Cyber Criminals Post Tucson Student Data on Dark Web

Contrary to initial reports from Tucson Unified School District, Bloomberg News found that cyber criminals posted stolen confidential records online in February, including employee Social Security numbers.

(TNS) — Cyber criminals made off with confidential data about Tucson Unified School District employees and students and put it on the dark web for public access, Bloomberg News reports.

After the ransomware attack in late January, TUSD officials said for weeks that there was no proof sensitive data was stolen.

"But Bloomberg News found that cyber criminals made off with gigabytes of files, containing tens of thousands of current and former employees' Social Security numbers and other confidential records. They then uploaded the information in February to the dark web for anyone to access with an easily downloadable browser," Bloomberg reporter Jack Gillum found.

"Examples of the leaked files include a high schooler's medical records; another detailed arguments for expelling several students," the report said.

Bloomberg found more than 16,000 numbers and birth dates tied to current and former employees on the dark web.

"Another leaked document included 'confidential records' concerning a high school student's diabetes diagnosis and instructions for their insulin injections," the Bloomberg report said, adding that the student's parents did not respond to inquiries seeking comment.

TUSD data is still available on the dark web for downloading, Gillum confirmed to the Arizona Daily Star on Friday, May 5.

"There are documents showing a confidential settlement agreement with Joann Anderson, a former employee who had previously sued Tucson Unified School District in federal court, alleging discrimination," Bloomberg's article said. It quoted Anderson as saying a school district lawyer had recently told her there was no evidence of a data breach and that nothing was taken.

District Superintendent Gabriel Trujillo was on personal leave and unavailable to comment, TUSD communications director Leslie Lenhart said.

When asked by the Star about Bloomberg's findings, Lenhart provided an email Trujillo sent to staff and families on April 25, a week after the Bloomberg report, updating them on the situation.

Trujillo confirmed in the email that a large amount of sensitive and confidential employee data was accessed and taken.

"Our cyber-security forensic experts are working to confirm, on a person by person, employee by employee basis, the validity of any personal and confidential information that has been posted or published online, particularly social security numbers, birth dates or any other personal health or financial information," Trujillo wrote.

"This requires the team to review tens of thousands of documents and files at a time as well as to determine if each file can be linked to a current or former TUSD employee, parent or student. This work, which is part of our ongoing investigation is time consuming and has not yet been completed. For this reason, we have made no further statements about the validity of any district information that may have been posted on the dark web."

Trujillo encourages employees and families to "remain vigilant" and monitor all banking information, accounts and credit-related information, the email said. If the investigation determines that confidential information was compromised, those affected will receive individual communications on behalf of TUSD.

The district will also work with the Arizona Risk Retention Trust to determine the support and services that will be available if the investigation reveals Social Security numbers were breached, the email said.

Ravi Shah, president of the TUSD Governing Board, declined to comment to the Star on the Bloomberg findings and referred questions to district officials.

Lenhart said TUSD didn't engage with the attackers or pay a ransom.

A ransomware group called Royal, active internationally, was responsible for the "cyber terrorism" attack, Trujillo previously confirmed.

Trujillo told the district governing board in February he was asking "the community for patience" because, "out of an abundance of caution ... we are very limited in what we can say" about specific security steps and other details.

Officials have high confidence two critical district systems, for finance/human resources and student information, are secure, the board was told then by Rabih Hamadeh, TUSD's executive director of technology services.

Hamadeh said TUSD did a "massive password change" for all teachers, students and staff after the attack, and would conduct training for all about new security measures.

He also said that as budget constraints allow, the district will start a phased approach to transition to more cloud computing and cloud storage, under which companies such as Amazon, Google and Microsoft are "responsible with us for protecting your data."

©2023 The Arizona Daily Star (Tucson, Ariz.). Distributed by Tribune Content Agency, LLC.