Cyber Incident Victim: Rockland Public Schools
Date:
May 2021
Location:
United States of America
Summary
Rockland Public Schools in Massachusetts experienced a ransomware attack that disrupted staff access to laptops, desktops, and critical systems like ASPEN (X2), forcing manual attendance and grading processes while classes continued unaffected. The district collaborated with authorities to investigate the breach and restore operations, later confirming unauthorized access to personal data—including names and Social Security numbers—affecting 259 state residents.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 18, 2021, Rockland Public Schools (RPS) in Massachusetts announced it had been targeted by a ransomware attack discovered that morning. The district immediately notified its community via a website posting, confirming school operations would continue as scheduled despite significant IT disruptions. Staff laptops and desktops were rendered inaccessible for several days, severely limiting email communication and forcing manual workarounds for critical functions. The ASPEN (X2) student information system became unavailable, requiring staff to record attendance and grades manually with plans to update digital records once systems were restored. Student Chromebooks remained unaffected and operational, allowing uninterrupted learning. RPS engaged with unspecified authorities to investigate the breach’s scope and develop recovery plans, though initial communications did not disclose whether threat actors issued a ransom demand or claimed responsibility. No dedicated ransomware leak sites listed RPS at the time of the initial disclosure, suggesting data may not have been publicly exfiltrated or leaked immediately following the attack.
The district provided Portuguese-translated notifications alongside English communications, reflecting community diversity. On November 23, 2021—over six months after the incident—RPS formally notified the Massachusetts Attorney General’s Office that 259 state residents were impacted by unauthorized access to personal data. Affected individuals received notices confirming attackers accessed or exfiltrated names and Social Security numbers, though the district characterized the compromised dataset as “limited.” No additional details emerged regarding the attack vector, duration of system downtime, full restoration timeline, or whether ransom payments were considered. The delayed breach notification timeline indicates forensic investigations extended for months before RPS confirmed specific data exposure. Manual academic record-keeping persisted during the initial disruption period, though the district did not specify when full IT functionality resumed.