Cyber Incident Victim: Mars Area School District
Date: Sep 2022
Location: United States of America
Summary
The Mars Area School District experienced a ransomware attack by the Vice Society group, leading to unauthorized data leaks containing sensitive personal information. The attackers exfiltrated historical employee and student records, including Social Security numbers, dates of birth, contact details, and confidential reports on disciplinary actions, medical incidents, and employment disputes. While initial district communications asserted no evidence of compromised records, subsequent updates acknowledged an ongoing forensic investigation and potential notification obligations. The leaked data comprised extensive files with personally identifiable information and sensitive operational documents, though no comprehensive databases were identified in preliminary reviews. The district maintained school operations despite network disruptions but ceased communications with the threat actors during negotiations.
Description
The Mars Area School District in Pennsylvania disclosed a ransomware attack on September 27, 2022, disrupting email and internet network access while leaving phone systems operational. Schools remained open during recovery efforts, with the district initially asserting no evidence of compromised student or employee records. By October 3, Superintendent Gross reported ongoing recovery progress but revised the earlier assessment, acknowledging the forensic investigation remained in preliminary stages and omitting prior assurances about data safety. The district committed to providing breach notifications in accordance with legal obligations upon completing the forensic review. The Vice Society ransomware group claimed responsibility, listing the district on its data leak site and publishing stolen files containing sensitive personnel and student information spanning multiple years.

A preliminary review of leaked data by DataBreaches.net revealed extensive historical records, including a 2016-2017 personnel file exposing Social Security numbers, dates of birth, contact details, and email addresses for over 350 employees. Additional compromised documents included disciplinary records such as a 2022 employee arrest for driving under the influence, medical incident reports from 2012 and 2014 involving students and staff, custodial work complaints dating to 2006-2011, a 2021 negligence hearing notice, and a 2019 legal response to parental rights allegations. The district faced potential notification challenges for outdated incidents containing personal data unrelated to current operations. Vice Society representatives confirmed initial communications with the district ceased prior to the leak and dismissed the relevance of Pennsylvania’s proposed anti-ransom payment legislation, stating their motives centered exclusively on financial gain or notoriety. The stalled state bill would have restricted taxpayer-funded ransoms and mandated attack disclosures within one hour of discovery.
