School Districts That Have Experienced More Than One Cyber Incident Since 2016

Alphabetical by school district name. 

  • Argyle Independent School District (TX)
    • 2017 (phishing): “Victimized by W-2 email phishing scam affecting educators and other school employees (as reported by EdTech Strategies).”
    • 2017 (ransomware): “A Texas Department of Agriculture (TDA) employee’s state-issued laptop computer was compromised through a malicious ransomware attack. As a result, students in school districts throughout Texas may have been potentially impacted by the breach. The information exposed on the employee’s laptop included names, social security numbers, home addresses, birthdates, and personal phone numbers of the affected students and their families. To date, TDA’s Information Security Officer (ISO) has identified more than 700 students whose sensitive personal information was, or is reasonably believed to have been, exposed to acquisition by an unauthorized person.”
  • Arlington (VA) Public Schools
    • 2016 (unauthorized disclosure/breach): “A total of 68 Arlington Public Schools employees have had their social security numbers and tax information compromised in a data breach.”
    • 2017 (unauthorized disclosure/breach): “Recently, APS learned that one of our vendors, OneLogin, experienced unauthorized access to their data. Our APS Information Services staff responded immediately to implement the remediation recommendations provided by OneLogin. After completing our initial analysis, we do not believe this incident presents a significant risk to you. Nonetheless, in accordance with best email practices, we are recommending that you change your password for your Family Access (ParentVUE) account. We value your participation as a partner with APS in support of your student’s instruction and want to ensure that access to your student’s records remains private.”
  • Bay District (FL) Schools
    • 2017 (other incident): “The Bay District Schools website was hacked Sunday night and authorities are working to fix the issue. The district’s home page was replaced by a page showing an anime character making an obscene gesture and text stating “Hacked by Typical Idiot Security.” Superintendent Bill Husfelt said the site’s host was hacked and not the district’s servers and no confidential information was compromised.”
    • 2018 (unauthorized disclosure/breach): “Bay District School announced Tuesday that 1,200 students were impacted by a data breach at Florida Virtual School. The statewide school provides online instruction for students from kindergarten through high school. The school announced last month that an unauthorized user gained access to their system that stored personal information sometime between May 6, 2016, and Feb. 12, 2018.”
  • Chesapeake (VA) Public Schools
    • 2016 (unauthorized disclosure/breach): “Chesapeake Public Schools has experienced a potential data breach after an employee’s laptop was stolen. The information on the laptop included names, social security numbers and bank account numbers of some past and present Chesapeake Public Schools employees.”
    • 2018: (phishing): “Officials with Chesapeake Public Schools said Thursday the district’s computer system has been hacked. The school district said a virus entered their network through phishing emails sent to employees. CPS said only a couple of divisions have been affected and it’s not a system-wide outage. Right now, the IT department is working to contain and get rid of the virus.”
  • Chicago (IL) Public Schools
    • 2016 (unauthorized disclosure/breach): “A Chicago Public Schools employee improperly leaked some student names, home addresses and current schools to the Noble Network of Charter Schools.”
    • 2017 (unauthorized disclosure/breach): “Confidential information about Chicago Public Schools students — including medical conditions and dates of birth — was kept on unsecured web documents that anyone could call up despite laws and CPS rules that are supposed to safeguard children’s privacy.”
    • 2018 (unauthorized disclosure/breach): “Families were sent an email Friday evening from CPS’s Office of Access and Enrollment inviting them to submit supplemental applications to selective enrollment schools. Attached at the bottom of the email was a link to a spreadsheet with the private data of over 3,700 students and families. The link to the private data was active for several hours after CPS noticed and apologized for the breach. The link was eliminated by Saturday morning.”
    • 2018 (unauthorized disclosure/breach): “When Chicago Public Schools fired an employee recently, she left her job with more than just her final paycheck. The former employee allegedly took the personal information of about 70,000 people contained in a CPS private database. The temporary employee worked in the CPS information center. She may have stolen the data in retaliation for being fired, police said.”
