Ransomware breach exposes student data

While wealthy parents shell out $57,000 a year for their children to attend the prestigious Riverdale Country School, their investment just bought them something unexpected: a massive data breach. The Bronx institution, which counts JFK and Carly Simon among its notable alumni, fell victim to a ransomware attack in February 2025. Talk about an expensive education.

Cybercriminal group RansomHub didn’t waste time claiming responsibility for the attack. They made off with 42 GB of sensitive data including biographical, contact, and medical information from students, parents, and faculty. By March 5, this private information had racked up over 4,000 views on the dark web. Not exactly the kind of exposure these families were hoping for.


The school has apparently refused to pay the ransom. Smart move, according to cybersecurity experts. Paying doesn’t guarantee data deletion and only funds more criminal activities. Cold comfort to the 1,000+ students whose personal information is now floating around the internet.

RansomHub, formed just a year earlier in February 2024, has already extorted at least 210 victims using their malware-as-a-service model. Their specialty? Multiple extortion tactics – encrypting and stealing data for ransom. Charming.

Riverdale’s administration is scrambling to contain the damage. They’ve notified affected families, are working with law enforcement, and are reviewing their vendors’ security procedures. They’ve also decided to ditch Illuminate Education products after June 2022. A bit late for that now. Following the NIST Cybersecurity Framework’s five core functions could have helped the school identify vulnerabilities and better protect sensitive student information.

This breach highlights the alarming trend of cyberattacks targeting educational institutions. A staggering 82% of K-12 schools faced cyber incidents between July 2023 and December 2024. Schools typically lack adequate cybersecurity resources – evidenced by $3.7 billion in requests for the FCC’s measly $200 million cybersecurity program. This incident follows a concerning pattern after 3,000 NYC students had their personal information leaked in a previous Google Drive breach.

While private schools like Riverdale may face fewer regulatory requirements than public institutions, they’re not immune to potential lawsuits from affected families. The school declined to comment on the attack. No surprise there. Luke Connolly, a cybersecurity analyst, emphasized that these cybercriminals lack morals and are solely motivated by financial gain from their attacks.
