{
	"id": "5077930f-b94d-459b-bb8b-453bc050255d",
	"created_at": "2026-04-09T02:23:22.739536Z",
	"updated_at": "2026-04-10T03:22:38.475609Z",
	"deleted_at": null,
	"sha1_hash": "03a6305c8da4bdfa2d74b4d0e175f84857247209",
	"title": "Hackers escalate: leak 200k CCSD students' data; claim to still have access to CCSD email system - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 373320,
	"plain_text": "Hackers escalate: leak 200k CCSD students' data; claim to still\r\nhave access to CCSD email system - DataBreaches.Net\r\nPublished: 2023-10-27 · Archived: 2026-04-09 02:02:02 UTC\r\nClark County School District (CCSD) in Nevada informed parents and employees that they became aware of a\r\n“cybersecurity incident” on October 5. Three weeks later, the district had not fully recovered from the attack and\r\nparents were complaining about the district’s lack of transparency about what was stolen in the breach.\r\nDisturbingly, while the district has not disclosed the scope of the breach of student information, the hackers started\r\ndisclosing it  this week – and in the worst way possible — by leaking 200,000 students’ information and numerous\r\nother files with personal information. There may be more to come.\r\nYesterday, Tiffany Lane of News3LV  and Julie Wooten of Las Vegas Review-Journal reported that parents were\r\nincreasingly concerned about the breach after receiving emails purportedly from the hackers with their children’s\r\npersonal information.  One parent described the email they received as, “Warning me that my children’s\r\ninformation was released or hacked into and it had three PDF files. Each one had my children’s picture, all of their\r\ncontact information, email addresses, student ID numbers, my information, our address.”\r\nThat mother was right to be concerned and to think it was related to the breach. Files with those data elements had\r\nbeen stolen and some were leaked this week. As DataBreaches reported yesteday, a number of files that appeared\r\nto be from the district were leaked on a file-sharing site earlier this week. 
The post with the links to the files was\r\nremoved (probably by the filehost), but DataBreaches described the contents of some of the leaked files and\r\nprovided screenshots and a list of the archive names.\r\nIn response to that post, DataBreaches was contacted by an individual claiming to be from the hackers. They\r\nintroduced themselves as “SingularityMD.” DataBreaches notes that the name “SingularityMD” has no obvious\r\nconnection to the website with the same domain name that automates physician note-taking with AI. The email\r\naddress used was an email address from the Coalinga-Huron Unified School District that the hackers immediately\r\nindicated was not theirs and would not reach them.\r\nThe Hackers Tell Their Side\r\n“SingularityMD” provided this site with a link to a second leak post on a file-sharing site. That post, dated\r\nOctober 25, contained a statement as well as links to yet more files. The statement was intriguing on a number of\r\nlevels, in part because it suggested some detailed knowledge of the district’s security policies and past practices.\r\n[Note: DataBreaches does not know if SingularityMD is really one person or more than one, but will use the\r\nplural form.] 
Their statement began:\r\nWe SingularityMD (the hack team), would like to make a statement for clarification.\r\nCCSD did not detect a security issue, we emailed them to tell them we had been in their network for a\r\nfew months.\r\nFor 6 years they forced students to use their birthday as their password, resetting the passwords back to\r\ntheir birth date each year, they even prevented the students from securing their accounts.\r\nThe statement then made clear that there was an extortion demand:\r\nWe asked for less than one third of the Jesus F Jara’s annual salary in exchange for destroying the stolen\r\ndata.\r\nThe callousness and incompetence of the leadership at CCSD is astounding, not only did they not\r\ncooperate, it is clear they did not communicate with principals and have still not plugged their leaky\r\nship, meaning we still have access to the network.\r\nSuperintendent Jara’s annual salary is $395,000.00 per year. As in a previous extortion demand incident in 2020,\r\nthe district reportedly did not agree to pay. The attackers probably should not have been surprised in light of the\r\ndistrict’s past behavior.\r\nBut of note, the threat actors claimed that they still have access to the district’s network. That last claim received\r\nsupport last night when an email arrived for DataBreaches that appeared to be from a named student at CCSD. \r\nThe From: line had the format: FIRSTNAME Lastname [STUDENT] \u003cfirstname.nnnnnnn@nv.ccsd.net\u003e. A check\r\nof the Master Register file leaked by the group indicated that a student by that name is enrolled at the George E.\r\nHarris Elementary School.  A check of the header for the email returned: X-Spam-Status: No, score=-0.1\r\nrequired=.6 tests=DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,\r\nRCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL.  