    • 2018 (unauthorized disclosure/breach): “Chicago Public Schools officials this week confirmed confidential student information has been improperly disclosed in yet another data breach, this time involving the recently removed principal of Ogden Elementary School. CPS Chief Education Officer LaTanya McDade informed Ogden parents in a letter Thursday that former principal Michael Beyer improperly shared a Google Drive folder with files containing employee ratings and evaluations from last school year as well as identification numbers, grades, standardized test scores and the email addresses of numerous students.”
  • Clark County (NV) School District
    • 2017 (other incident): “Close to 20 Clark County School District computers were hit this week with a virus that led to a nude image to appear on the screen. Spokesman David Roddy said the IT department was looking into how the virus got on the computer.”
    • 2017 (other incident): “The Foothill High School Twitter account has been compromised. In an hour a number of tweets were sent that ranged from anarchist symbols, taunts, to offensive messages targeting staff. Half of the tweets seemed to be in response to some sort of school policy.”
  • Cleveland (OH) Metropolitan School District
    • 2017 (unauthorized disclosure/breach): “CMSD determined that certain categories of employee, student, and/or guardian information contained in a limited number of CMSD employee email accounts may have been accessed by an unknown and unauthorized individual.”
    • 2017 (other incident): “Teachers of the Cleveland Metropolitan School District were victims of an email spoofing scam that resulted in their direct-deposit compensation being directed to an unknown third party.”
  • Cloquet Public Schools (MN) ISD94
    • 2016 (ransomware): “The Cloquet school district was the victim of a malicious computer software attack last week that resulted in the equivalent of a lock on much of its information, and a $6,000 ransom demand to have it released.”
    • 2018 (ransomware): “On August 3, 2018 users began noticing files on shared network drives were renamed with an odd file extension, making the files unable to be opened. Upon analysis, the district had fallen victim to a ransomware virus. The virus encrypted files on all servers except one, including network shared drives. There is no indication that any information was stolen or accessed by any individuals other than to encrypt the data. The district did not pay the ransom, but instead plans to rebuild their existing servers and manually enter any data that was lost. The district says that they chose this option as it was the only one that guaranteed that their insurance policy would cover the district’s costs.”
  • Columbia County (GA) School District
    • 2016 (unauthorized disclosure/breach): “The Columbia County School District has revealed that one of their servers suffered a data breach. The affected server did not contain any student data, but it DID contain confidential employee information, including names, Social Security numbers, birth dates and more.”
    • 2017 (unauthorized disclosure/breach): “Despite the fact that the school’s action appears to violate a ‘Memorandum of Understanding’ signed by the school system and sheriff’s office, an assistant principal and a sheriff’s deputy let a sophomore quarterback for the Evans High football team avoid arrest after he hacked into the lunchroom computer and added $120 to his meal account.”
  • Corpus Christi (TX) Independent School District
    • 2016 (unauthorized disclosure/breach): “The Corpus Christi Independent School District is offering 443 of their former students and one current student free credit monitoring service, after their Social Security numbers were published to the internet.”
    • 2017 (unauthorized disclosure/breach): “The names and social security numbers of employees were made public on a website by managed by the Texas Association of School Boards.”
  • Corsicana (TX) Independent School District
    • 2017 (phishing): “Victimized by W-2 email phishing scam affecting educators and other school employees (as reported by EdTech Strategies).”
    • 2017 (ransomware): “A Texas Department of Agriculture (TDA) employee’s state-issued laptop computer was compromised through a malicious ransomware attack. As a result, students in school districts throughout Texas may have been potentially impacted by the breach. The information exposed on the employee’s laptop included names, social security numbers, home addresses, birthdates, and personal phone numbers of the affected students and their families. To date, TDA’s Information Security Officer (ISO) has identified more than 700 students whose sensitive personal information was, or is reasonably believed to have been, exposed to acquisition by an unauthorized person.”
