When Celeste Gravatt first heard about a data breach in her kids' school system in February 2023, it sounded innocuous.
"I didn't really think anything of it at first," Gravatt says.
Officials at Minneapolis Public Schools called it a "system incident," then "technical difficulties," and finally, "an encryption event."
Gravatt has two children who have already graduated from Minneapolis schools, and one who is currently in middle school. She says it was only when she checked social media that she realized the true extent of the attack, and what it could mean for her kids.
Minneapolis Public Schools had been hit by what experts describe as one of the most devastating cyberattacks ever. Hackers stole district data, including files where children were identifiable, and then demanded the district pay a ransom for it. When district officials refused, the hackers released the data online. It included Social Security numbers, school security details and information about sexual assaults and psychiatric holds.
Minneapolis Public Schools did not make any officials available for an interview. In a written statement, the district said it sent written notice of the attack to more than 105,000 people who may have been impacted by it.
"This breach was actually really huge," Gravatt says. "And it wasn't just school records. It was health records, it was all sorts of things that should be privileged information that are now just out there floating around for anybody to buy."
It's an example of a growing nationwide trend in which hackers are targeting a surprising group of people: young public school students.
As school districts depend more on technology, cyberattacks against those systems, and the sensitive data they store, are on the rise. While it's hard to know exactly how many K-12 school systems have been targeted by hackers, an analysis by the cyber security firm Emsisoft found 45 districts reported they were attacked in 2022. In 2023, that number more than doubled, to 108.
The consequences of these data breaches can follow students well into adulthood.
School system data – which can include discipline information, special education records, medical histories and more – can be held hostage, with hackers threatening to release sensitive information if districts don't pay a ransom, as they did in Minneapolis. The data can also be used to steal a child's identity.
"As it turns out, the identity information of children is actually more valuable to them than that of adults," says Doug Levin, director of the K12 Security Information eXchange, a nonprofit that helps protect school districts from cybersecurity risks.
He says stealing a child's identity may seem counterintuitive because they don't have resources of their own, but it can cause "a lot of havoc." Parents don't necessarily monitor their children's credit and bad actors can easily open up bank accounts, rack up debt and apply for loans in a child's name.
"And as a result, cyber criminals can abuse the credit records of minors for many, many years before the victims learn about it," Levin says.
Schools store a lot of data
There's a misconception that the only sensitive data schools have are "Johnny and Susie's algebra grades," Levin says.
It's actually so much more. Districts have data on everything from a child's allergies and suspensions to household income and court orders.
"School systems' educators can be a little bit like pack rats," Levin explains. "And so there's a lot, a lot of information that is collected over time, and it's often not deleted when it's no longer necessary."
Gravatt calls the Minneapolis attack "an extreme breach of privacy," and says she felt violated, both for her children and also for herself. As a former Minneapolis Public Schools student, she also had data in the system.
Advocates also point out that Black and brown students are especially vulnerable when a school system gets hacked. For example, according to a report by the Minnesota Department of Human Rights, Black students in the state are eight times more likely than a white student to be suspended or expelled.
"So that also means that more of their information is being input into the system," says Marika Pfefferkorn. She co-founded the Twin Cities Innovation Alliance to educate and empower parents about how data collected about their children could be misused.
Pfefferkorn says the more information collected on a student – whether it's about housing, custody or free lunch – the more vulnerable they are after a data breach.
The long-term consequences can be devastating for students
Stolen student records can also come back to haunt children into adulthood.
Say a student has a history of drug use that's been successfully overcome; or they have disciplinary records that should have been expunged, but are now publicly available. That information could resurface in college applications, job interviews or in court hearings.
"Even having information on suspensions might mean that a young person might receive a harsher sentence," Pfefferkorn says.
After the Minneapolis breach, Pfefferkorn says some students whose sexual assault records were made public were doxed and bullied by their peers.
Levin, the cyber security expert, says some information can be devastating if it's made public.
"Given how polarized the public is today about issues like gender identity, about maybe even pregnancy or immigration status, if some of that information became public for specific individuals at specific points in time, it could be absolutely life threatening."
Recovering from an attack can be overwhelming for families
Minneapolis Public Schools says it provided impacted individuals with free credit monitoring services for one year, as well as guidance on how to protect against identity theft and fraud.
That guidance included a long list of steps families should take, such as placing "a fraud alert and security freeze on one's credit file," contacting national consumer reporting agencies and, if they suspect attempted identity theft, reaching out to the Federal Trade Commission, their state attorney general and local law enforcement.
"It felt really, really overwhelming," says Minneapolis parent Rachael Flanery. She thinks it's unrealistic to believe parents have the time or capacity to do everything the school district suggested.
So in the end Flanery, who has two young children in the school system, says she did nothing.
"I tried to just kind of be an ostrich about it, right? I put my head back in the sand, and I kind of was in the mindset of, well, if there's a knock on my door and [someone] tells me my 7-year-old just bought a boat, I'll show him where he is! And hopefully it won't be hard to get the charges reversed."
Her family has since moved to a different school district, but Flanery says the whole experience was scary. As a parent, she's always been concerned about her children's physical safety. Now, cybersafety is another thing she's worried about.
Parent Celeste Gravatt is also concerned. She locked her kids' credit so that no one could open accounts in their names. She's especially worried that one of her kid's health information will be made public. She still feels anxious when she thinks about it.
"I'm not what I would call a tech savvy person. So I do wonder, like, if somebody were to obtain information that they shouldn't have, would I even know till it was too late? I don't know."
Edited by: Nicole Cohen
Visual design and development by: LA Johnson
Audio story produced by: Lauren Migaki
Copyright 2024 NPR. To see more, visit https://www.npr.org.
