Cyber Incident Victim: Consolidated High School District 230

Date:

May 2021

Location:

United States of America

Summary

Consolidated High School District 230 experienced a ransomware attack attributed to the Pysa threat actor group, involving unauthorized access and data exfiltration. The incident exemplified broader targeting of educational institutions by ransomware operations, compromising sensitive information and disrupting operations. This attack coincided with similar breaches affecting other school systems, underscoring persistent cybersecurity challenges within the sector.

Description

In or around August 2020, Consolidated High School District 230 experienced a ransomware attack attributed to the threat actor group Pysa. The attackers infiltrated the district’s systems, exfiltrated sensitive data, and deployed ransomware to encrypt files. The compromised data included student disciplinary records containing personally identifiable information (PII) such as names, birthdates, and behavioral incident details, as well as staff files with employment-related information. The breach remained undisclosed publicly until April 2021, when it was reported alongside a separate attack on Haverhill Public Schools. Pysa, also known for targeting the healthcare sector, typically threatens to leak stolen data unless a ransom is paid. District 230 did not comply with the attackers’ demands, leading to the public release of the exfiltrated data on the dark web.

The incident exposed sensitive student and staff information, creating risks of identity theft and reputational harm. The district’s refusal to pay the ransom aligned with law enforcement guidance but resulted in confirmed data disclosure. The attack occurred amid a broader surge in ransomware operations targeting educational institutions during the COVID-19 pandemic, highlighting systemic vulnerabilities. Massachusetts lawmakers subsequently proposed legislation to mandate ransomware reporting and establish response funds, partly motivated by this and similar breaches. No specific containment measures or system restoration details were disclosed by the district. The breach underscored operational disruptions and privacy challenges faced by schools combating financially motivated cyber threats.
