A notorious group of cyber criminals published the sensitive data of an elite private school in the Bronx after infiltrating the school’s computer system with malicious ransomware.
RansomHub, the hacking group behind the cyber-attack, published the stolen data on its darknet site, exposing the personal information of students, parents and faculty from Riverdale Country School—a prestigious institution known for its high tuition fees.
Cybersecurity experts sounded the alarm on Feb. 20, when the group announced that it had stolen Riverdale Country School’s data and posted a countdown clock, giving the school just over five days to meet its demands. After the clock ran out, RansomHub posted the 42 GB of data to its darknet website, updating the post about the data breach to read, “Published” in green letters.
The leaked data included sensitive information like biographical info and contact info as well as personal medical information, all posted publicly on the dark web and available for nefarious actors to download for free. As of around 3 p.m. on March 5, RansomHub’s website showed that Riverdale Country School’s data had been viewed over 4,000 times.
Luke Connolly, a cybersecurity threat analyst with Emsisoft, a firm specializing in security solutions, told the Bronx Times that publishing the data was a strong indication that the school had not complied with the crime organization’s demands, in line with Federal Bureau of Investigation guidance for ransomware victims. He noted that cybercrime groups don’t always honor their word to delete data after a successful ransomware attack.
“These guys are financially driven, and they have zero morals, so I would not at all be surprised if the data was sold after it had been promised that it had been deleted,” Connolly said.
Riverdale Country School declined to comment about the attack.
While the appeal of protecting sensitive data can make paying a ransom seem like a good idea, Connolly told the Bronx Times that giving in to cyber criminals’ demands can perpetuate the problem.
“If you pay the ransomware, you’re supporting their criminal activities and supporting their attempts to find further victims down the road,” Connolly said. “You have no idea what that money is going to go to later on.”
The need to protect client and user data remains a key priority in both state and federal policy.
Laws such as the Family Educational Rights and Privacy Act (FERPA) and New York’s Part 121 2-d of the Regulations of the Commissioner of Education regulate the unauthorized release of personally identifiable information. However, these protections primarily apply to schools receiving federal funding, leaving many private institutions outside their scope.
Riverdale Country School is just one of many schools where personally identifiable information has been stolen recently. In fact, a major software company specializing in School Information Systems called PowerSchool was attacked with ransomware in late December, compromising the data security of schools all over the country, including in New York State, and prompting at least one class action lawsuit.
“It’s been a devastating year for K through 12,” Connolly said. “A lot of schools have been compromised either directly themselves or indirectly through supply chain attacks like PowerSchool.”
But he urged caution in leveling blame. Highly protected data systems in tech, government, essential services and financial institutions worldwide have been subject to malicious software attacks.
“It’s devastating to the economy,” Connolly said.