York School of Technology ransomware Karakurt

The York County School of Technology today notified more than 30,000 students and staff of a data breach that allowed cybercriminals to steal Social Security numbers and other personal information. The breach was first discovered more than a year ago, in March 2023, and was claimed by the Karakurt ransomware group in May 2023.

In today’s data incident notice, the school explained that it launched an investigation that lasted from April 26, 2023 to March 15, 2024. In total, more than a year passed between the initial intrusion and today’s notice.

Comparitech contacted York County School of Technology for comment, and we’ll update this article if it responds.

In total, 30,914 victims were notified about the incident, which exposed names, Social Security numbers, driver’s license or other state-issued ID card numbers, health and medical information, health insurance information, date of birth, account usernames, and account passwords. Karakurt says it stole 343 GB of data from the school, which it claims also includes addresses, employee info, incident reports, correspondence with government, accounting documents, and more.

That data puts students and staff at risk of identity theft and fraud. Victims should keep an eye on their credit reports and take advantage of the free credit monitoring being offered by the school. Change your school account password immediately, as well as the password on any other accounts that use the same password.

Who is Karakurt?

The Karakurt group, also known as Karakurt Team or Karakurt Lair, specializes in stealing data. It notably does not deploy ransomware that encrypts files. Instead, it steals data and threatens to sell it or release it to the public if the victim doesn’t pay. Ransom demands range from $25,000 to $13 million, according to CISA.

Karakurt breaks into systems by purchasing stolen login credentials or by exploiting known software vulnerabilities.

In April 2022, Bleeping Computer reported it found evidence demonstrating that Karakurt is part of the same operation as the Conti ransomware group.

Karakurt was particularly active in March 2023, having also hacked The Chattanooga Heart Institute.

About ransomware attacks on US education

Ransomware attacks are a growing concern for schools and colleges worldwide. They take down key systems, shut schools for days on end, and prevent teachers from accessing lesson plans and student data.

Comparitech tracked 99 ransomware attacks on education institutions in the US in 2023, affecting nearly 2.1 million records.

Most schools don’t disclose ransom demands, but the demands that have been disclosed ranged from $250,000 to $950,000. Schools suffered average downtime of 11.65 days in 2022. The cost of downtime and remediation is often higher than the ransom itself.
