Students holding leaked documents warned of disciplinary action

0
Students holding leaked documents warned of disciplinary action
Acting Superintendent Gaurav Passi sent a cautionary email to the community, warning students who held school files posted online by hackers they could face disciplinary action.

BY THE ISLAND NOW STAFF

District officials warned Manhasset students who held or shared files posted online by hackers they could face disciplinary action, in an email sent to parents Saturday afternoon.

Among the files now on the web are documents describing a series of sexual harassment allegations between 2006 and 2008.

After students reportedly passed around an unspecified file, Acting Superintendent Gaurav Passi sent a cautionary email to the community and notified the Department of Homeland Security.

“We received troubling information that some Manhasset students were in possession of and were circulating a stolen confidential memorandum,” Passi wrote. “We have alerted Homeland Security and law enforcement authorities of the circulation of the stolen file. Please note, possessing and circulating stolen files is a serious violation of the Manhasset Public School’s Code of Conduct and may result in disciplinary action.”

Manhasset Schools has spent weeks recovering from a September ransomware attack in which hackers left the district without Wi-Fi for days.

In October, cybercriminals published hundreds of stolen district documents online. Among them were files detailing three sexual harassment investigations, as well as the 2014 reprimand of a former middle school teacher.

One file documented the 2008 investigation of a district employee, who personnel records show currently works at the secondary school, allegedly telling a female colleague her “breasts were so hard it looked like no one had sucked on them.”

The female colleague told investigators that when another male colleague confronted the alleged harasser, he replied he didn’t have to respect her because she was Hispanic and not married, according to the document.

The investigator wrote the allegations made by the female were found, and the comments were corroborated by another employee.

The investigation also recorded allegations of the male slapping another female colleague’s rear twice in front of several other employees. Those charges could not be substantiated by the investigator, according to the document.

Manhasset School District’s public relations firm, Syntax, did not respond to questions about disciplinary actions taken against the alleged harasser.

Also posted online were files containing social security numbers, drivers’ licenses, passports, student grades and home addresses. In a previous email, the district committed to providing complimentary credit monitoring for affected individuals.

“The intrusion into our network was deep, the files stolen were voluminous, and some files contain sensitive information regarding certain students or staff,” Passi wrote. “We share your outrage about this invasion of privacy.”

Cybersecurity experts say the district’s ransomware attack is not an isolated incident, as universities and local school districts have become “juicy targets” for cyber extortion.

“What we’re actually noticing in research is that there is a business cycle starting to emerge with this,” said Scott Jeffreys, associate professor of computer science at Hofstra University. “Right now is a very hot time for cybercriminals to be launching these kind of spear phishing attacks against organizations.”

The most common method of cyber-attack is spear phishing, where individuals might not question the source of an email and inadvertently disclose credentials, allowing bad actors to log into the computer network, Jeffreys said. Even with good training, employees can still fall victim to convincing communications.

“The whole purpose of an attack like this is to create panic,” Jeffreys said. “The greater the value of the mined assets, in this case passports, drivers licenses private information, the more value that might have on the dark web of the internet for a resale, or the more embarrassment it may create for the school district to encourage them to potentially pay more quickly.”

Passi implored parents to speak with their children about the potential harm of circulating stolen information, arguing that “spreading it through the community compounds the harm done to the members of the community by the criminals who perpetrated this crime.”

Manhasset is continuing to cooperate with law enforcement agencies, including the Federal Bureau of Investigation, according to the email.

No posts to display