Des Moines Public Schools, Iowa’s largest school district, has disclosed a ransomware attack in which the personal information of nearly 6,700 individuals was stolen. The attack occurred on January 9, 2023, and the school received a ransom demand. However, based on the advice of its cybersecurity experts, no ransom has been paid or will be paid in response to the attack.
During the attack, the school suspended all classes for several days starting January 10, after which the incident was investigated. Internet and network services were also subsequently taken offline. Starting June 19, the affected 6,700 individuals will receive letters notifying them of the nature of the breach and of what personal information was exposed.
As a precautionary measure, the school is also providing complimentary credit monitoring services. The letter also explains how to place a fraud alert on their credit file, place a security freeze on their credit file and obtain a free credit report.
The school’s disclosure announcement doesn’t state the exact nature of the attack or the personal details stolen, only saying that “some data was exposed during the attack”. However, there’s no evidence at the time to suggest financial fraud or identity theft resulting from the breach.
Since the attack, the school claims to have taken “immediate steps to bolster the security of its data systems”, while also adding to existing security measures in the form of “technical safeguards” to prevent such attacks from happening in the future.
Des Moines isn’t the only Iowa school affected by a ransomware attack either. The school’s register report published on the day of the attack notes that the Des Moines Area Community College, MercyOne facilities, Cedar Rapids Community School District, Linn-Mar Community School District and Davenport Community School District all faced similar ransomware attacks in 2021 and 2022.