kept in the dark – 社区黑料 America's Education News Source

Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
Mon, 10 Mar 2025 16:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts.

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers.

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by 社区黑料 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 




The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000.

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers.

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by 社区黑料 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment.

The district didn’t respond to requests for comment for this story.

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed.

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.”

Negotiations with the threat actor are among files obtained by 社区黑料 through a public records request (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene.

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help.

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024.

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event.

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.”

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. 社区黑料 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened?

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants.

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment.

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers.

Renton School District Victim of Ransomware Attack
Sat, 08 Mar 2025 02:02:45 +0000

Threat actors with the ransomware gang Akira listed the Renton school district on their leak site in August 2023, with a threat to leak 200 gigabytes of stolen records, including medical information.

Information about a cyberattack at the district is limited — aside from data breach notices in several states. In to the Maine attorney general’s office, the district disclosed that it suffered a “hacking” incident. On Aug. 3, the district “experienced a network disruption” that rendered its systems inoperable due to “a sophisticated cyber-attack.” Nearly seven months later, on Feb. 29, 2024, school officials began informing individual victims that their Social Security numbers had been exposed in the breach.

In to the Washington state attorney general’s office, the district acknowledged that 771 state residents had their information stolen, including their names, Social Security numbers, banking information, dates of birth and health insurance and medical information. The total number of affected individuals, according to the disclosure in Maine, was 30,373.

School officials couldn’t be reached for comment.

Kept in the Dark: Inside the Minneapolis Schools Cyberattack
Mon, 17 Feb 2025 13:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened.




The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin.

Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by 社区黑料 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.”

The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security.

Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports.

Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter.

The district didn’t respond to requests for comment.

As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by 社区黑料. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack.

“The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.

A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by 社区黑料 through a public records request, provides an early account of the incident. (Screenshot)

Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly.

“Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to 社区黑料’s request for comment.

Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions.

The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.”

Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by 社区黑料, include confidential and highly sensitive records about individual students and teachers.

It wasn’t until September 2023 — seven months after the attack — that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.

“Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

This story was supported by a grant from the Fund for Investigative Journalism.