  • Crowley (TX) Independent School District
    • 2017 (ransomware): “A Texas Department of Agriculture (TDA) employee’s state-issued laptop computer was compromised through a malicious ransomware attack. As a result, students in school districts throughout Texas may have been potentially impacted by the breach. The information exposed on the employee’s laptop included names, social security numbers, home addresses, birthdates, and personal phone numbers of the affected students and their families. To date, TDA’s Information Security Officer (ISO) has identified more than 700 students whose sensitive personal information was, or is reasonably believed to have been, exposed to acquisition by an unauthorized person.”
    • 2018 (phishing): “On November 20, Crowley ISD learned that funds intended as payments to vendor Steele & Freeman, Inc., a construction company for the district, were electronically transferred via ACH (Automatic Clearing House) to a fraudulent account instead of Steele & Freeman’s account. The suspect, who has no connections to Crowley ISD or Steele & Freeman, is accused of posing as an employee of the construction company and asking the district to wire nearly $2 million in payments that were due to the fraudulent account. Upon discovering this fraud, the district immediately contacted authorities, including the FBI, and began an internal review.”
  • District of Columbia (DC) Public Schools
    • 2016 (unauthorized disclosure/breach): “The private information of about 12,000 D.C. public school students was accidentally uploaded to a publicly accessible website, the District’s Office of the State Superintendent of Education announced Thursday in an internal memo.”
    • 2018 (unauthorized disclosure/breach): “The personal information for 2,000 homeless D.C. students was mistakenly published online and accessible for six months, school officials said. According to D.C. Public Schools, the accidental disclosure took place after a spreadsheet with the students’ information was provided to the D.C. Council. The spreadsheet was then posted on the council’s website. The information included student names, birth dates, identification numbers, grade levels, attendance information, housing status and whether they qualified for special education and English Language Learner services.”
  • Escambia County (FL) School District
    • 2016 (unauthorized disclosure/breach): “The Escambia County School System is one of three in the state hit with a payroll accounting system security breach that allowed fraudulent tax returns to be filed in employee names.”
    • 2017 (denial of service): “The Escambia County School District experienced a denial-of-service attack last fall.”
  • Kountze (TX) Independent School District
    • 2017 (ransomware): “A hacker got access through an unsecured remote desktop used to access school computers from home or other locations. From there, the hacker was able to lock the shared user files of all 1,300 students and employees. The district was able to restore their files from backups without South Washington (MN) County Schoolscontacting the hackers.”
    • 2017 (unauthorized disclosure/breach): “The names and social security numbers of employees were made public on a website by managed by the Texas Association of School Boards.”
  • School District of Manatee (FL) County
    • 2017 (unauthorized disclosure/breach): “Victimized by W-2 email phishing scam affecting educators and other school employees (as reported by EdTech Strategies).”
    • 2018 (other): “An investigation by Hudl, a national online database, determined the Braden River High football coaching staff improperly accessed an account to view video footage of opposing football teams from Sarasota County in an effort to gain an on-field advantage, according to a statement Friday by the Sarasota County School District.”
  • Miami-Dade (FL) County Public Schools
    • 2017 (other): “International hackers slipped into the computer systems of at least four Florida school district networks, including Miami-Date, in the hopes of stealing the personal data of hundreds of thousands of students. They infected the systems with malware — malicious software — that turned off the logs recording who accessed the systems, according to United Data Technologies, the Doral-based cybersecurity company that investigated the incidents. For three months, the hackers probed the systems, mapping them out and testing their defenses. At one point, they even posted photos of someone dressed as an ISIS fighter on two school district websites.”
    • 2017 (unauthorized disclosure/breach): “Former students of American Senior High School, who filed a lawsuit against the Miami-Dade County Public Schools said a simple internet search of their names brings up all sorts of private information, such as social security number, developmental scale score, whether they passed or failed the FCAT, achievement levels and other test scores.”
