sensitive data – 社区黑料: America's Education News Source

Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
Mon, 10 Mar 2025 16:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts.

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers.

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by 社区黑料 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 




The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000.

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers.

that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An obtained by 社区黑料 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment.

The district didn’t respond to requests for comment for this story.

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later — that the firm told them a “programmatic review of the files” had been completed.

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.”

Negotiations with the threat actor are among files obtained by 社区黑料 through a public records request (Screenshot)

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).”

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help.

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024.

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

William Tedford, now the Somerset police chief. (Facebook)

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event.

“After a thorough investigation, no charges were filed,” Schoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.”

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. 社区黑料 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened?

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants.

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment.

The district submitted to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers.

Kept in the Dark: Inside the Providence Schools Ransomware Attack
Mon, 03 Mar 2025 11:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive ransomware attack on the Providence, Rhode Island school district.

After the Providence, Rhode Island, school district fell victim to a September 2024 cyberattack by the Medusa ransomware gang, school officials said an ongoing investigation found “no evidence that any personal information for students has been impacted.”




An investigation by 社区黑料, including a review of stolen files captured in the 217-gigabyte leak, indicates otherwise. Sexual misconduct allegations involving both students and teachers, children’s special education records and their vaccine histories were posted online after Providence Public Schools did not pay the cybercriminals’ $1 million ransom demand.

The district’s failure to acknowledge that students’ records had been exposed — even after being informed otherwise by 社区黑料 — means that parents and students were likely unaware that their private affairs had entered the public domain.

In October 2024, Providence schools notified 12,000 current and former employees that their personal information, such as their names, addresses and Social Security numbers, had been compromised. But the letter never makes mention of students’ sensitive records.

In response to 社区黑料’s findings in mid-October 2024, a district spokesperson didn’t acknowledge that students’ sensitive information was compromised. He said the district “has been able to confirm that some [of its] files” were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.”

Meanwhile, in an unsolicited phone call to 社区黑料, a state education department spokesperson appeared to contradict that, saying “no one had actually gone in to see the files.”

Photo illustration of Medusa’s blog counting down to how much time the Providence Public School District has to meet its $1 million ransom demand. (Eamonn Fitzmaurice/社区黑料).

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.”

A single spreadsheet lists the names of some 20,000 students and their demographic information, including disability status, home addresses, contact information and parents’ names. Another contains information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents reveals a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.”

A Providence Public School District student’s vaccine record. 社区黑料 cropped the photo above to remove the student’s name. (Screenshot)

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

Following an investigation published by 社区黑料 and in October, the district to families acknowledging that students’ personal information, such as vaccine records and special education details, were exposed in the attack.

In response to an inquiry from 社区黑料, a district spokesperson said in a November statement that educators remain “committed to transparency and the security of personal information.”

“During these types of incidents, districts typically start with limited information on what occurred and then gain more information over the course of the investigation,” the statement continues. “As we navigated the initial uncertainty of the situation, PPSD prioritized taking real-time action and communicating with all stakeholders as we gathered more information.”

Kept in the Dark: Inside the St. Landry Parish Schools Ransomware Attack
Mon, 24 Feb 2025 11:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana.

The school district in Louisiana’s St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack — long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general’s office.

A December 2023 investigation by 社区黑料 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack. 




Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status.

Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online.

“They want to brush everything under the rug,” said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. “The districts don’t want bad publicity.”

Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary. 

After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district’s supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws.

The front entrance of the St. Landry Parish School Board’s central office. (The Acadiana Advocate)

“We never received reports of the actual information that was obtained,” she said in November 2023. “All of that is under investigation. We have not received anything in regards to that investigation.”

Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general’s office was on the phone with the district, questioning them “directly in response to the article” and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal.

Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark.

Social Security cards, birth certificates and other personal files were among the thousands of records stolen in a cyberattack on the St. Landry Parish School Board. (Screenshot)

School board attorney Courtney Joiner responded a day later to the attorney general’s office, saying they were working “to address the notice issue without further delay.”

In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their “sensitive information may have been obtained by an unknown malicious third-party,” records show. Officials didn’t send a formal notice to the AG’s office until Jan. 10, 2024.

Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter “well after the fact” she and her colleagues had been victimized.

“I really thought it was too little, too late,” she told reporters. “This should have happened much earlier.”

School officials couldn’t be reached for comment for this story.

This story was supported by a grant from the Fund for Investigative Journalism.

Kept in the Dark: Inside the Minneapolis Schools Cyberattack
Mon, 17 Feb 2025 13:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on Minneapolis Public Schools.

Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district’s computer network, accessing reams of students’ and educators’ sensitive information, officials contacted the FBI and laid out what happened.




The district “immediately initiated an investigation” after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker’s demand for $4.5 million in bitcoin.

Yet when school officials notified students and parents, they vaguely described what happened as an “encryption event” and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by 社区黑料 through public records requests, the district told families in a Feb. 24 email that its investigation “has found no evidence that personal information was compromised.”

The statement was sent after cybersecurity experts advised district communications staff that “sharing the least amount of information” as possible was “in the best interest” of district security.

Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what’s known as a “double-extortion” scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports.

Minneapolis school leaders didn’t acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter.

The district didn’t respond to requests for comment.

As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. 

An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by 社区黑料. The cyber insurance provider will “facilitate breach counsel and forensic investigation teams,” the plan notes, and deploy “experienced negotiators” to communicate directly with the hackers. The policy also states it would cover the district’s liability for bad press, fines and “regulatory proceedings” related to a cyberattack.

“The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,” the plan notes.

