7 months after cyberattack, Minneapolis Public Schools to start notifying 105K impacted people by mail

Nearly seven months after a ransomware attack resulted in thousands of people’s personal information being posted online, Minneapolis Public Schools says it is starting to notify those who were impacted via mail.

Minneapolis Public Schools (MPS) says it first learned of suspicious activity impacting its computer systems on Feb. 18. Two days later, the district abruptly canceled parent-teacher conferences that were scheduled for the following day, citing “technical difficulties.” However, the district said no data was lost.

At the end of that week, the district confirmed it was dealing with an encryption event and its staff and third-party specialists were working “around the clock” to investigate it. However, the district maintained that no personal information was compromised.

The following week, the district said data may have been accessed but the district hadn’t paid any ransom to those involved. Another week later, MPS said personal data was accessed and had been posted online and on March 17 the district said some data was released onto the dark web.

On Friday, MPS said its review of the incident determined the person behind the attack had access to the district’s systems between Feb. 6 and Feb. 18, and may have had access to people’s personal information, including names, addresses, birth dates, Social Security numbers, driver’s license numbers, financial account numbers, state student numbers, medical and health information and health insurance information.

“As a precautionary measure, impacted individuals are being offered free credit monitoring services, including information on how they can place a fraud alert on their credit file, place a security freeze on their credit file, and obtain a free credit report,” MPS said Friday.

The district added that it is now in the process of contacting the approximately 105,500 people who may have had their personal information exposed, with letters from the district scheduled to arrive within the next two weeks.

“This (review) process was time-intensive and required both computer-assisted and manual review. Although it has been difficult to not share more information sooner, the accuracy and the integrity of the review were essential,” the district said.

MPS added that it is now reviewing its information security policy and procedures and will conduct additional training.

“Thank you to everyone impacted for their patience as we’ve moved through this difficult incident,” Rochelle Cox, the interim MPS superintendent, said in a prepared statement. “We encourage those who receive notifications to read the letters thoroughly and take whatever steps are recommended to protect themselves and their important data. MPS is implementing additional safeguards to do the same.”