Parts of the Dark Web "awash" with school children's personal data

Parts of the Dark Web “awash” with school children’s personal data

NBC News has collected and analyzed a trove of children’s personal information it discovered on the Dark Web. Even though this information may not be as useful to cybercriminals as credit card details or login credentials, the information is still out there, where we don’t want it.

So what is it, and how did it get there?


Modern ransomware gangs don’t just encrypt data, they frequently steal it too. If their ransom demands aren’t met, they leak the stolen data via their Dark Web sites. These data leaks have lead to information about (amongst others) businesses, police officers, hospital patients, and school children ending up on the Dark Web.

And schools and school districts have been very popular targets for ransomware attacks. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by a ransomware analyst.

Ransomware threat actors are always looking for low-hanging fruit. And schools have always been easy targets for ransomware, because of their limited budgets, especially for security. All of which was made worse by the demand for distance learning created by the Coronavirus pandemic.

What information is out there?

Some schools may not be able to tell you how much, and what, information they have about your child if you ask them. But the evidence says it’s even worse than you might expect; it isn’t just the information you may have handed over to the school when you filled out the application. Over time, information like medical conditions or your family’s financial status may get added. Some information, like social security numbers or birthdays, will be a constant in the child’s life, and that information in the wrong hands can set up a child for identity theft throughout their life, and at any time in their life.

The NBC article provides a few examples that may raise your eyebrows.

A few months after a ransomware attack on Toledo Public Schools in Ohio, which lead to students’ names and social security numbers being published online, a parent discovered that someone had started trying to take out a credit card and a car loan in his elementary school-aged son’s name.

Following an attack on Weslaco Independent School District, data relating to approximately 16,000 students was leaked, including: Their names, dates of birth, race, social security numbers, gender, immigration status, whether they were homeless or economically disadvantaged, and if they’d been flagged as potentially dyslexic.

Can the information be removed?

The chances of permanently removing information from a ransomware leak site are slim to none. By the time the victim of a ransomware attack pays the ransom, their data has already been stolen, so they have nothing more than the word of criminals that it will be destroyed or kept safe. There is little incentive for ransomware gangs not to trade the data of payers and non-payers alike on some Dark Web forum. And when data has been shown on a leak site, anyone could have grabbed a copy.

What is the Dark Web?

Maybe it’s a good idea to clear up some of the misconceptions about the Dark Web. There are two “dark” regions on the World Wide Web: The Deep Web, and the Dark Web.

The Deep Web is an unindexed part of the web, which includes anything behind a login screen, for example. The indexed part of the web—the part that can be found by search engines—is likely to be a small fraction of the entire web, which makes the Deep Web enormous.

The Dark Web is a part of the web that can only be accessed via Tor. The Dark Web is designed to hide the location (strictly, the IP address) of everyone and everything on it. And if you can’t trace the real IP address of a user or a website, you can’t find them, arrest them, or shut them down. Which is why the Dark Web is where you’ll find ransomware leak sites.

Unlike the Deep Web, the Dark Web is extremely small, but it is very popular with criminals, for obvious reasons. Alongside ransomware leak sites, the Dark Web also hosts forums where cybercriminals can buy and exchange information, and marketplaces that sell anything and everything that’s illegal.

What can you do?

School cybersecurity is increasingly important, and parent-pressure makes a difference. Ask your school about its approach to cybersecurity, and what information about your child it keeps. Should you or your children’s information become part of a data breach you may want to read some more about identity theft, and credit monitoring.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.