A Federal Bureau of Investigation report submitted in response to the Minneapolis schools ransomware attack, obtained by 社区黑料 through a public records request, provides an early account of the incident. (Screenshot)

Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a “privileged investigation,” according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly.

“Per [Minneapolis Public Schools’] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,” according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn’t respond to 社区黑料’s request for comment.

Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed “the world’s most profitable spy organization.” The researchers prepared “a report detailing the forensic analysis process and analysis” at Mullen Coughlin’s direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went “through the list of what TA [the threat actor] might’ve accessed,” and answered questions.

The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the “Medusa contact team,” urging the person to respond to the threat actors immediately or else “we will ensure your popularity.”

Sensitive files about Minneapolis students’ adverse experiences were among the stolen records uploaded to the Medusa ransomware gang’s leak site. (Screenshot)

In March, Medusa ransomware actors posted the district’s stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by 社区黑料, include confidential and highly sensitive records about individual students and teachers.

It wasn’t until September 2023 — seven months after the attack — that 105,617 people were notified the “hacking” incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general’s office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.

“Although it has been difficult to not share more information with you sooner,” the letter to victims notes, “the accuracy and the integrity of the review were essential.”

As of Dec. 1, 2024, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

This story was supported by a grant from the Fund for Investigative Journalism.

Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks
Mon, 10 Feb 2025 13:30:00 +0000

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about America’s second-largest school district.

The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online. 

Three subsequent class-action lawsuits from parents accused the nation’s second-largest district of taking inadequate steps to protect their children’s personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view.




The trio of events encompass a September 2022 ransomware attack that exposed students’ highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records.

Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An told the local press that students’ psychological evaluations were included in the leak, a revelation Carvalho refuted as “absolutely incorrect.”

Los Angeles schools Superintendent Alberto Carvalho (Getty Images)

“We have seen no evidence that psychiatric evaluation information or health records, based on what we’ve seen thus far, has been made available publicly,” said Carvalho, who acknowledged the hackers had “touched” the district’s massive student information system but said the “vast majority” of exposed student records involved their names, academic records and home addresses.

An investigation by 社区黑料 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that “approximately 2,000” student psychological evaluations — including those of 60 current students — had been uploaded to the dark web.

In a statement to 社区黑料, a district spokesperson said its cybersecurity response protocol “follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.” The process, the district said, is “designed with transparency, compliance and community trust in mind.”

Due to the sensitive nature of the information, students may have to “deal with this breach for the rest of their lives,” attorney Ryan Clarkson told 社区黑料. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students’ personal records had been compromised.

“It’s hard to bury it, it’s hard to get away from it, it’s kind of part of who we are,” Clarkson said in an interview. “Your psychology as a child is always going to be your psychology as a child.”

While the parents of special education students had been left in the dark about the breach, so too were members of the district’s special education committee. Carvalho acknowledged at a September 2022 that L.A. Unified was a “district under siege” and sought to “dispel rumors” about the incident, including one that multiple attacks had occurred. He didn’t make any statements regarding the impact on sensitive special education records.

Carl Petersen, who served on the committee at the time, told 社区黑料 that Carvalho left the committee members without information about the attack’s ramifications on children with disabilities.

“At that point it was, ‘Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,’” said Petersen, who described Carvalho’s comments as part of a larger district effort to obfuscate.

In January 2023 — four months after the attack — L.A. school officials acknowledged in that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn’t until March 2023 that they disclosed to state regulators the leak had also compromised .

The letter submitted to the California AG’s office doesn’t make clear the types of student records that were affected but urges individuals to “keep a copy of this notice for your records in case of future issues with your child’s medical records.”

社区黑料 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho’s communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any “non-privileged responsive records,” meaning that they didn’t have to provide any of the records that were responsive because they were legally protected from disclosure.

A week after it was discovered, the school board to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to “enter into any and all contracts” to address the incident “without advertising or inviting bids and for any dollar amount necessary.”

‘Shared with the world’

In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data.

Homeland Security Secretary Alejandro Mayorkas, Education Secretary Miguel Cardona, and First Lady Jill Biden depart a back-to-school K-12 cybersecurity summit at the White House on Aug. 8. (Getty Images)

“If we want to safeguard our children’s futures, we must protect their personal data,” she said at the first-ever K-12 cybersecurity summit. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”

Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn’t touch on the leak of students’ mental health records but said the number of stolen files “could have been much worse” had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because “we don’t negotiate with terrorists.”

Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she’s worried that fallout from the data breach could divert money from the services her children with disabilities need.

“I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,” said Harman-Holmes, while acknowledging it “would be very disturbing” if her own child’s psychological evaluations were leaked online.

As L.A. Unified’s response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district’s mitigation efforts weren’t just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students’ sensitive records and failed to provide enough notice to victims once that information was stolen.

An inspector general’s office audit highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students’ psychological records and other files were published online.

The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district’s primary student data portal. The district “has stated under oath in discovery responses” that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs.

Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide “prompt and accurate notice of the data breach.”

The breached portal “is currently the largest student data system in the United States,” the 162-page complaint notes, yet district officials “prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.”

One district, three breaches

Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general’s office in May 2022, some unfolded. The report doesn’t disclose the types of information that were exposed or the number of students who had been affected.

Then, in June 2024, a threat actor who goes by the name “the Satanic Cloud” posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as “Sp1d3r” similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag.

The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn’t disclose the name of the vendor or the types of records that may have been compromised.

The district denied a public records request by 社区黑料 seeking information related to the incident, saying that certain files were protected by attorney-client privilege. 

The incident doesn’t appear in a California attorney general’s office database of data breaches.

This story was supported by a grant from the Fund for Investigative Journalism.
