
Lancaster ISD confirms it was target of ransomware attack, after hackers dump sensitive information of 500 teachers to dark web

A hacking group known as "Grief" claims it has 9GB of the district's internal documents, as well as sensitive personal and customer data.

LANCASTER, Texas — The names, dates of birth, Social Security numbers and salary information for more than 500 Lancaster Independent School District teachers were posted on the dark web by a hacking group, according to records reviewed by WFAA-TV.

The highly sensitive information was among numerous records posted to the dark web, including banking statements, payment transactions, invoices from attorneys and other files belonging to the district.

Officials with Lancaster have confirmed the hack, but they have not confirmed the depth and scope of the ransomware attack.

WFAA has spoken to several teachers who said they were aware that there had been a ransomware attack but had no idea that their personal information had been posted to the dark web.

Several of the teachers audibly gasped when told what had been posted on the dark web. 

"(The district) just told us that we had to turn in our computers and that's about it," said one teacher. "We knew that they had been hacked and that the system would have to be rebuilt."

Other teachers who have left the district did not even know there had been a hack and said they had not been contacted by the district.

Officials with the district released a statement late Thursday night after WFAA reached out for comment. 

"Lancaster Independent School District recently experienced a ransomware attack that has impacted the District’s operations," the statement said. "After learning of the incident, the District immediately took affirmative steps to contain the threat. In addition, outside cybersecurity experts have been engaged to assist with the District’s response and conduct an independent investigation."

The statement said that the district was working to get its system back up and running "as quickly and safely as possible."

Board President Marion Hamilton told WFAA that the board hadn't been briefed about the situation when she was contacted Thursday.  

A source close to WFAA shared files and posts made by the hacking group "Grief" on the dark web that revealed the district was one of its targets. 

In a post, the group wrote that "The network of Lancaster Independent School District was screwed, and now we have about 9GB of data from file servers, including internal company documents, personal, and customer data." 

That information is now available for cybercriminals to grab at any moment. 

The district has not responded to follow-up questions, such as: 

  • How and when was the district contacted and told that there had been an attack?
  • What is the amount of the ransom that hackers have demanded? 
  • Does the district plan to pay any ransom demands?
  • Have the hackers taken control of the school’s servers?
  • Has the district notified students and employees whose personal information may have been compromised? 
  • Does the district plan to provide credit monitoring to those affected?
  • Has the district reported the incident to the TEA as required by law?
  • Does the district have a cyber security coordinator as required by the 2019 law?

Brett Callow, a threat analyst with cybersecurity giant Emsisoft, said hackers usually throw out a small chunk of what they have when an entity they're targeting isn't cooperating.  

"They usually start by publishing a small amount of fairly innocuous things," Callow said. "Then, you'll see the game heat up." 

Callow said that attacks on schools are common. 

"There were about 80 or so attacks in the U.S. education sector this time last year," Callow said. "The criminals are becoming better-resourced and more motivated."

Ransomware attacks have become a hot topic in the U.S. after hackers targeted the Colonial Pipeline in early May, launching a ransomware attack that impacted computerized equipment managing the pipeline. 


To stop the attack from spreading, the Colonial Pipeline Company halted all operations, creating gas shortages along the East Coast. The pipeline carries gasoline and jet fuel to the Southeastern United States. 

The Colonial Pipeline Company ended up paying the hackers $4.4 million in cryptocurrency to gain control of its systems once again. 

The company also hired outside consultants to handle negotiations with the hackers. 

Following that attack, the world's largest meat processing company, JBS, paid hackers $11 million in ransom to resolve a cyber attack against them that put the company in a digital stranglehold. 


Callow said that the attacks would keep happening if companies continue to shell out cash in cryptocurrency, which is more difficult for law enforcement to track.  

"If they keep paying ransoms, it will keep happening. It's as simple as that. There are no winners but the cybercriminals," Callow said. 

Investigative Reporter Tanya Eiserer contributed to this story. She can be reached at teiserer@wfaa.com.