    • 2018 (unauthorized disclosure/breach): “A high school, granted access to teachers’ computers because he was helping the school build a website, used a device known as a “keylogger” to get teachers’ logins and passwords, and use that information to to change between 25 and 30 grades. The high school student was eventually caught when a teacher noticed the wrong grades, but he was not criminally charged. Because of privacy laws, the district can’t release information about the student. But they say he learned a “hard lesson” and was disciplined. Sources tell us he was not able to go to prom or walk at graduation.”
  • Middletown (CT) Public Schools
    • 2017 (ransomware): “In Middletown last summer, the school district was dealing with ransomware, which threatens to publish personal data unless a ransom is paid. The district said no ransom was paid and that the affected server was decommissioned without any loss of data.”
    • 2018 (ransomware): “The Middletown school district is working to restore access to its computer systems after discovering a ransomware virus Thursday that had locked the staff out. Schools Superintendent Michael Conner said the district has not paid any ransom. He said officials are still working to determine how the virus got into the system and who might be responsible. By late Friday, two of the district’s six computer systems were operating with limited functionality.”
  • Midway (TX) Independent School District
    • 2016 (other incident): “Two Midway High School students were charged Tuesday with distributing a false report or alarm after posting a screen shot of a false administrative document warning families about potential violence at the school, Hewitt Police Chief Jim Devlin said.”
    • 2017 (unauthorized disclosure/breach): “The names and social security numbers of employees were made public on a website by managed by the Texas Association of School Boards.”
  • Modesto City (CA) Schools
    • 2016 (ransomware): “Hackers got ahold of the James C. Enochs High School’s entire journalism program and then offered to return access to files in exchange for a paid ransom. The incident that occurred wasn’t reported and they chose not to pay the ransom.”
    • 2017 (other incident): “Hit by a computer virus, the Modesto City Schools district has shut down all essential applications and services.”
  • Montgomery County (MD) Public Schools
    • 2016 (unauthorized disclosure/breach): “A contractor working with the Montgomery County school system has informed the parents of about 340 special-education students that the children’s private data was on a computer stolen during a break-in.”
    • 2017 (other incident): “Montgomery County Public Schools had an electronic disruption this week because of a cyberattack, said Derek Turner, a spokesman for the district. Turner said the disruption to computer systems lasted three days. District officials figured out who was behind the targeted attack and fixed the service. The district’s chief technology officer, says ‘the disruption was caused by an attack designed to slow our system and law enforcement has been involved. The system itself was not hacked and at no time was the data of our students or staff in danger of being breached. Our firewall and security systems worked as they are designed to, and completely protected all of our data.'”
  • Mt. Diablo (CA) Unified School District
    • 2017 (unauthorized disclosure/breach): “On April 27, 2017, when parents tried to access their student’s data through the HomeLink Portal, they were able to view information of a student other than their own.”
    • 2018 (unauthorized disclosure/breach): “The grading system at Ygnacio Valley High School (Mt. Diablo Unified School District) in Concord was hacked by a 16-year-old sophomore. That student has been suspended. It took the student just five minutes to create a phishing email which he sent out to school staff. Administrators were tipped off about two weeks ago when someone in the I.T. Department got that phishing email but it went to spam. All he needed was one username and password. The student raised and even dropped the grades of 10 to 15 people. “He was charged with crimes ranging from unauthorized use of entering network to personal info,” said Sgt. Carl Cruz of the Concord police.”
    • 2018: (unauthorized disclosure/breach): “The Mt. Diablo School District reports that an error on August 8 was caught after 200 of 650 emails were sent out containing the wrong children’s information. The emails contained students’ names, addresses, telephone numbers, permanent student ID numbers, grade levels, and Homelink verification codes.”
  • Mt. Zion Community Unit School District #3
    •  2018 (denial of service): “Police say a student hacked into the Mount Zion School District computer network to sabotage a homework assignment, causing the system to crash. The student launched denial-of-service attacks via a phone app on three separate days. An investigation led police to identify and arrest the student, who now faces computer tampering charges.”
