New Jersey’s Bayonne Board of Education yesterday notified students and staff about a November 2023 data breach that compromised Social Security numbers and other personal information.
Ransomware group LockBit first claimed responsibility for the attack on December 3, 2023. That claim was posted with a “timer stopped” message, indicating the ransom might have been paid. However, the claim reappeared on December 12, 2023 with a ransom deadline of December 15, 2023.
The Board has not confirmed LockBit’s claim. We don’t yet know how many people were affected, what other types of data were compromised, what systems were affected, how much the ransom was, whether the school paid the ransom, how attackers breached the school network, or why it took more than half a year to notify victims.
Comparitech contacted the Bayonne Board of Education for comment and will update this article if it responds.
We recommend victims take advantage of the free credit monitoring and identity theft protection service offered by the Board via Experian. Minors are particularly vulnerable to identity theft because they have clean credit reports that they otherwise have no reason to monitor.
Who is LockBit?
LockBit is one of the most prolific ransomware gangs of recent years after first appearing in 2019. The group is most likely based in Russia. Often, LockBit will operate a double-extortion model whereby a ransom is demanded to decrypt systems and delete any stolen data. The group’s leader, Russian national Dmitry Yuryevich Khoroshev, was recently unmasked by law enforcement, and many of the group’s public facing websites were seized by authorities in February.
The raids and seizures haven’t slowed LockBit down much. It added hundreds of new victims to its leak site last month. We’ve tracked 168 confirmed attacks in the US via LockBit since 2018. 21 of these have been on the education sector. LockBit was responsible for 97 confirmed attacks in 2023 and 16 so far this year. We’ve also tracked 146 unconfirmed attacks claimed by LockBit so far this year, 12 of which were in the education sector.
Less than a month prior to the attack on Bayonne, LockBit attacked another New Jersey school district in the township of Union.
Some of LockBit’s other recent victims include Boeing; Change Healthcare; the city of Wichita, KS; Oracle; Crinetics Pharmaceuticals; and Fulton County, GA.
Ransomware attacks on US education
In 2023, Comparitech logged 108 confirmed attacks on US education institutions, affecting 2,041,576 records. The average ransom on this sector in 2023 was $450,000.
So far this year, we’ve tracked 18 confirmed attacks on US education, affecting 24,054 records. LockBit has claimed the attacks on Clackamas Community College, Groton Public Schools, Central School District 13J, Township of Union Public Schools, and Ewing Marion Kauffman School.
In 2023, LockBit was also responsible for attacks on White Settlement Independent School District, Olympia Community Unit School District 16, University of Health Sciences and Pharmacy, Hillsborough County Public Schools, Fauquier County Public Schools, Río Hondo College, William Jewell College, Greensboro College, Atlanta Technical College, and Virginia Union University. The largest of these (based on records affected) was the attack on Greensboro College, which impacted 52,569 people.
About the Bayonne School District and Board of Education
The Bayonne School District in Bayonne, New Jersey consists of 13 schools grades Pre-K thru 12. It enrolls more than 10,000 students and employs 763 full-time staff.
The 10-trustee Board of Education sets the vision and goals for schools in the district and standards for school and superintendent performance.