Elmbrook School District Logo
(image source: Elmbrook School District, n.d.)
One-sentence summary:
Wisconsin Elmbrook School District breach by the Vice Society ransomware group took over 6 months to fully investigate and involved all employees with an unknown total.
Who was involved?
Elmbrook School District of Wisconsin, an unknown number of employees, dependents, or students, the Vice Society ransomware group, and the FBI.
What was the timeline?
August 23, 2022: Breach starts
August 27, 2022: Breach ends
September 8, 2022: Elmbrook School District provides initial data breach notice,
February 27, 2023: Elmbrook School District discovers the full scope of the data breach
March 16, 2023: Elmbrook School District develops an updated breach notice
What occurred?
The Vice Society ransomware group, which has been seen in other school attacks (such as against LAUSD in 2022), breached Elmbrook School District in August 2022 and leaked the data on the dark web (Goldbeck, 2022). Elmbrook School District originally reported the threat actor never demanded a ransom or even interacted with the district (Goldbeck, 2022). Elmbrook School District also initially reported the data involved “all active employees,” did not involve social security numbers, and was limited to information such as student educational records (Goldbeck, 2022; Johnson, 2023). However, the information leaked was later clarified to include: “Social Security numbers, driver’s license numbers, state identification number, medical information, financial account number, payment card number, routing number, card CVV/expiration date, medical diagnosis/medical treatment information and health insurance information” (Elmbrook School District, 2023). Employees, dependents, and students were all identified as potential data breach victims (Goldbeck, 2022). Elmbrook School District is still not listed on the Wisconsin data breach portal.
Estimated costs:
Associated incident response costs (albeit mitigated by cyber insurance (SC Staff, 2023)), breach notification costs, operational costs (domain-wide password reset) (Goldbeck, 2022), 1 year Experian IdentityWorks service, M-F call center
Involved laws:
Federal: HIPAA, HITECH, and FERPA
State: Wisconsin: Wis. Stat. § 134.98
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
A 24/7 SOC is a requirement for a modern organization or business. Chief Strategy Officer Chris Thompson said they just hired a “security service firm to provide 24/7 managed services,” essentially implying they did not have a SOC before (Johnson, 2023).
Example solutions
CyberConvoy MDR 24/7 SOC: https://www.cyberconvoy.com/
Sources:
Elmbrook School District. (n.d.). ElmbrookSchoolslogo.jpg. elmbrookschools.org. https://resources.finalsite.net/images/v1533216857/elmbrookschoolsorg/x5mldqs8hp0uobyph9eq/ElmbrookSchoolslogo.jpg
Elmbrook School District. (2023, March 16). Notice of Security Incident – Elmbrook Schools. Elmbrook Schoos. Retrieved April 17, 2023, from https://www.elmbrookschools.org/cyber-notice
Goldbeck, M. (2022). Elmbrook School District hit by cyberattack; student, staff data posted on dark web. TMJ4 News. https://www.tmj4.com/news/local-news/elmbrook-school-district-hit-by-cyberattack-student-staff-data-posted-on-dark-web
Johnson, A. (2023, April 10). Data breach at Elmbrook School District exposes personal information about former and current employees. Milwaukee Journal Sentinel. Retrieved April 17, 2023, from https://www.jsonline.com/story/communities/west/2023/04/10/names-social-security-numbers-exposed-in-data-breach-at-elmbrook/70077855007/
SC Staff. (2023, April 11). Data breach hits Wisconsin school district. SC Media. Retrieved April 17, 2023, from https://www.scmagazine.com/brief/breach/data-breach-hits-wisconsin-school-district