So it appears that the\r\nhackers still have access to the district’s email server. The extent of their access to other parts of the network is\r\nunknown to DataBreaches, and the hackers did not provide this site with a way to contact them with questions. In\r\nany event, their post of October 25 continued:\r\nWe are not short sighted, and so we kept our end of the bargain. After all we are already working on\r\ndata collection for two other organizations. Should we have received payment, the data would be\r\ndestroyed and we hope to demonstrate that with the next organization who pays.\r\nThe statement then repeated what was evident from their first leak: that they do have personal information on\r\nstudents. This time, though, they started leaking more student information:\r\nAs promised to them in our initial correspondence we are now leaking the 200k student profiles we\r\nextracted from their network yesterday, these profiles include a photo, birth date, person ID, student\r\nNumber, State Student ID, Email, Language, Race / Ethnicity, Household names, relationships and\r\ncontact information, outside household contact information.\r\nOne final tip for CCSD, we will continue to cause trouble until you pay, or you finally kick us out of\r\nyour network.\r\nA list of twelve zipped archives, by grade, with links to the zipped archives followed the statement. There was also\r\na Master Register, containing “A list of all 300k+ students, birthdate, grade.” All of the zipped archives were on a\r\nclearnet file-sharing site. And because the earlier leak post had been removed, the October 25 leak also reposted\r\nthe earlier leak’s links to clearnet and deep web sites.\r\nOnce again, DataBreaches reached out to CCSD via their web site contact to ask for a statement about the leak of\r\npersonal information of students. 
DataBreaches also asked the district whether it was true that the attackers still\r\nhad access on October 24, the day they claimed to have exfiltrated the data on 200k students.  Note: that inquiry\r\nwas sent earlier in the day before DataBreaches received an email demonstrating that the hackers still have access\r\nto the email server.\r\nOnce again, no reply was received from the district. Other news outlets report similar outcomes: the district is not\r\nresponding to specific questions from the media seeking the kinds of information parents and employees want to\r\nknow.\r\nYesterday, DataBreaches reported student personal information in the first leak included attendance records,\r\nincident reports, and some medically related information. There were also other files in that first leak. In contrast,\r\nthe second leak was specific to student demographic information, as described in their statement. The following is\r\na screenshot of a “Person Summary Report” that has been redacted by DataBreaches. It is one of 14,804 such pdf\r\nfiles in the leaked “1st Grade CCSD” archive.  The data elements in the report contain the student’s name, their\r\nstudent ID, their date of birth, their person ID, their student email address, their picture, and household members’\r\ninformation including parents’ and siblings’ names, cellphone numbers, email addresses, and other contact\r\ninformation.  Race and ethnicity information is also included and other fields permit reporting of non-household\r\nrelationships:\r\nImage: DataBreaches.net\r\nIn addition to the individual grade archives, there was also the Master Register file in the newer leak.  The Master\r\nRegister file has 331,265 rows, one for each student. 
