Cyber Incident Victim: Toledo Public Schools
Date: Sep 2020
Location: United States of America
Summary
Toledo Public Schools experienced a cyberattack involving a Distributed Denial of Service (DDoS) incident followed by data exfiltration, leading to the online publication of sensitive personal information including names, addresses, Social Security numbers, and dates of birth belonging to faculty, staff, and students. The ransomware group Maze claimed responsibility, releasing a portion of stolen data initially misattributed to a construction firm before confirming the school district's information in a subsequent leak. The attack disrupted virtual classes and forced system downtime, though administrators were unaware of the data theft until contacted by media outlets and had not received any ransom demands. The district pledged to notify affected individuals and offer credit monitoring services while advising impacted parties to monitor for fraudulent activity.
Description
In early September 2020, Toledo Public Schools (TPS) experienced a Distributed Denial of Service (DDoS) attack that disrupted its systems, forcing administrators to temporarily take them offline. This interruption affected virtual classes across the district. While DDoS attacks typically do not involve data theft, subsequent developments revealed a more extensive compromise. On September 14, 2020, the ransomware group Maze claimed responsibility for an attack on TPS, though their initial data dump as proof of compromise contained information belonging to a construction firm rather than the school district. Earlier in October 2020, Maze published approximately 9GB of sensitive TPS data online, which included names, addresses, dates of birth, phone numbers, and Social Security numbers of faculty, staff, and students. Multiple TPS staff members confirmed to local media outlet 13abc that this second data dump contained legitimate district information. Maze asserted they had only released a small portion of the exfiltrated data, leaving the full scope of the breach unclear.

TPS administrators stated they had not received any communication or ransom demands from the attackers prior to the data leak. The district became aware of the breach only after being contacted by media outlets on October 16, 2020, having not previously detected the data exfiltration. Deputy Superintendent Jim Gant confirmed no known misuse of the compromised data had been identified at that time. In response, TPS pledged to notify affected individuals and provide credit monitoring services, though these measures were described as forthcoming rather than immediately implemented. On October 19, 2020, district leadership emailed faculty and staff, urging them to monitor financial accounts and credit reports for fraudulent activity. The incident occurred amid a broader trend of ransomware attacks targeting educational institutions, with approximately 70 school districts and colleges reportedly affected nationwide during the same period.
