Madison Elementary School District 38 has started notifying 35,000 people of a data breach following a ransomware attack via Interlock in April 2025. Interlock alleged to have stolen 75 GB.
In its notification, MESD states:
On or about April 7, 2025, Madison Elementary School District 38 (“Madison”) learned that a third-party threat actor (such threat actor claimed to be a group named “Interlock”) had conducted a ransomware attack on Madison’s network via social engineering upon a Madison employee that may have resulted in the exposure of affected individuals’ personal information.”
The letter doesn’t specify the type of data impacted but MESD is offering those affected free access to IDX identity protection services, which suggests Social Security numbers and/or financial data is involved.
Madison Elementary School District also enlisted the help of Arete to determine what data had been compromised. According to an emergency purchase order, this cost just over $21,700 and involved analyzing nearly 100 GB of data.
As previously mentioned, Interlock said it had stolen 70 GB of data, which included nearly 49,000 files across 4,247 folders. The proof pack showed the names of these folders, which included “Accounts Receivable,” “Gifts & Donations,” “Images,” and “Videos.”
While MESD has confirmed that this ransomware attack was carried out by Interlock, it hasn’t confirmed whether or not a ransom was demanded/paid. Comparitech has contacted the school district for more information and will update this article if it responds.
Who is Interlock?
Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data.
Since October 2024, we’ve tracked 29 confirmed and 34 unconfirmed attacks via the group. It hasn’t claimed any new victims this month so far.
Across the 29 confirmed attacks, nine were carried out on educational institutions — all of which are based in the US. This includes School District Five of Lexington and Richland Counties and Central Point School District 6.
Interlock’s most recently confirmed attacks (from August 2025) were for Box Elder County and Pocono Farms Country Club Association, Inc. In the case of Box Elder County, 4.5 TB of data was allegedly stolen, while Pocono Farms Country Club had 106 GB stolen.
So far this year, Interlock has added 49 victims to its data leak site. 19 of these attacks have been confirmed by the entity involved.
Ransomware attacks on the US education sector
2025 has seen 32 confirmed ransomware attacks on US schools, colleges, and universities, and we are monitoring a further 60 unconfirmed. Across these confirmed attacks, over 150,000 records have been breached with this attack on Madison being the second largest based on records affected.
Cherokee County School District is the largest with over 46,000 impacted in its attack in March 2025–also claimed by Interlock.
Uvalde Consolidated Independent School District is the only confirmed attack this month so far (hackers unknown). The district was shut for a week following the attack but has been able to restore its systems this week and has confirmed that no data was stolen in the attack.
Last month, Trico Community Unit School District #176 and the University of St. Thomas were targeted in attacks. Kairos claimed the attack on Trico after allegedly stealing 180 GB of data, while St. Thomas was claimed by INC with 1.8 TB of data allegedly stolen.
About Madison Elementary School District 38
Located in Phoenix, Arizona, Madison Elementary School District currently serves around 6,000 students across eight schools. It was established in 1890.
