Cyber Incident Victim: Frederick School District

Date: Jun 2021

Location: United States of America

Summary

Frederick School District experienced a ransomware attack in which threat actors encrypted files. The district refused payment and restored operations using backups, including older versions. The attackers, identified as Vice Society, exfiltrated and publicly dumped data containing sensitive employee payroll information, vendor payment details, and Social Security Numbers, including those of an employee’s family members from a tax document. Some files also disclosed student names, parental contact information, and a disciplinary investigation involving middle school students. While no master employee or student record systems were confirmed in the leaked data, the actors claimed to have released all exfiltrated information. The district is currently notifying affected individuals while continuing recovery efforts.

Description

Frederick Public Schools in Oklahoma experienced a ransomware attack in early June 2021, though the district had not publicly disclosed the incident until DataBreaches.net identified compromised files on a dark web leak site later that month. The attackers encrypted district files, but Superintendent Shannon Vanderburg confirmed no ransom was paid. Recovery efforts involved restoring systems from backups, including older backups in some cases, with operations fully restored by late June. Notification of affected individuals remained ongoing at the time of reporting. Analysis of leaked files revealed extensive exposure of sensitive data, including employee payroll records from 2018-2020 containing Social Security Numbers, vendor payment details, and a family’s federal tax return exposing additional SSNs for a staff member’s spouse and children. Student-related information was also compromised, including names, parental contact details, and a disciplinary report involving middle school students under police investigation. No master employee or student record systems were identified in the reviewed leaks, though the volume and sensitivity of exposed data prompted concerns about identity theft risks.

The ransomware group Vice Society claimed responsibility for the attack in a June 29 communication with DataBreaches.net, aligning with technical analysis by cybersecurity researcher Michael Gillespie suggesting the use of HelloKitty Linux ransomware variants. Vice Society asserted they published all exfiltrated data after the district refused payment, though the district did not verify this claim. The leaked data’s composition indicated potential gaps in the district’s data management practices, such as personnel storing personal tax documents on district systems. While restoration prioritized operational continuity, the scope of notifications expanded as investigators reviewed the dark web dump. The incident highlighted vulnerabilities in securing both employee and student data, with exposed information spanning financial records, identifiers, and confidential student matters. No evidence suggested further data releases beyond the initial dump, but the district maintained caution given the unverified completeness of the leak.