
Cyber crime: TCAPS hack led to online posting of employee data

TRAVERSE CITY — On April 15, about three weeks after the Traverse City Area Public Schools reported a “network disruption” that closed schools for two days, a cybersecurity research firm in England reported the alarming news that a shadowy group of hackers called the Medusa group had penetrated TCAPS’ computer network and was demanding $500,000 in ransom.

Responding to the report, TCAPS Superintendent John VanWagoner issued a carefully worded statement on April 16 in which he declined to confirm the report by the research firm Comparitech that Medusa had hacked TCAPS’ network. He also declined to confirm Comparitech’s report that Medusa had threatened to publish or sell the data if the district failed to pay up.

“We are currently investigating whether personally identifiable information was potentially impacted,” VanWagoner wrote. “Should we discover individuals’ personally identifiable information was potentially impacted, we will notify those individuals directly.”

He added: “I would like to again stress that, to date, TCAPS has no reports of identity theft or fraud arising out of the incident.”

That changed on May 2, when a TCAPS employee whom VanWagoner would identify only as “a building staff member” contacted the superintendent and told him that her husband had found personal information about TCAPS employees posted on the dark web, a hidden part of the internet that’s only accessible via specialized web browsers.

VanWagoner said he immediately referred the woman’s husband to Arctic Wolf, an international cybersecurity firm that has been retained by the district’s East Lansing-based insurer, SET SEG, to investigate the crime.

Two weeks later, on May 17, VanWagoner sent an email to TCAPS’ 932 employees, informing them that personal information about some — or all — of them had been published by the hacking group.

“Recently, TCAPS discovered that some employee personal information stored on its servers was published online by the unauthorized actor as part of the underlying cyber incident,” VanWagoner wrote. “We are . . . working with professional partners who are investigating whether other personally identifiable information was potentially impacted. Any individuals whose personally identifiable information was potentially impacted will be notified directly with detailed information.”

The email included information on how to place a fraud alert, obtain a free credit report and put a security freeze on a credit file.

VanWagoner said the employee and her husband declined an interview request from the Record-Eagle. He also declined the newspaper’s request for an interview with TCAPS IT Director Evan OBranovic, saying that only he, as superintendent, is authorized to speak publicly about the hack.

Asked whether he is confident that the hackers only stole employee data and did not access student records, VanWagoner said, “I’m confident in none of it . . . but I’m hopeful that is the case.

“I’ve seen no evidence of that to this point, but that doesn’t mean tomorrow – from a data-mining standpoint – that they (Arctic Wolf) won’t find it and we have to notify people.”


Nicole Hooper, whose son is a 16-year-old sophomore at Central High School, has followed stories about the hack and she’s also hopeful that student data wasn’t stolen. The thought that a group of hackers could be so ruthless as to publish personal data about her son and other children in the district, if TCAPS refuses to pay the ransom, terrifies her.

“Sometimes no news is good news, but I don’t know if that’s the case,” she said.

VanWagoner would not discuss Medusa’s ransom demand other than to say that the hackers placed automated phone calls to OBranovic and other district officials saying, “Tell your administrators to call.”

Asked whether the district has paid the group any money or whether it has told the hackers TCAPS will not pay the ransom, he said only that any payment over $25,000 would have to be authorized by the TCAPS Board of Education in a public session. The board has taken no such action thus far.

A hack of the Minneapolis Public Schools last year serves as a chilling example of the Medusa group’s malevolence.

In March 2023, after the Minneapolis schools refused to pay a $1 million ransom demand, Medusa released a huge trove of highly sensitive documents that detailed “campus rape cases, child-abuse inquiries, student mental health crises and suspension reports,” according to a lengthy story in The 74, a nonprofit news outlet that covers education.

And instead of publishing the information on the dark web, Medusa ensured that the Minneapolis students’ files were able to be accessed “with little more than a Google search,” The 74 story said.

A report by Palo Alto Networks’ Unit 42, which has done extensive studies of how Medusa ransomware has turned its victims’ files “into stone,” noted that the group brazenly publishes a Medusa Blog, which provides a synopsis of each hack; a “price tag” identifying the amount of money the group is demanding; and a countdown (in days, hours, minutes and seconds), informing the victim how much time it has before the information is released.

Medusa Blog posts — which the group publishes on the dark web under the .onion top-level domain (instead of .com, .net, etc.) — also include buttons that allow victims to add a time extension to prevent the publication of data and to request a data deletion or a download of the data.


Medusa’s blog post about the TCAPS hack claims the group stole a staggering 1.2 terabytes of information. According to Dropbox.com, 1 terabyte is the equivalent of 1 trillion bytes, which equates to 1,300 filing cabinets of paper documents.

If that’s the case, it’s unlikely that the data does not include student information, according to Thomas Holt, a professor in the School of Criminal Justice at Michigan State University. Holt’s research focuses on computer hacking, malware and the role of the Internet in facilitating crime.

“It’s possible that they only breached certain parts of the network, but we won’t really know until we know,” Holt said. “My guess would be that it’s possible that student data will eventually be revealed (to have been stolen), but it’s also possible that it may have only affected faculty employees.”

Holt said ransomware attacks that result in the theft of deeply personal data about children — as opposed to the theft of Social Security or credit card numbers — are particularly challenging.

“There isn’t much that I’m aware of at the moment for strategic management of the loss of personal information like this,” he said. “From a parental perspective — and this is something I struggle with because I have two elementary school-aged kids — in the event that their school was compromised, the best that you can do is put some kind of fraud alert onto their credit histories.

“With young kids, that’s not much, but it’s really the only productive effort you can take at the moment.”

Asked how groups like Medusa are organized and operate, Holt said they tend to reside in Russia or former Soviet bloc countries “where the likelihood of extradition is non-existent or very low.”

“What we tend to see with groups like Medusa is three segments of operations,” he said. “There’s a sort of advanced recon team that does the target management and figures out how they’re going to attack it (the target). Then there’s the actual penetration team that manages the ransomware. And then there may be a separate negotiation team or back-end communication team that deals with the ransomware event.”

Combating these robust criminal shakedown enterprises is a vast network of cybersecurity firms and “ransomware negotiating services” that often are able to persuade the extortionists to reduce their demands, Holt said.

“You should know that most ransomware payments are not for the original amount,” he said. “So you need to hit as many targets as you can . . . to make sure that everybody is getting paid.”


Appointed superintendent in 2020 after serving as superintendent of the Alpena school system for four years, VanWagoner says the March 28 ransomware attack is one of the most difficult issues he has dealt with in his career.

He finds himself in almost a no-win situation. On one side are parents, students and employees who want to know immediately whether their personal data has been compromised. On the other side are lawyers representing SET SEG and the Thrun Law Firm, which represents TCAPS, who are jointly micromanaging every word he utters about the hack.

“It’s a scary, scary world,” VanWagoner said, noting that Medusa’s victims include large corporations like Toyota. “They have much more resources . . . than we do and they weren’t able to stop them.

“That’s what worries me the most. I don’t know that anybody’s safe in this environment. When multimillion-dollar national companies are not able to stop their stuff from being stolen, what’s a school district with minimal resources . . . to do?

“You never want people to be hurt,” he said. “You don’t want kids hurt, you don’t want staff hurt – and this is a different level of hurt. For years, we worried about physical safety. This is my 27th year in education and it’s changed so much.

“I used to say that the No. 1 thing as an educator that I worried about was academic achievement. And then all these things happened and now I say the No. 1 thing I worry about is student and staff safety.

“And this is now another layer of safety to worry about.”
