Massachusetts school notifies 800 people of data breach

Cape Cod Academy, a private college preparatory school in Massachusetts, this month notified at least 781 people of a data breach that occurred in September 2024.

Ransomware group RansomHub claimed responsibility for the breach, saying it stole 616 GB of data from the school. According to RansomHub’s leak site, the group published the data on September 13, 2024, which suggests the school did not meet the ransom demands.


Cape Cod Academy has not verified RansomHub’s claim. The school has not publicly disclosed what personal information was compromised or whether it belonged to students, but it is offering victims free credit monitoring via CyberScout. That suggests the stolen data could be used for identity fraud. However, the credit monitoring might not be available to people under the age of 18, such as current Cape Cod Academy students. The deadline to enroll in credit monitoring is 90 days from the date on the notice letter sent to victims.

The Academy’s notice (PDF) to victims states, “On the morning of September 2, 2024, Cape Cod Academy discovered it was under ransomware after its servers were encrypted and a ransom note was located.”

It goes on to say, “On September 18, 2024, the forensic investigation determined that the threat actor had access to (and claims to have exfiltrated) data from Cape Cod Academy’s environment.”

Out of the 781 notices disclosed by state data breach reporting agencies, 778 went to victims in Massachusetts, and three went to victims in Montana. We will update this article with more complete data from other states when they disclose it.

We do not yet know how attackers breached Cape Cod Academy’s network, or how much money RansomHub demanded in ransom. Comparitech contacted Cape Cod Academy for comment and will update this article if it responds.

Who is RansomHub?

RansomHub runs on a ransomware-as-a-service model in which affiliates pay to use the group’s malware and infrastructure to launch their own attacks and collect ransoms. Some of its more high-profile attacks include those on Rite Aid, the auction house Christie’s, the Florida Department of Health, and Frontier Communications.

On August 29, 2024, the FBI and other federal agencies issued a joint advisory telling organizations to monitor for and defend themselves against RansomHub attacks.

Comparitech researchers logged 58 confirmed ransomware attacks claimed by RansomHub since it began operations in early 2024. Another 311 unconfirmed attacks were claimed by RansomHub but not acknowledged by the targeted organizations. RansomHub recently took the number one rank from LockBit in total number of claimed attacks in the third quarter of 2024, according to Symantec.

Confirmed RansomHub attacks have compromised more than 5 million people’s personal records across the globe. Recent confirmed RansomHub attacks include those on Star Health and Allied Insurance (India), The Yorozu Corporation (Japan), Mairie de Mauguio (France), Grupo Aeroportuario Centro Norte OMA (Mexico), and Saizeriya (Japan).

RansomHub’s global threat extends to schools around the world. It lists the Hong Kong College of Technology, Swinburne University of Technology Sarawak Campus (Malaysia), Università di Genova (Italy), and Cincinnati Public Schools (US) among its confirmed victims.

Ransomware attacks on US education

Ransomware attacks can both steal data from a school’s computer systems and lock those systems down by infecting them with malware. The school must then pay a ransom in exchange for a key to unlock the computer systems and for the attacker’s agreement not to sell or publish the stolen data.

Ransomware can disrupt systems used for assignments, grades, communications with teachers and staff, billing, payroll, and more. Schools often have to resort to pen and paper until systems are restored, and some have even cancelled classes in the wake of ransomware attacks. If a school refuses to pay, restoration can take weeks or even months, and students and staff whose data was compromised are put at greater risk of identity theft.

Comparitech recorded 47 confirmed ransomware attacks on US schools, universities, and other educational institutions so far in 2024, with an average ransom of $562,500. Those attacks compromised more than 247,000 people’s private records.

Other schools that recently confirmed data breaches due to ransomware attacks include Highline Public Schools, Albany College of Pharmacy and Health Sciences, Mastery Schools, and Texas Tech University Health Sciences Center.

Ransomware gangs claimed another 58 attacks on US schools in 2024 that haven’t been confirmed by the targets.

About Cape Cod Academy

Incorporated in 1976, Cape Cod Academy is a private college prep school in Osterville, Massachusetts. It enrolls more than 300 students in grades K-12.