TUSD’s Cyber Shutdown: TUSD confirms hackers accessed sensitive staff data

Published: Apr. 4, 2023 at 10:58 AM MST|Updated: Apr. 4, 2023 at 6:56 PM MST

TUCSON, Ariz. (13 News) - In a major development in the TUSD ransomware attack in late January, the district now has confirmed the hackers accessed sensitive information.

The cybercriminals warned the district that they had staff and students’ confidential files and TUSD had to pay a ransom to get it all back.

The threat came by way of an email -- days after the ransomware attack.

The feds identified the relatively new group of experienced hackers as “Royal,” whose members claim to steal sensitive data for double-extortion attacks.

The feds report payment demands from Royal have ranged from $250,000 to $2 million.

The superintendent confirmed the hackers got their hands on staff’s sensitive information.

Four days after TUSD’s “brutal” ransomware attack, on Feb. 3, Royal sent an email to about 150 staffers titled “Data Leak Urgent.”

Royal wrote, “Hello guys, Hope you just missed the fact that we have stolen up to 290 GB (about 399K+ files) of your corporate data including *all personal students info, passport, SSN, driver’s license, birth certificate and much much more.”

Cybersecurity expert Victor Wieczorek of Guidepoint Security told 13 News Investigates that hackers like to showboat.

13 News Investigates asked, “Do we believe them? Are we supposed to believe them?”

Wieczorek said, “They certainly want us to believe them.”

And in case the district didn’t, Royal wrote, “see proofs in the attachments.”

The emails included six PDF files with student names followed by “Passport.”

13 News Investigates has been able to identify only one name through an online search, which was a former TUSD student.

Wieczorek said, “Could it be overblown? Could some of those files be nothing? Of course, of course they can, but that doesn’t mean we should throw the baby out with the bathwater.”

Royal warned TUSD, “Just imagine what will happen if such data leak into the internet.” “Hurry up.”

The Royal email also offered, as further proof, internal links to financial files.

Some links included names of current staffers.

That same day the district informed the entire staff about the “Data Leak” email and said it “launched an investigation to determine if the information is ‘real and accurate.’”

The district then encouraged staff to “remain vigilant in reviewing their financial account statements for fraudulent activity” and “consider free fraud alert or security freeze on credit files.”

Rabih Hamadeh, the Executive Director of Technical Services for the district, told the board and public last month, “There’s no proof that there’s any sensitive data regarding our students or teachers or others that had been leaked.”

But Superintendent Dr. Gabriel Trujillo has now confirmed Royal got its hands on at least staff information.

Trujillo sent a notification late Friday, March 31, to the TUSD community.

“We have reached a point in our investigative efforts where we can confirm that employee information of a confidential and sensitive nature was accessed by the cyber-attackers.

“Our cyber-security forensic experts are working to confirm the extent to which this information has been stolen, sold, or published online.”

Trujillo wrote, “If the investigation by the experts determines that confidential information was compromised, then the affected employee will receive individual communication on behalf of Tucson Unified.”

But what about the parents and students?

Royal stressed it had all personal student info.

Wieczorek said that without proof the hackers don’t have all of it, you have to assume they do.

“We all have to go on the assumption that our data has been lost one way, shape or form and it’s a terrible reality to live in,” he said.

What about the ransom demand? Did the district pay it?

Again, Royal is known for double-extortion attacks. There’s no word on the exact amount Royal has demanded, but TUSD Executive Director of Technology Services Rabih K. Hamadeh did give 13 News an answer about the payment.

“We did not negotiate with that group and we did not pay the ransom,” Hamadeh said. “Instead, we’ll spend the money on protecting our users.”

The feds urge organizations not to cave in and give the cybercriminals what they want.

Wieczorek said some decide to pay -- some don’t.

“Certainly we see a lot of organizations decide to pay the ransom and obviously some have decided not to,” Wieczorek said. “Every organization is unique and there’s certainly no right answer.”

13 News Investigates reached out to the district for an interview with Trujillo.

Trujillo declined to sit down with us but is providing us with interviews with the district’s IT executives.

13 News Investigates will keep you updated on this development as we continue our investigative series TUSD’s Cyber Shutdown.