Cyber Incident Victim: Middlesex County Public Schools
Date: May 2023
Location: United States of America
Summary
Middlesex County Public Schools suffered a ransomware attack claimed by the Akira group, which allegedly stole 543 GB of data. The school system initiated an immediate internal investigation and formed an incident response team with its IT staff and external cybersecurity experts. They are working to determine if any student or staff personal information was compromised and are coordinating with law enforcement, including the FBI and Department of Homeland Security. The impact on daily operations was reported to be minimal.
Description
On or around May 31, 2023, Middlesex County Public Schools in Virginia experienced a significant cybersecurity incident. The school division's superintendent, Dr. Tracy Seitz, confirmed the event was a ransomware attack in a public statement issued late on Thursday, May 31. The confirmation came after the cybersecurity organization BetterCyber reported that the Akira ransomware group had publicly claimed responsibility for the attack earlier that same day. The threat actor group alleged they had successfully hacked the school system's website and exfiltrated approximately 543 gigabytes of data.

The school system took immediate action upon discovery of the incident. An internal investigation was initiated, and an incident response team was formed. This team was led by the school district's own information technology professionals and was augmented by external experts described as some of the country's leading authorities on cybersecurity. A primary and immediate focus of this investigation was to determine the scope of the data breach, specifically to ascertain whether any personal information belonging to students or staff members had been accessed or stolen. The school administration stated that its priority was confirming if any such personal information had been compromised.
Concurrently with the internal investigation, the school system engaged with multiple federal law enforcement agencies. Dr. Seitz's statement confirmed that the district was working with the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), as well as other leading agencies. The purpose of this collaboration was twofold: to assist in the investigation of the attack and to provide information that could be used to help prevent similar incidents from affecting other school systems in the future. Due to the ongoing nature of the law enforcement investigation, the school system declined to provide further specific details about the attack to avoid interfering with these official efforts.
The impact of the ransomware attack on the district's daily operations was reported by the superintendent to have been minimal. Despite the severity of the incident, the school's educational activities were not severely disrupted. The attack occurred just one day before the last day of classes for the academic year, as students were preparing to begin their summer break. This timing may have contributed to the limited operational disruption observed.
Public notification of the incident was handled through the superintendent's public statement. However, direct communication to parents and guardians appeared to be delayed. As of the evening of May 31, at least one parent, who had children enrolled across the elementary, middle, and high schools within the county, reported having learned of the cyberattack from a local news report rather than from the school district itself. This parent expressed significant concern about the security of their children's information, describing the situation as terrifying and saying how frightening it was depended on who the attackers turned out to be. At the time the news reports were published, the school district had not yet communicated a specific timeline for notifying all parents about the breach.
The school system made a commitment regarding its responsibility to those potentially affected. Officials stated that if the investigation determined that personal information of students or staff had indeed been compromised, the district would work promptly to notify those individuals directly. Furthermore, the school system pledged to provide free credit reporting services to the impacted parties as a protective measure.
The incident placed Middlesex County Public Schools among a growing number of educational institutions targeted by ransomware groups. The news reports contextualized the attack by noting similar recent ransomware events affecting school districts in Minnesota, Boston, West Virginia, and Franklin County in southwest Virginia, which had been attacked the previous month. A former superintendent from another district commented on the broader concern such attacks generate, emphasizing that school districts are major targets due to the vast amounts of sensitive student records they maintain. He noted that while schools are not careless and have significant protections in place, all organizations remain vulnerable in the current cyber landscape, underscoring the persistent and widespread nature of the threat. The full extent of the data allegedly stolen by the Akira group and the specific systems encrypted during the attack were not detailed in the public statements from the school district.
