Ransomware actors steal detention slips in Illinois K-12 hack

A detention slip from 2014 exposed in a recent ransomware attack shows the risks of organizations not deleting or archiving old data.
(Getty Images)

New details on a January ransomware attack on a school district in central Illinois show that while malicious actors were successful in exfiltrating thousands of documents and posting them to a leak site in hopes of extorting the district, most the documents do not appear to be very potent.

According to, a site affiliated with the ransomware gang Vice Society posted more than 3,000 documents taken from the Griggsville-Perry School District, which sits about an hour west of Springfield. But while some of the documents appeared to be enrollment lists showing students names, many more were files related to various school functions that didn’t contain any information that would be considered personally identifying information — like dates of birth or Social Security numbers — under the Family Educational Rights and Privacy Act. (Names that appear on an enrollment sheet without any other data are considered directory information.)

Other ransomware attacks against K-12 districts have exposed students’ and teachers’ personal information, such as a September 2020 incident affecting Fairfax County, Virginia, Public Schools, in which some employees’ Social Security numbers were posted online. And last year, hackers targeting a school district in Allen, Texas, made emailed local parents with threats to expose their kids’ personal information if educators did not pay a ransom.

In the case of the Griggsville-Perry School District, though, the records Vice Society posted seem to be dated — and a bit mundane. Among the documents included in the leak was a detention slip from December 2014, issued to a student who would not stop interrupting his health class.


Disciplinary notes are not covered under FERPA, meaning the school is not obligated to notify a loudmouthed student from nearly a decade ago. But, as reported, it does highlight the risk when organizations don’t remove old data: “It’s a breach that didn’t have to happen if data were routinely purged or moved offline to storage,” the site reported.

Vice Society was first spotted in mid-2021, when Cisco’s Talos Intelligence Group identified it as one of several malicious actors taking advantage of a vulnerability in Microsoft printer software known as “PrintNightmare.” At the time, the group was described as having a knack for targeting the education sector.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts