Ransomware group Qilin today took credit for a September 2025 cyber attack at Uvalde Consolidated Independent School District.
The district shuttered schools from September 15 to 18 when a ransomware attack disrupted access to phones, air conditioning, security cameras, visitor management, Skyward, and more, according to announcement posted on Facebook by Uvalde CSID. In a September 26 update, the district said there was no evidence of unauthorized access to sensitive or personal data.
But Qilin claims otherwise, saying it stole “personal data of employees, financial information, and personal data of students” in a post on its data leak website. To prove its claim, Qilin also posted images of what it says are documents stolen from Uvalde CSID’s servers.
Uvalde CISD has not verified Qilin’s claim. We do not know what, if any, data was compromised, if the district paid a ransom, how much Qilin demanded, or how attackers breached the district’s network. Comparitech contacted Uvalde Consolidated Independent School District officials for comment and will update this article if they reply.
“No employee clicked anything suspicious; this was not caused by staff error,” says the district’s late-September update. “A continuing investigation is underway, and will take a few weeks.”
Who is Qilin?
Qilin is a ransomware gang that began taking credit for attacks on its data leak site in late 2022. Qilin’s malware both steals data and locks down computer systems. It runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.
Comparitech researchers have confirmed 106 Qilin attacks in 2025 to date. We’re tracking another 481 unconfirmed attacks claimed by Qilin that haven’t been acknowledged by the targeted organizations.
Uvalde CISD is not Qilin’s first attack on a school. In the last few months alone, Qilin hit Mecklenburg County Public Schools (VA), Western New Mexico University, Botetourt County Public Schools (VA), Fort Smith Public Schools (AR), and Belmont Christian College (Australia).
Ransomware attacks on US education
So far this year, Comparitech researchers have logged 34 confirmed ransomware attacks on US schools, universities, and other educational institutions.
They include Madison Elementary School District 38 in Arizona, which notified 35,000 people of an April 2025 data breach claimed by the Interlock ransomware group. And the Institute of Culinary Education, which notified 33,000 people of a May 2025 data breach claimed by Payouts King.
Ransomware attacks on schools and colleges can disrupt day-to-day operations such as taking attendance, submitting grades, phone and email communications, billing, payroll, assignments, and more. Ransomware attacks are often two-pronged: they lock down computer systems and steal data. Schools that refuse to pay a ransom face extended downtime, data loss, and putting students and faculty at increased risk of fraud.
The education sector takes longer than any other to notify victims of data breaches: 4.8 months on average.
About Uvalde Consolidated Independent School District
Uvalde Consolidated Independent School District is a public school district spanning Uvalde County, Zavala County, and Real County, Texas. It enrolls 4,150 students and employs almost 300 teachers across eight schools including Uvalde Elementary, Flores Elementary, Batesville School, Morales Junior High School, and Uvalde High School.
