Cyber Incident Victim: Affton School District
Date: Feb 2021
Location: United States of America
Summary
Affton School District experienced a ransomware attack in which threat actors accessed and leaked sensitive personnel information, contradicting the district’s initial assessment that no data was compromised. The attackers released over 400 files containing Social Security numbers of current and former employees, impacting at least 1,183 individuals; one file alone exposed hundreds of individuals employed during the 2010-2011 school year. The district provided affected individuals with 12 months of credit monitoring, fraud consultation, and identity theft restoration services. No evidence indicated student or parent data was accessed or exfiltrated during the incident.
Description
On February 25, 2023, Affton School District publicly disclosed a ransomware attack impacting its systems. In its community notification, the district initially asserted that no sensitive information, including personal data, financial details, or student grades, had been accessed or compromised, attributing this to routine protections like offsite server storage. This assessment was contradicted on March 3, when threat actors publicly released over 400 files containing personnel information of current and former employees, including Social Security numbers (SSNs). The data dump, comprising approximately 23 MB of compressed documents (.doc, .pdf, and spreadsheet formats), demonstrated broader exposure than initially reported; one file alone contained SSNs and names of hundreds of individuals employed during the 2010-2011 academic year. By March 4, the district acknowledged its initial scope assessment was inaccurate. The attackers included in their leak a reference to a defunct 2018 U.S. Senate bill proposing data breach compensation, though their rationale for doing so remained unclear.

The incident ultimately affected 1,183 individuals, including at least one Maine resident, prompting the district’s Chief Financial Officer, Steven Fedchak, to submit a breach notification to Maine’s Attorney General by April 1, 2023. Impacted individuals received offers for 12 months of credit monitoring, fraud consultation, and identity theft restoration services through Kroll. No evidence indicated student or parent data was accessed or exfiltrated, and threat actors did not reference such data in their communications. The district’s response focused exclusively on personnel data exposure, with no public disclosures regarding technical containment measures, ransom demands, or network recovery processes following the initial attack.
