School data breaches alarm Minnesota lawmakers prior to political session

Data breaches at public schools and universities in Minnesota have opened the door for identity thieves to target millions of people this year alone.

For example, cybersecurity folks at Minneapolis public schools say they caught an attack as it happened last year, but more than 100,000 people’s private information still got leaked.

State legislators are now diving deeper into the investigations to see if they can intervene.

More than three decades worth of Social Security and driver’s license numbers, plus other data from the University of Minnesota fell into the hands of a hacker earlier this year.

The criminal claimed to have collected personal identifying information from 7 million people, and it all came from a single cyber storage.

"Internal and external experts determined that the unauthorized party likely gained access to private data from one data warehouse," says Bernard Gulachek, vice president and chief information officer at the University of Minnesota.

At a cybersecurity committee hearing Monday, Gulachek said he’s limited in explaining what happened because of lawsuits and because their investigation is ongoing.

But Rep. Steve Elkins wasn’t satisfied with the details he heard.

"This is really not excusable in this day and age," Elkins said.

Now a state representative, Elkins had another career building data warehouses for schools and other businesses.

He says it seems like the university doesn’t have a good handle on the private information it has, and it stores them in places they obviously shouldn’t.

"Some of the things that are unearthed through this incident will reveal basic shortcomings in data management," Rep. Elkins said.

A total of 32 Minnesota K-12 schools have also publicly reported successful cyberattacks since 2016.

In just 2020, those attacks cost schools $2.7 million.

The cybersecurity committee's chair says it seems inevitable that hackers will target more school systems and their tactics are shifting since large corporations and districts have increased investments in cybersecurity.

"Which unfortunately means some of the smaller entities where they do not have as many resources have become more attractive targets and that includes, unfortunately, places like school systems," said Rep. Kristin Bahner.

Information officers from several districts and the university said the legislature can help by funding grant programs to help schools invest in cybersecurity.