Cyber Incident Victim: Union Community School District

Date: Apr 2021

Location: United States of America

Summary

Union Community School District experienced a ransomware attack involving the DoppelPaymer threat group, which exfiltrated and publicly dumped sensitive data on the dark web after the district reportedly did not meet ransom demands. The compromised files included extensive personal and personnel information on current and former employees—such as Social Security numbers, salary details, performance evaluations, and termination records—alongside student data encompassing transcripts, disciplinary reports, class lists, and sensitive 504 Accommodation Plans. Despite the exposure of nearly 2 GB of compressed files containing addresses, birthdates, academic records, and family details, the district had not publicly acknowledged the incident or confirmed notifications to affected individuals at the time of reporting.

Description

The Union Community School District in Iowa experienced a ransomware attack prior to April 19, 2021, though the exact timeline remains unclear. The DoppelPaymer ransomware group, widely suspected to be Russian-based, employed a double-extortion strategy by first exfiltrating sensitive district data before encrypting files on the servers. On April 19, the group listed the district as a non-paying victim on their dark web platform, escalating the incident on May 28 by publicly releasing nearly 2 GB of compressed files containing extensive personal and operational data. The dump included a comprehensive list of all computers on the district’s network, though it notably lacked certain expected system files, leaving uncertainty about whether attackers retained additional unreleased data for leverage.

The compromised files exposed highly sensitive information affecting both employees and students. Employee records included home addresses, phone numbers, spousal/partner names, birthdates, Social Security numbers, salary schedules, hire dates, termination letters, and performance improvement plans documenting professional deficiencies. Student data encompassed class rosters, disciplinary records with names, graduation transcripts from 2003-2019 containing full addresses and academic histories, Iowa Student Reporting (SRI) details, and confidential 504 Accommodation Plans outlining special education needs.

Despite the severity of the breach, the district maintained no verifiable public communication: it issued no official statements, omitted the incident from school board meeting minutes, and provided no confirmation of external legal or recovery assistance. Superintendent Travis Fleshner and Board of Education members did not respond to media inquiries regarding operational impacts, breach scope awareness, or notification of affected individuals. The attackers’ data release occurred amidst existing district challenges including COVID-19 disruptions and prior allegations of inappropriate teacher-student communications.
