Colorado Politics

JeffCo Schools hacker demands money, threatens to release stolen data

The hacker group SingularityMD threatened to upload sensitive employee and student information to the dark web if JeffCo Public Schools didn’t pay a $15,000 ransom in cryptocurrency, The Denver Gazette has learned.

“Your overall approach to cyber security is too relaxed,” Anihi Blep, likely an alias, wrote in an Oct. 31 email to several district executives, including Superintendent Tracy Dorland.

Hundreds of parents received a copy of the email from the hackers.

According to emails obtained by The Denver Gazette, the hackers gave district officials until 5 p.m. on Nov. 7 to comply.

With the deadline quickly approaching, the hackers emailed district officials shortly before 4:30 on Nov. 7, reducing the extortion amount to $2,000.

“The deadline is fast approaching,” Anihi Blep wrote. “Your team is still resetting passwords and has not reset them all as yet.”

It’s unclear whether the district paid the ransom.

Kimberly Eloe Mahugh, a district spokesperson, declined to comment. She previously directed The Denver Gazette to an online statement, which was updated earlier this week.

According to the district, law enforcement is investigating an unspecified cyber-attack after JeffCo Public Schools staff received an email on Oct. 31.

“Jeffco’s Information Technology team is working together with cybersecurity experts and law enforcement to determine the credibility of the attack and scope of the incident,” officials said in a Nov. 1 statement.

According to emails The Denver Gazette obtained, the hackers provided JeffCo officials with a 1 gigabyte sample of the stolen 40 GB dataset.

Among the information the hackers have purported to have stolen:

• Staff phone, home addresses, title and other undisclosed information

• Student information, including school email addresses, emergency contacts’ name, phone and email, and birthdates

• Individualized Education Programs, also called “IEPs,” dating back to 2020, which can contain sensitive health care information, such as prescribed medication and clinical diagnoses

“This cyber breach has not been politically motivated in any way, and is viewed by us as a business transaction,” the hackers wrote JeffCo officials on Oct. 31.

JeffCo Public Schools is the second largest school district in Colorado behind Denver with roughly 14,000 employees and more than 65,000 students on 140 campuses.

If JeffCo officials knew the extent of the cyber threat, they have not yet disclosed it.

Ashlee Cochran, the parent of four JeffCo students ages 7 to 13, three of whom are on an IEP, found out about the hack through her kids.

“At first, I honestly thought it was a joke,” Cochran said. “I thought they just didn’t want to do their homework.”

That’s because – parents have told The Denver Gazette – the district uses Google Classroom for assignments.

Google Classroom is a free platform for educational institutions that streamlines file sharing between teachers and students and simplifies creating, distributing and grading assignments.

According to Google, the data is encrypted in transit and not shared with third parties.

Cochran said she didn’t realize until four days after the hack – buried in an email from one of her children’s teachers – that sensitive information could have been compromised.

“JeffCo was never forthcoming that this was a hack,” Cochran said.

Cochran added, “The district and the people on the board are more concerned with dwindling enrollment numbers than they are about security.”

Lisa Girard, a former JeffCo Public Schools employee with two kids attending district schools, said she is concerned, as well.

On Halloween, the day hackers emailed district officials, Girard said she received notice that a new credit card with the district’s address was added to her personal PayPal account.

Girard hasn’t worked for the district since February of 2022.

Depending on how deep the hack went, staff payroll and deposit information could have been compromised.

“I think the breach is a lot bigger than the district is letting on,” Girard said.

Of particular concern to parents and security experts alike was the use of student birthdays in creating student passwords.

“That’s a terrible practice,” said Deb Howitt, a partner with Dorsey & Whitney, an international law firm with offices in Denver.

Howitt’s practice area includes data privacy and cybersecurity.

“I think the reason they do it is because it makes it easy for students,” Howitt said.

On Oct. 5, SingularityMD conducted a similar cyberattack, with a demand for payment, on Clark County School District in Nevada, the nation’s fifth largest, with more than 300,000 students.

On the day JeffCo employees received a suspicious email in Colorado, parents in Nevada filed a class action lawsuit against Clark County School District, alleging the district – among other things – failed to implement reasonable and adequate security procedures, such as encrypting personal information to prevent infiltration and the hacking of weak passwords.

According to the complaint, the Clark County officials did not acknowledge the security breach “was a ransomware attack, that the information is being publicly released, that it includes highly sensitive information, including medical information, or that the third-parties responsible for the attack may still have access to all of the District’s information.”

Colorado law requires government agencies to report data security breaches within 30 days of discovery to the attorney general.

The Attorney General’s Office considers the attack a breach if it affects 500 or more Coloradans.

It is unclear how many data breaches have occurred among Colorado agencies. Lawrence Pacheco, an Attorney General’s Office spokesman, could not provide this information.

The threat cyberattacks pose to individuals and national security is real and growing.

The U.S. Government Accountability Office said risks to IT systems are on the rise, as malicious actors are increasingly capable of carrying out cyberattacks.

Attackers will sometimes demand payments to unlock hijacked systems. In JeffCo’s case, hackers have demanded a “fee for disposal” of the stolen data.

Attacks against education institutions are becoming more commonplace.

Last month, The Denver Gazette reported that the Colorado Department of Higher Education, which oversees the state’s postsecondary system, waited eight weeks to notify the Attorney General’s Office about a data breach discovered in mid-June that affected thousands of records containing personal data going back two decades.

And in March, officials with Denver Public Schools disclosed the personal information of as many as 15,000 employees was stolen in a “cybersecurity incident” that lasted for a month.
