Cyber Incident Victim: Tucson Unified School District
Date: Jan 2023
Location: United States of America
Summary
The Tucson Unified School District experienced a ransomware attack by the Royal group that compromised its network and resulted in data encryption and theft. The attack disrupted internet services and forced temporary offline operations, while schools maintained functionality through alternative learning methods. Personal information, including names and Social Security Numbers, was accessed, affecting nearly 29,000 individuals, and identity protection services were subsequently offered to impacted parties. Law enforcement assisted in the investigation, and the district emphasized securing systems to safeguard confidential data.
Description
On January 20, 2023, Tucson Unified School District (TUSD) experienced a cybersecurity incident involving unauthorized access to its network. The breach was initially detected on January 23 when district staff discovered a printed letter from the Royal ransomware group on school printers, claiming they had copied, stolen, and encrypted TUSD's data. The letter offered a "unique deal" to decrypt the data and maintain confidentiality, though district officials did not publicly confirm whether the incident involved ransomware or whether any ransom was paid. As Arizona's largest school district, serving over 42,000 students and approximately 7,000 staff members, TUSD immediately disabled internet and network services across multiple schools to contain the breach while maintaining regular class schedules through alternative offline teaching methods. The district engaged cybersecurity experts, launched an internal investigation, and notified law enforcement authorities including the Tucson Police Department.

The attack caused significant operational disruptions, forcing staff to implement contingency plans using paper-based instruction and mobile hotspots. A subsequent investigation revealed that personal information—including names and Social Security Numbers—of 28,948 individuals (including 11 Maine residents) had been compromised during the breach. TUSD began notifying affected individuals on August 25, 2023, offering 12 months of identity theft protection through IDX CyberScan. While the district restored basic functionality quickly, full system recovery extended beyond initial disruptions. The incident marked one of at least five K-12 cyberattacks reported in early 2023, occurring amid heightened warnings from CISA about rising threats to educational institutions. No evidence suggested student safety was physically compromised, but the breach exposed systemic vulnerabilities in school cybersecurity infrastructures facing budget constraints and evolving attack methods.
