Hackers claim to steal 110,000 SSNs from Tenn. school system

Close to 9,000 SSNs belonging to students, employees publicly posted

A hitherto unknown hacking group claimed responsibility for a hacking attack on a county school system in Tennessee that may have exposed the names, Social Security Numbers and other personal data belonging to about 110,000 people.

The group, which called itself Spex Security, later posted 14,500 of the compromised records online and has threatened to post more. Those affected by the breach include an unknown number of former and current students and employees of the Clarksville-Montgomery County (CMCSS) School System.

In a message on Pastebin.com, an individual who appeared to be a member of the group suggested the intrusion at CMCSS was carried out as retaliation for its "belligerence."

"To be clear here, we gave Tennessee a chance to comply and they didn't, therefore, this is the consequence they'll have to swallow," the rambling message stated.

"Our primary suspects include the U.S Government for torturous and deceptive acts on our own soil, the Educational system for exuberantly being blown-over and belligerently not patching the holes in their system, and anybody else who partook a role in the Murder of America."

Elise Shelton, a CMCSS spokeswoman, said school system officials learned of the breach from the Clarksville Police Department, which received a tip from a caller.

The school system was able to confirm the breach on Monday and immediately took the site offline, she said. As of Wednesday afternoon, the main CMCSS.net site was still down, and there was no indication of when it will be restored, she said.

Investigators are still trying to determine what happened and it is not yet clear when the breach might have occurred or how it was done, Shelton said. It is also not immediately clear whether all the records that the hackers claimed to have accessed came from the CMCSS system, she said.

For the moment, the school system is assuming that records on an unknown number of its former and current employees and students have been breached. CMCSS has contacted all 4,000 or so of its current employees and roughly 31,400 enrolled students about the potential breach of their Social Security numbers and other personal data.

The real challenge is in notifying former employees and students, Shelton said. The CMCSS is actively engaged with local news media to try and get the word out. About 8,000 of the affected students are "military-dependent" children from the U.S. Army's Fort Campbell, located on the state line between Tennessee and Kentucky. CMCSS authorities are working with the military to find a way to communicate details about the breach to military families whose children may have been affected, she said.

"We are working as quickly and as carefully as we can," to restore the school system's web presence and to contact all those potentially affected by the breach, she said.

Meanwhile, Identity Finder, a New York-based company that provides software for redacting, deleting or otherwise protecting Social Security numbers and other sensitive data from laptops and desktop computers, said Tuesday that it has discovered close to 9,000 unique Social Security numbers related to the breach.

Of those, 4,942 numbers appear to belong to school district employees and 3,977 are those of students, the company's chief privacy officer Aaron Titus said Wednesday. In all cases, the full names and student IDs or employee IDs of those affected were also released. About 1,300 of the records also contained the gender and dates of birth of the students. The files containing the information appear to have been taken offline by authorities, he said.

According to Titus, Identity Finder has been keeping an eye out for the information since June 6, when a hacker the company monitors tweeted about plans to release more than 100,000 state records. The hacker later posted redacted images of files obtained from the CMCSS system but initially vowed not to publicly release the information.

That changed in less than 24 hours, and the information was publicly released, Titus said. Titus said he contacted Clarksville police on Sunday after discovering the information posted online.

"Clarksville's response is to be commended," Titus said. "They were very responsive and took every reasonable precaution once they knew they had a problem," he said. It's unclear if the hackers plan to release any more of the information they claim to have purloined, he added.

A Twitter account that appeared to belong to Spex Security seemed to reflect some uncertainty on the part of the hackers after the incident. Three hackers who appeared to have been behind the intrusion and release of information at CMCSS claimed they were retiring from black hat hacking and had become white hat hackers instead.

"We are gone! Tada" one tweet proclaimed, only to be followed by another one a few hours ago, announcing, "We're back."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
