MINNEAPOLIS — Minneapolis Public Schools is responding to reports of even more vulnerabilities in its computer systems.
This comes after hackers dumped 300,000 sensitive files online last spring when the district failed to pay a $1 million ransom.
District officials says what happened recently wasn't a hack, writing in a statement, "The students were able to do this because they are part of the MPS system. They weren’t flagged as intruders because they are part of our system."
The two students are sophomores who used a mass email last month to point out problems with the school's technology and in it — a 20-page report that used a "Rickroll" prank to get everyone's attention.
To know what "Rickrolling" is is to know the old, 1987 hit by Rick Astley. It's a bait and switch prank that usually includes hyperlinks. The students wrote in the report that the gag was a "funny and harmless way to reveal it all."
"In a way, I was really proud of our students for bringing light to something I think we all knew, and at the same time, if our students can do it, who else can?" said president of the Minneapolis teacher's union Greta Callahan.
Callahan was one of thousands who got the email that was sent just four months after news broke of a much more serious breach.
"We deserve better and so do our kids," said Callahan.
In March, when the district acknowledged hackers dumped all those files online, they included union grievances, civil rights investigations and even assault complaints.
Critics are saying that officials failed to follow through on its promise to contact victims, like Callahan, who paid for credit monitoring after her social security number was released.
"In addition, I have thousands of members who have had to spend countless hours freezing their credit, fixing issues that have arisen because of this, making sure they are safe and that they're family is safe because there's a lot of long term damage that can come from this," said Callahan, even asking if the district would compensate staff for the trouble. "And so far, it's been a no."
Schools are particularly vulnerable to hacks due to a lack of IT staff and funding. Minnesota, though, is getting $23 million over the next four years as part of the Local Cybersecurity Improvement Act. Some 3,600 local organizations will be eligible to soon start applying for the funding to upgrade its infrastructure.
"I don't think this is unique to Minneapolis at all," said professional hacker and Minneapolis school parent Ian Coldwater, who says the battle against cyber criminals is an uphill one.
"Ransomware operators will target and attack whatever they can get ahold of," said Coldwater. "This is a thing that happens all over the place from Fortune 500 enterprises right down to your tiniest local DMV."
In this latest case, the students said the ransomware attack inspired them to investigate other potential problems. They found it included access to photos, usernames, printers and software — all while they carefully redacted private information, even suggesting certain fixes throughout the report.
"Let's talk about funding these local schools, let's talk about funding these IT departments, giving them the resources to be able to fight against stuff like this, because they really do have their work cut out for them," said Coldwater.
Callahan is even more concerned that the district's other shortcomings, from vacancies to a ballooning deficit, makes schools even more vulnerable.
"When we don't have those things in place, a lot of things behind the scenes are also falling apart," said Callahan.
District officials also said that many of the items the students identified in their report are already included in its "security roadmap". The statement went on to say, "Further certain items mentioned in the report were specifically set up to achieve various educational purposes, which present a limited level of risk in consideration of the benefits they will bring to student learning.
Two things are important to know about this incident:
1. The students were able to do this because they are part of the MPS system. They weren’t flagged as intruders because they are part of our system.
2. The ESD Portal referenced is being replaced this summer with a new, more modern portal. The vendor for the current portal has been notified to provide a fix in the short-term.
We continue to monitor and scan for security issues and address them on an ongoing basis based on priority and potential risk, including through layered security that addresses possible issues at multiple levels.
MPS, like the industrious students involved in this incident, want everyone to know the importance of safely using and accessing technology.
Watch more Breaking The News:
Watch all of the latest stories from Breaking The News in our YouTube playlist: