with the leadership of the Clark County Education Association will deter him from his job to educate over 300,000 students and protect taxpayer resources from those who wish to harm the district or its finances.”

Hecht said the release of sensitive files, like medical records and special education reports, is particularly concerning, with implications extending far beyond those of Social Security numbers and financial records. She offered a message of her own directly to the hackers. 

“It worries me because this stuff is going to follow them for life,” she said. “Look, I know that our district is not great, but if you’re going to go against the district, don’t take our kids down with you. They did nothing wrong.”
