Oct 07 2017
 

Some of you will likely only know me as “Dissent,” the privacy advocate and blogger who publishes this site and DataBreaches.net.  Some of you may know me under my real name  as a licensed psychologist in clinical practice, an author, and as a former consultant to school districts.  It is not often I put on my professional hat when writing this blog, but there’s a potential privacy nightmare on the horizon for school children in this country, and I want to make sure my readers understand how serious this is.

Image credit: @chrisharvey

An untold number of K-12 students are at risk of experiencing significant psychological harm because the most sensitive information in their school records may be dumped publicly at any moment by hackers whose extortion demands have not been met.

Over on DataBreaches.net, I have reported on a group of hackers who call themselves “TheDarkOverlord.” That they are hacking and attempting to extort the organizations they hack is nothing new. What is new, however, is that they’ve attempted to up the pressure on their latest victims – school districts – by not only acquiring the most sensitive student records – psychological evaluations, psychological reports, medical reports, counseling records, etc. – but by threatening to publicly dump those records.

If they do that, the embarrassment and/or stigma that some students may experience may be so severe as to drive vulnerable students into deep despair and possible self-harm. In other cases, it may make children the targets of violence associated with bigotry or other issues.

Could the hackers be bluffing about possessing the records and potentially dumping the records? I’ve followed these threat actors’ activities for more than one year now.  There is no doubt in my mind that these are credible threats.

Lest there be any doubt: the point of this post isn’t to suggest that the districts pay any extortion. The point of this post is to assume that the districts will refuse to be extorted and therefore need to figure out how to support their students through what may be a very difficult time. Because although school districts have understandably focused on other – albeit less credible – threats the hackers have made such as threats of physical violence, it is not clear to me what the victim districts are doing to prepare their students for the possibility that their most sensitive information may be exposed maliciously at any moment.

Think about the revelations about your child that may be in a school psychologist’s or school nurse’s records. Could there be any notes about counseling for gender identity or sexual orientation issues? Could the child have spoken with the school about having been abused in their home or having been bullied by named peers? Are there any notes about substance abuse or other issues in the home? Could the student have told a counselor that they are attracted to a same-sex peer who might be very embarrassed to hear that?

Now imagine it’s all dumped publicly – exact quotes from the school psychologist’s records naming the student with quotes from the student or descriptions of the issue – or the psychologist’s assessment that the student may be at risk of self-harm.

How will that student feel when all his/her peers see and read all that online?

We already have what may be half a dozen victim districts whose students are now at risk of having their sensitive information exposed by the hackers (we know about three districts for sure, but there are hints from law enforcement that there are others, too).

What should those school districts do?

Should the schools not prepare the students at all for this because they might be worrying them needlessly and the nightmare might never happen?

Should the districts prepare all students and talk about how to support each other when  unpleasant or unacceptable details may be revealed? Can we immunize students somehow to what may happen and give them tools and an opportunity to stand up to bullies by supporting each other?

What should the schools do?

If your child’s district hasn’t been hacked already by these blackhats, then maybe you have time to save your own children. Contact your district and tell them that records with sensitive personal information should not be connected to the internet at all. There are basic security principles that k-12 schools have not adhered to, and they need to adhere to them. Perhaps we cannot stop schools from collecting all the sensitive information they collect, but we had damned well better insist that they protect it better than they have done so far.

In the meantime, a privacy nightmare is looming. What are the districts doing?

 

 
