Great Valley School District Faces Severe Cybersecurity Incident
The Great Valley School District has recently experienced a significant cybersecurity breach that resulted in a ransomware attack. The district’s servers were compromised, leading to the unauthorized extraction of sensitive data.
Great Valley is a school district located in Malvern, Pennsylvania, comprising 6 schools (Grade Span KG-12). The data below is taken from the website of the National Center for Education Statistics (NCES) and refers to the academic year 2022-2023.
- Charlestown Elementary School, total students 371 (Grade Span KG-5)
- General Wayne Elementary School, total students 623 (Grade Span KG-5)
- Great Valley High School, total students 1402 (Grade Span 9-12)
- Great Valley Middle School, total students 1085 (Grade Span 6-8)
- Kathryn D. Markley Elementary School, total students 629 (Grade Span KG-5)
- Sugartown Elementary School, total students 496 (Grade Span KG-5)
Counting students alone, more than 4,600 students from the Great Valley School District may have had their identities stolen. In addition, according to data reported by the NCES, we must also include at least 500 staff members of the School District whose PII and PHI may have been stolen.
The cybercriminal group known as Medusa Team has claimed responsibility for the attack and provided evidence by releasing 25 files containing comprehensive information. This data includes full names of students and staff, addresses, dates of birth, phone numbers, complete email addresses (including personal ones) with clear-text login passwords.
In the ransom demand, the attackers are asking for $600,000 in cryptocurrency to prevent the publication of the stolen data on their website within a week.
From the information we have gathered, it appears that a negotiator from the Great Valley School District contacted the Medusa Team through the chat opened by the cybercriminals. We know that the School District refused to pay the ransom.
As reported by the School District in a statement on its institutional website, the cyberattack on its computer network occurred between October 31 and November 10. In addition to the sensitive data previously described, the statement indicates that Social Security numbers, driver’s licenses, and medical information may have been exfiltrated.
However, one aspect of this incident remains unclear to us. We were able to examine some files published by the Medusa Team and can confirm that among them is at least one medical document belonging to a woman. What we find perplexing is not the presence of unprotected medical data on the School District’s servers, which is a serious matter in itself, but rather whose data it is.
We came across a folder containing clinical exams conducted in April 2023 at the Manatee Memorial Hospital (MMH) Emergency Room in Bradenton, Florida. They belong to an 88-year-old woman residing in Bradenton, Florida. Why were these data, which we present below with the woman's name redacted, on the servers of the Great Valley School District within these directories? In addition to the laboratory medical exams, we found information pertaining to the woman's 2022 tax return. For these data we pose the same question: is it appropriate for them to be present on a computer of the Great Valley School District?
Great Valley School District\GVSD_2\[EDITED] Fax.docx
Great Valley School District\GVSD_2\[EDITED]Fax042423.pdf
Great Valley School District\GVSD_2\[EDITED]_04_17_23 ER Lab Results.pdf
Great Valley School District\GVSD_2\[EDITED]_1099INT,2022_Citizens.pdf
Great Valley School District\GVSD_2\[EDITED]_1099R,2022_Citizens.pdf
The only positive aspect of this situation, in our opinion, is the promptness with which the School District informed the individuals affected by the data breach, providing them with useful information.
Despite this, we have once again witnessed poor management of sensitive data protection: data that should be protected is instead handled with negligence. How many more cases like this must we be forced to read about before someone decides that the current laws adopted by almost all American states are often ineffective and unsuitable for combating cybercrime? Or perhaps there is still a belief that the likelihood of someone infiltrating their computer network is very low?
These institutions, especially if public, should be asking themselves various types of questions, the same questions we have been posing for several years now: “How can we make our computer systems more secure? How should a computer network be properly configured? What data can reside on an online server, and what must be kept absolutely offline?” Additionally, “Which data should be preserved, making them inaccessible in the event of a cyberattack?”
These are questions we tend to answer only when it’s too late. Investing money in cybersecurity and providing ongoing training to staff is never a waste of time or resources. Occasionally, the staff should be reminded that it is not wise to “store” private files on school servers.
We have sent two emails to the Great Valley School District, with recipients including the offices of the Superintendent and Media Inquiries/Communications, requesting a statement on the matter in light of the documents we had the opportunity to review. However, no response was received before the publication of this article.
SuspectFile will update the article in case of new developments.