Cyber Incident Victim: Minneapolis Public Schools

Date: Feb 2023

Location: United States of America

Summary

Minneapolis Public Schools experienced a ransomware attack that caused widespread system disruptions, affecting internet, phones, cameras, badge access, copiers/printers, and building alarms. The district restored encrypted data from backups and took mitigation steps such as deploying endpoint detection tools, updating passwords, implementing multi-factor authentication, and engaging third-party cybersecurity specialists. While investigations found no evidence of personal data compromise, the district urged password resets for accounts accessed on school devices. In-person classes resumed after temporary e-learning days, and no instructional days were lost because the disruption coincided with conferences and weather-related closures. The incident remains under investigation, with no ransomware group claiming responsibility.

Description

On February 20, 2023, Minneapolis Public Schools (MPS) experienced significant technical disruptions affecting critical systems during the Presidents Day holiday. The district initially described the incident as technical difficulties but later confirmed it was an "encryption event," consistent with a ransomware attack. Systems impacted included internet access, phones, security cameras, badge entry systems, printers/copiers, and building alarms, severely disabling operational infrastructure across the district serving approximately 34,500 students. MPS IT personnel and external specialists immediately initiated around-the-clock investigations to determine the source and full scope of the incident. By February 21, parent-teacher conferences were canceled, though the district avoided canceling instructional days due to pre-scheduled conferences that day and subsequent weather-related closures from February 22-24. During this period, MPS conducted "E-learning" days while restoration efforts continued.

MPS announced on February 24 that many systems had been restored through viable backups secured before the incident, enabling a return to in-person classes on February 27. Students were required to reset passwords upon returning to regain account access. The district emphasized that no evidence indicated personal data compromise but advised all users to change passwords for personal accounts accessed on MPS devices as a precaution. Response actions included deploying endpoint detection and response tools, updating passwords district-wide, implementing multi-factor authentication where feasible, and engaging third-party cybersecurity firms for network monitoring. Investigations remained ongoing, with no ransomware group claiming responsibility. The incident highlighted broader sector vulnerabilities: federal agencies have noted an increase in K-12 cyberattacks between 2018 and 2022, including recent disruptions in Los Angeles, West Virginia, Arizona, Massachusetts, and Iowa. MPS committed to evaluating existing security protocols and enhancing protections but provided no additional details on the forensic methodology supporting its "no data compromise" assertion or on the attack's initial vector.
