Cyber Incident Victim: Rochester Public Schools
Date: Apr 2023
Location: United States of America
Summary
Rochester Public Schools canceled classes for all 42 of its schools following a suspected cyberattack that caused irregular network activity. The district-wide internet connection and core technology systems were proactively shut down for review, rendering staff and student Google accounts and building phones inoperable. This disruption made it very difficult to provide instruction and school services, necessitating the cancellation to allow staff time to plan for operations with reduced or no technology access.
Description
On or around April 5, 2023, Rochester Public Schools, a district serving 17,474 students in southeast Minnesota, discovered irregular activity on its network. This discovery initiated a significant incident response that led the district’s IT department to shut down the district-wide internet connection in order to review and address the issue. The initial detection of this anomalous activity prompted an immediate containment action, effectively isolating the network to prevent further potential spread or damage from the suspected cyber intrusion. The shutdown was comprehensive, affecting nearly all of the school district's core technology systems and infrastructure.

The immediate impact of the network shutdown was widespread and disruptive. All staff members and students were abruptly unable to access their Google accounts, which are integral to daily educational and administrative functions. Furthermore, the phone systems at all school district buildings ceased operating, severely hampering internal and external communications. This loss of critical technology systems occurred late in the week, with the district issuing a public message explaining the situation on Friday, April 7, 2023. The announcement acknowledged the irregular network activity and the necessary response of disconnecting the internet to facilitate an investigation.
By Saturday, April 8, the district assessed the ongoing technical challenges and the anticipated duration of the recovery process. School officials determined that providing instruction and school services would be exceedingly difficult without access to the internet and the core systems that remained offline. Consequently, Rochester Public Schools made the decision to cancel classes for Monday, April 10, for all 42 schools it operates. This cancellation affected thousands of students and families, necessitating a major operational adjustment. The district expressed regret for the impact this decision would have on families, particularly as it was communicated during a holiday weekend and at the end of the district's spring break.
While students were instructed not to report to school on Monday, April 10, district staff were required to attend an early morning meeting to address the situation and plan for the immediate future. Following this meeting, staff were given the opportunity to work from home because the internet and other essential systems were still not operational within school buildings. Despite the cancellation of classes, the district announced that sports and other extracurricular activities would continue to operate as usual on that Monday. Furthermore, certain services were to be made available for parents in need, indicating an effort to maintain some level of support for the community amidst the widespread technical outage.
The primary focus of the district’s response was on reviewing the network and addressing the issue to restore operations. The planning session held by staff on Monday was aimed at developing methods to operate schools with no or significantly reduced access to technology systems starting on Tuesday, April 11. This planning was necessary as the core technology systems remained shut down, and a full restoration of services was not immediately anticipated. The incident forced the district into a position of contemplating the delivery of education and administrative functions through alternative, low-tech or no-tech methods for an indefinite period.
This incident occurred within a broader context of heightened cybersecurity concerns for educational institutions. Just weeks prior, in March 2023, Minneapolis Public Schools, another large Minnesota district, experienced a severe ransomware attack. In that separate incident, the Medusa ransomware group posted a large amount of the district's data to the dark web. A sample of the leaked data from Minneapolis was reported to include highly sensitive records, such as those related to student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment, and sex offender notifications. While no explicit connection was made between the Minneapolis attack and the incident in Rochester, their temporal and geographical proximity highlighted a pattern of school systems being targeted.
The exposure of sensitive student data from the Minneapolis attack heightened concerns regarding the consequences of cyberattacks on schools, particularly the risk of massive data leaks onto the dark web when ransoms are not paid. This concern was further exemplified by a separate incident involving the Los Angeles school district, where the mental health records of thousands of K-12 students were found leaked across the internet following an attack by the Vice Society ransomware group the previous year. The Rochester Public Schools incident, while initially described as a suspected cyberattack with unclear motives, therefore resonated within an environment of increasing anxiety over the protection of student data and the operational resilience of educational infrastructure.
The response actions taken by Rochester Public Schools were characterized by a cautious and methodical approach, prioritizing the security review of its network over the rapid restoration of services. The decision to cancel classes was framed as a necessity due to the district's heavy reliance on its technology systems for fundamental educational delivery. The duration of the system outages and the full scope of the network intrusion were not immediately disclosed by the district. The investigation into the irregular activity and the process of securing the network before bringing systems back online constituted the central focus of the district's IT recovery efforts in the immediate days following the initial detection.
