Cyber Incident Victim: Manhasset Union Free School District

In September 2021, the Manhasset Union Free School District on Long Island experienced a ransomware attack attributed to the Vice Society threat actor group. The district publicly confirmed the incident on October 7, 2021, after Vice Society published stolen data on their dark web leak site during the preceding weekend. Attackers encrypted the district's computer systems, though network segmentation enabled restoration from backups without ransom payment. The compromised data included extensive student and personnel records spanning over a decade, with particularly sensitive education files containing Individualized Education Programs (IEPs) for special needs students, disciplinary records, medical conditions, academic performance details, and letters of recommendation—all protected under FERPA and IDEA regulations. Personnel files contained employment investigations, salary information, and other confidential documents.

The district engaged cybersecurity experts and law enforcement following system encryption. Vice Society claimed the district made an insufficient ransom offer before data publication, though specific amounts were undisclosed. By October 18, the district issued a community letter confirming data exposure and outlining notification plans for affected individuals, with complimentary credit monitoring for those whose Social Security or driver's license numbers were compromised. The attackers characterized the breach execution as "not hard," while the district cited implementation of additional security measures to prevent recurrence. Legal obligations under FERPA required potential annotation of breached education records, including decade-old files, while New York state laws applied to exposed employee data. No evidence suggested district payment to attackers or exposure of comprehensive payroll databases.