Cyber Incident Victim: Sheldon Independent School District

Date: Mar 2020

Location: United States of America

Summary

A ransomware attack encrypted a critical business server at Sheldon Independent School District, prompting the organization to pay a ransom facilitated by a third-party firm to obtain a decryption key and avoid prolonged system restoration. The subsequent investigation determined unauthorized actors accessed and downloaded documents containing personal information of current and former students and staff, including names, academic details, demographic data, test scores, and language proficiency—though no Social Security Numbers or similarly sensitive identifiers were compromised. Impacted individuals received notification letters following confirmation of the breach's scope, which revealed variable data exposure across affected groups. The incident occurred amid a wave of cyberattacks targeting Texas school districts.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On March 19, 2020, Sheldon Independent School District (ISD) in Houston, Texas, experienced a ransomware attack that encrypted a critical business server essential to district operations. Faced with an estimated multi-month recovery timeline to rebuild and restore the encrypted system, the district’s board convened an emergency meeting the same day and authorized payment of the ransom. The district engaged Coveware, a third-party firm specializing in ransomware response, to facilitate the transaction. Coveware charged a $5,500 flat fee plus cryptocurrency transaction fees to obtain and transfer the payment to the threat actors. The firm advised the district that these specific attackers had historically provided decryption keys in previous cases they had handled, though the article does not confirm whether Sheldon ISD successfully regained access to its systems after payment. The incident occurred amid a wave of cyberattacks targeting Texas school districts during the early stages of the COVID-19 pandemic.

Following the initial containment response, Sheldon ISD launched an internal investigation and retained a computer forensics firm to assess network security. On June 15, 2020, this investigation revealed that the unauthorized actors had accessed and downloaded documents containing sensitive information about current and former students and staff. The compromised data varied by individual but generally included student names, year in school, school name, teacher names, sex, race, standardized test scores, and English language proficiency records. Notably, the breached files did not contain Social Security Numbers or similarly sensitive identifiers for students. By July 22, 2020, the district completed identification of affected individuals and mailed notification letters to all current and former staff members, along with many current and former students whose information was exposed. The public disclosure of the breach occurred via a district website posting on July 24, 2020, over four months after the initial ransomware incident.
