IE 11 is not supported. For an optimal experience visit our site on another browser.

Students’ psychological reports, abuse allegations leaked by ransomware hackers

The leak is a stark reminder of the reams of sensitive information held by schools and that such leaks often leave parents and administrators with little recourse.
Photo Illustration: A child wearing a backpack stands in front of a wall of code representing leaked data
Hackers have leaked thousands of files that appear to have come from Minneapolis Public Schools.Justine Goode / NBC News; Getty Images

Hackers who broke into the Minneapolis Public Schools earlier this year have circulated an enormous cache of files that appear to include highly sensitive documents on schoolchildren and teachers, including allegations of teacher abuse and students’ psychological reports.

The files appeared online in March after the school district announced that it had been the victim of a ransomware cyberattack. NBC News was able to download the cache of documents and reviewed about 500 files. Some were printed on school letterheads. Many were listed in folder sets named after Minneapolis schools. 

NBC News was able to view the leaked files after downloading them from links posted to the hacker group’s Telegram account. NBC News has not verified the authenticity of the cache, which totals about 200,000 files, and Minneapolis Public Schools declined to answer specific questions about the documents, instead pointing to its previous public statements

The files reviewed by NBC News include everything from relatively benign data like contact information to far more sensitive information including descriptions of students’ behavioral problems and teachers’ Social Security numbers. 

In addition to leaking the documents, the hacking group appeared to go a step further, posting about the documents on Twitter and Facebook as well as on a website, which hosted a video that opens with an animated short of a flaming motorcycle, followed by 50 minutes of screengrabs of the stolen files. NBC News is not naming the group.

It’s a stark reminder that schools often hold reams of sensitive information, and that such leaks often leave parents and administrators with little recourse once their information is released.

“The fact of the matter is, school districts really should be treating this more like nuclear waste, where they need to identify it and contain it and make sure that access to it is restricted,” said Doug Levin, the director of the K12 Security Information Exchange, a nonprofit that helps schools protect themselves from hackers. “Organizations that are supposed to be helping to uplift children and prepare them for the future could instead be introducing significant headwinds to their lives just for participating in public school.”

School districts really should be treating this more like nuclear waste.

— Doug Levin, the director of the K12 Security Information Exchange

In an update published to the Minneapolis Public Schools website on April 11, Interim Superintendent Rochelle Cox said the school district was working with “external specialists and law enforcement to review the data” that was posted online. Cox also said the district was reaching out to individuals whose information had been found in the leak. Cox also warned about reports that people had received messages telling them their information had been leaked.

“This week, we’re seeing an uptick in reports of messages — sometimes multiple messages — sent to people in our community stating something like ‘your social security number has been posted on the dark web,’” Cox wrote. “First — I want to remind everyone to NOT interact with such messages unless you KNOW the sender.”

Cybersecurity experts who are familiar with the leak have said it is among the worst they can remember.

“It’s awful. As bad as I’ve seen,” Brett Callow, an analyst who tracks ransomware attacks for the cybersecurity company Emsisoft, said about the breach.

Ransomware attacks on schools, which often end with the hackers releasing sensitive information, have become frequent across the U.S. since 2015. 

At least 122 public school districts in the U.S. have been hit with ransomware since 2021, Callow said, with more than half — 76 — resulting in the hackers leaking sensitive school and student data.

In such cases, districts often provide parents and students with identity theft protection services, though it’s impossible for them to keep the files from being shared after they’re posted.

The leak has left some Minneapolis parents wondering what to do next.

“I feel like my hands are tied and I feel like the information that the district is giving us is just very limited,” said Heather Paulson, who teaches high school in the district and is the mother of a younger child who attends school in Minneapolis.

Lydia Kauppi, a parent of a student in the district, said it’s unsettling to know that her family’s private information may have been shared by hackers.

“It causes anxiety on multiple, multiple fronts for everybody involved,” she said. “And it’s just kind of one of those weird, vague, unsettling feelings, because you just don’t know how long do I have to worry about it?”

Minneapolis Public Schools, which oversees around 30,000 students across 68 schools, said on April 11 it was continuing to notify people who had been affected by the breach, and that it was offering free credit monitoring and identity theft protection services to victims.

Ransomware hackers have drastically escalated their tactics in recent years, increasing how much they ask for and launching efforts to pressure schools to pay up — including by contacting people whose information has been leaked. The group that hacked the Minneapolis schools publicly demanded $1 million. The district announced in March that it had not paid, and ransomware gangs usually only leak large datasets of victims who refuse to pay.

Since last year, various criminal hacker groups have leaked troves of files on some of the largest school districts in the country, including in Los Angeles and Chicago

The leaked Minneapolis files appear to include dossiers on hundreds of children with special needs, identifying each by name, birthday and school. Those dossiers often include pages of details about students, including problems at home like divorcing or incarcerated parents, conditions like attention deficit disorder, documented indications where they appear to have been injured, results of intelligence tests and what medications they take.

Other files include databases of instances where teachers have written up students for behavioral issues, sorted by school, student ID number, behavioral issue and the students’ race. 

The leaked files also include hundreds of forms documenting times when faculty learned that a student had been potentially mistreated. Most of those are allegations that a student had suffered neglect or was physically harmed by a teacher or student. Some are extraordinarily sensitive and allege incidents like a student’s being sexually abused by a teacher or by another student. Each report names the victim and cites birthday and address.

In one report, a special education student claimed her bus driver groped her and made her touch him. Minnesota police later charged a man whose name matches the driver named in the report and the date of the incident.

Others describe a teacher accused of having had romantic relationships with two students. Another describes a student whom faculty suspected was the victim of female genital mutilation. NBC News was able to verify that faculty listed in those reports worked for Minneapolis schools but has not verified those reports.

Those files have been promoted online in what experts said is an unorthodox and particularly aggressive manner.

Many ransomware hacker groups create blogs on the dark web — sites that aren’t findable through search engines like Google and Bing — where they post files from victims who don’t pay.

The group behind the Minneapolis hack keeps such a blog, which is widely tracked by cybersecurity experts. But it also appears to maintain a more conventional website, registered in November, that posts “reviews” of each of its hacking exploits alongside news stories copied from other sites. The news site doesn’t review any other hackers’ leaks. Both websites point to the same social media accounts.

Posts on Twitter and Facebook bragging about the Minneapolis attack remained live on those social media accounts as of Monday morning. The posts direct people to the news website, which includes both a 50-minute video where the hackers show off the files and instructions on how visitors can download them.

“What’s unusual is the number of platforms this group uses to promote leaks, including Facebook and Twitter,” said Callow, the ransomware expert.

“And their use of video is, I believe, unique,” he said. “Gangs have shared videos privately with victims before, but this is the first time recordings of stolen data have been publicly shared.”

Paulson, the teacher and parent, said that she has taken some steps to prevent further harm but is out of ideas on what else she could do.

“I froze my credit, my son’s credit,” she said. “And more than that, I’ve just been watching and hoping that nothing is going to happen.