    • 2019 (other incident): “Foreign hackers targeted the Mount Zion schools computer system in an attack that resulted in 19 days’ worth of grades being wiped out across the district. Data was not removed from the system, but the hackers encrypted several servers, making them unusable. The hackers used a sophisticated computer program to institute a brute force attack against the school’s network to gain access. Efforts to retrieve some information after the security breach have been unsuccessful: teachers are maintaining paper records temporarily and – since grades for 19 days of the third quarter were lost – all students will receive a 100 percent A+ for those days.”
  • Palo Alto (CA) Unifed School District
    • 2017 (unauthorized disclosure/breach): “The names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district were accessed by a well-known computer security researcher targeting a former vendor of the district.”
    • 2017 (unauthorized disclosure/breach): “A website that enables Palo Alto High School students to view their grade point averages and class rank is circling around the student community this morning, and suggests a breach of the Infinite Campus system. By entering their student ID as well as their “person ID”, which can be found through Infinite Campus, students can find their class rank, percentile, and weighted GPA to four decimal places. In addition, the site provides information on overall class size, mean weighted GPA, and standard deviation. However, students can only view their own information, not that of other students.”
    • 2018 (unauthorized disclosure/breach): “On January 18, 2018, Palo Alto Unified School District learned that an employee was storing confidential parent information on his laptop. This same employee had a prior laptop stolen and based on this information, the District conducted an investigation to determine whether personal information was affected by the prior incident. The District’s investigation determined that although the stolen laptop was password protected, confidential information may have been stored on the device, including the name, address, and Social Security number for 353 individuals (including seven North Carolina residents).”
  • South Washington (MN) County Schools
    • 2017 (unauthorized disclosure/breach): “The South Washington County school district is tightening security after a high school student hacked into the district’s server and took names, Social Security numbers and some addresses.”
    • 2017 (unauthorized disclosure/breach): “South Washington County Schools emailed parents Wednesday with their children’s transportation information for the upcoming school year — and in one attachment mistakenly released data on over 9,600 students and their parents. The document contains student names, home addresses and schools; parent names, phone numbers and email addresses; and student busing information, including pick-up and drop-off time and location and the bus route and description. The release raises student and family safety and privacy concerns.”
  • Teton (ID) School District 401
    • 2017 (phishing): “In light of a new incident in late 2018, it was publicly disclosed that the district had previously fallen victim to a phishing scam perpetrated against the school business manager in 2017.”
    • 2018 (phishing): “The district’s business manager was tricked into directing an electronic school construction payment of over $784,000 to a fraudulent account via an email he received. Upon review, it became clear that the school construction company’s email account had been hacked and the fraudster was posing as a real accounts payable employee from the company. The business manager has been suspended. He previously had fallen victim to a fraud payout in 2017 when he responded to a phishing email from someone posing as the superintendent.”
  • United (TX) Independent School District
    • 2017 (unauthorized disclosure/breach): “The names and social security numbers of employees were made public on a website by managed by the Texas Association of School Boards.”
    • 2017 (other incident): “Two students from United High School placed a device on several of the educators’ computers in May (discovered in August) that recorded information to retrieve passwords. The district reports that students did this in order to access teachers’ files and electronic grade books to change grades.”
  • Victoria (TX) Independent School District
    • 2017 (unauthorized disclosure/breach): “The names and social security numbers of employees were made public on a website by managed by the Texas Association of School Boards.”
    • 2018 (unauthorized disclosure/breach): “Victoria ISD has learned that during the second half of 2017, emails within email accounts belonging to some of its employees may have been accessed without authorization. Some of the emails in those accounts may have contained personal information belonging to former and current Victoria ISD students, applicants, and/or employees. Upon learning of the incident, Victoria ISD immediately reset all affected employees’ email passwords and set up an additional layer of authentication for email access. Victoria ISD also conducted an investigation to determine what information may have been stored in the affected email accounts. The information that may have been impacted includes names, addresses, Social Security numbers, government issued identification numbers, financial account information and/or medical information.”