The Master Register .csv file contained students’ first,\r\nmiddle, and last names, their date of birth, their school and grade, their race and ethnicity, as well as their start\r\ndate and end date.\r\nImage and redaction: DataBreaches.net\r\nLessons Learned?\r\nCCSD is the fifth largest school district in the nation, and this is not their first cyberattack (they suffered a\r\nransomware attack three years ago). What did they do after the first one to harden their security? Looking at their\r\nbudget for the past few years, there has been only one entry specifically described as “Service, Cyber Security.”\r\nMosaic451 LLC had contracts for the 2021-2022 and 2022-2023 school years for $930,300 and then $931,000.\r\nFor the 2023-2024 year, however, the district’s proposed expenditure for them was $369,813. No other service\r\nwas listed in the budget summary specifically for “cybersecurity.” Did the district decide it no longer needed some\r\nservices, or did it have an alternative plan or providers to address them, or is there some other explanation? When\r\nwas the district’s last risk assessment and what did it do in response to it? Will the hackers tell us how they gained\r\naccess if the district doesn’t? 
And what lessons did the district learn about communications and transparency from\r\nthe 2020 incident?\r\nTransparency is Crucial\r\nOn October 16, Fox5 cited a statement by the district that disclosed that their investigation to that point had found\r\nthat the attacker had accessed a “limited amount of personal information.” They did not define “limited.”\r\nWhen parents and students expressed concerns, did the district reveal more about what it knew so far? The district\r\ngave them a nonspecific statement that it was still working to determine the scope and people who were affected\r\nwould get letters about how to protect themselves.\r\n“Rest assured that we are committed to sharing information as it becomes available,” CCSD said. Then why didn’t\r\nit share that it knew student data had started being leaked this week? “Cooperating with the FBI” is not a reason to\r\nnot disclose unless the FBI has specifically requested you not disclose, and in that case, entities always report that\r\nthey have been asked to delay or withhold notification so as not to interfere with an investigation.  CCSD has not\r\nclaimed that they have been asked not to disclose by the FBI, so reference to the FBI is irrelevant to their failure to\r\ndisclose. How long would it take for the district to review the first leak and recognize whether those files did come\r\nfrom their system or not?\r\nThe district states that those with questions can call a dedicated assistance line at 888-566-5512 between 6:00 a.m.\r\nand 6:00 p.m., Monday through Friday, excluding holidays. Will 200,000 parents now start calling them?  And\r\nwill callers be able to get through if there is a flood of calls?\r\nSchool districts tend to be soft targets for hackers. 
But decisions about transparency affect trust between the\r\ndistrict and the community and at this point, it would be understandable if taxpayers, parents, and some employees\r\nwant heads to roll for keeping them in the dark. But who should be held accountable for the breach and who\r\nshould be held accountable for the lack of transparency? By accountability, DataBreaches does not mean throwing\r\nan underpaid and overworked IT employee under the bus.\r\nVictims of a breach — students, their parents, and employees — should not be first finding out from criminals\r\nthat their personal information has been stolen and leaked publicly. They should be finding out first from the\r\nentity that was responsible for securing their data.\r\nA Note to SingularityMD\r\nPlease provide a way to contact you to ask questions. Email, Telegram, Jabber, Tox, Signal….  take your pick and\r\nlet me know. Thanks.\r\nUpdate: they gave me a way to contact them.\r\nSource: https://www.databreaches.net/hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.databreaches.net/hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system/"
	],
	"report_names": [
		"hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system"
	],
	"threat_actors": [
		{
			"id": "e3780667-cbca-4671-a9ff-073305fdc58b",
			"created_at": "2023-11-10T02:00:07.49368Z",
			"updated_at": "2026-04-10T02:00:03.435856Z",
			"deleted_at": null,
			"main_name": "SingularityMD",
			"aliases": [],
			"source_name": "MISPGALAXY:SingularityMD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775701402,
	"ts_updated_at": 1775791358,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03a6305c8da4bdfa2d74b4d0e175f84857247209.pdf",
		"text": "https://archive.orkl.eu/03a6305c8da4bdfa2d74b4d0e175f84857247209.txt",
		"img": "https://archive.orkl.eu/03a6305c8da4bdfa2d74b4d0e175f84857247209.jpg"
	}
}