Minneapolis Public Schools cyberattack: What to know and how to protect your data

The district has not specified exactly what information was accessed, but there are steps people can take to protect their information.

March 9, 2023 at 11:07PM
Minneapolis schools officials have described the incident as an “encryption event” by a “threat actor.” (AP/The Minnesota Star Tribune)

Minneapolis Public Schools suffered a cyberattack last month that temporarily disabled some district technology and led to a data breach that appears to have revealed some personal information online this week. But details of what happened are still scarce.

Here's what we know — and don't know — about the breach and what you can do to protect yourself or your child if you are affected.

What has the school district said about the breach?

MPS has described the incident as an "encryption event" by a "threat actor."

The district issued a news release Feb. 21 saying it "recently began experiencing technical difficulties affecting the operability of certain computer systems." Students were not in school buildings Feb. 22-24 because of a snowstorm, and the district said the technical issues would not affect e-learning activities.

In an update Feb. 24, the district began referring to the tech troubles as an "encryption event" and encouraged people to change passwords for personal accounts that may have been accessed on district devices, saying that was "a best practice and out of an abundance of caution." At that time, the district said it had "no evidence that personal information was compromised as a result of this event."

On March 1, the district said it still had "not found any evidence that any data accessed has been used to commit fraud" but was working with law enforcement, outside forensic investigators and legal counsel. It warned people to be wary of possible phishing attempts and scams and monitor financial accounts.

The district notified families Tuesday that a "threat actor" claimed responsibility for the "encryption event" and "apparently posted online some of the data they accessed from MPS." That was reported to law enforcement and the district said it was working to have the online information removed. It again said families should be cautious about potential scams and recommended changing passwords.

On Thursday, the district said it was reviewing the data that may have been accessed and said, "This will take some time and individuals will be contacted directly by MPS if this review indicates personal information has been impacted."

District officials have declined several requests for interviews and declined to answer questions that would explain further.

Has anyone claimed responsibility for the breach?

A ransomware group called Medusa has claimed responsibility, without specifying motive, and demanded $1 million to delete the data, according to news sites that cover cybersecurity.

What types of data were accessed?

It is still unclear what, exactly, was accessed. The district has declined to say.

A 51-minute video posted online — but since removed — showed screenshots of a wide variety of information, including spreadsheets that appeared to list student names and addresses, disciplinary information and forms that could contain sensitive employee information, like W-2s. Other images appear to show lesson plans, enrollment projections and district forms and policy documents.

What is the district doing in response to the breach?

The district said March 1 that it had not paid any ransom.

In earlier communications about the "encryption event," the district said it has worked with third-party IT contractors to investigate, monitor and restore its systems. Some of those efforts include "advanced endpoint detection" tools that the district likened to a virus alert system, updated passwords and additional multifactor authentication.

The district said Thursday that people "whose legally protected personal information has been accessed will be provided with free credit monitoring and identity protection services."

Online security experts have said school districts have increasingly become targets of these kinds of cyberattacks.

Are any government agencies investigating the breach?

Minneapolis Public Schools has said the issues have been reported to law enforcement, but it has not said which agencies.

A spokesperson declined to say anything more about third-party investigators or contractors involved in investigations.

What can I do to protect myself or my children from identity theft?

There are several steps you can take to prevent criminals from using your personal information.

  • Change any passwords associated with Minneapolis Public Schools websites. If you used the same password on other websites, change those as well. Create entirely new passwords rather than changing the old one slightly, and don't reuse passwords on multiple websites. You can use a random password generator to create a complex, highly secure new password. Use a secure password manager, such as 1Password, to store your passwords so you don't need to remember them. Writing down your passwords and storing them in a secure location is also a good way to save them.
  • Use multifactor authentication whenever possible to log in to personal accounts. This requires additional steps to confirm your identity before you can access your account.
  • Regularly monitor your credit reports for new accounts that you didn't open. You can request a free annual credit report from annualcreditreport.com.
  • Freeze your credit files, as well as those of your child. This will prevent someone from using your name or your child's name to open a credit account or utility service. Find information about freezing your credit for free at the following sites: Equifax, Experian, Innovis, TransUnion, and the National Consumer Telecommunications and Utilities Exchange.

You can find more information on how to prevent identity theft at usa.gov/identity-theft. This Federal Trade Commission website offers information specifically about protecting children from identity theft.

What signs should I look for to know if my or my child's identity has been stolen?

  • A new account that you did not open appears on your credit report.
  • You are turned down for government benefits because your Social Security number, or that of your child, is already being used.
  • You receive a call or letter from a debt collector about overdue bills for an account you did not open.
  • You receive a letter from the IRS saying your child has not paid taxes. This could happen if someone uses your child's personal information on tax forms. The IRS will generally contact you by mail first about any issues. Be wary of any phone calls purporting to come from the IRS if you have not received a letter.
  • You are denied a student loan because of your child's bad credit. This could happen if someone opens accounts with your child's personal information and does not pay the bills.

What should I do if my/my child's identity has been stolen?

You can create an account and report the theft to the Federal Trade Commission at identitytheft.gov and follow the steps to create a recovery plan.

about the writers

Mara Klecker

Reporter

Mara Klecker covers suburban K-12 education for the Star Tribune.

Matt DeLong

Audience editor

Matt DeLong is an editor on the Minnesota Star Tribune's audience team. He writes Nuggets, a free, weekly email newsletter about legal cannabis in Minnesota. DeLong also oversees the Minnesota Poll and has written numerous reader-focused guides and FAQ articles on a wide range of topics.
