Kept in the Dark: Inside the Somerset, Mass., School Cyberattack

Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here’s what we uncovered about a massive attack on the school district in Somerset, Massachusetts. 

When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers. 

The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by The 74 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. 

The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn’t hand over 60 bitcoin which, at the time, was worth about $660,000. 

“If we don’t reach an agreement we will start leaking your private data,” the hacker wrote, noting that for bitcoin they would also offer “a list of security measures” to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers. 

Emails reveal that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An invoice obtained by The 74 describes the ransom payment as being for “technical consultant services and remediation.”

“Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,” Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment. 

The district didn’t respond to requests for comment for this story. 

Records show that Beazley, the school district’s cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkeley’s incident response.

Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack’s impact and its data breach reporting obligations, but it wasn’t until November — four months later —that the firm told them a “programmatic review of the files” had been completed. 

“Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,” staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would “conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.” 

The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. 

William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help. 

“All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,” said Tedford, who was promoted to department chief in August 2024. 

While law enforcement seemed willing to follow the school district’s lead, the incident did open Somerset Berkeley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations.

The hacker wrote: “I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

Tedford asked if the accusation was legitimate and if the police had been notified.

“I need to cover these bases now that we have been made aware of this claim,” Tedford wrote in an Aug. 3 email. “It’s clear the attorneys don’t want law enforcement involved, and that’s fine, but this is a different issue.”

In an emailed response, district Superintendent Jeffrey Schoonover said the police department is “well aware of that situation,” which was related to an incident during an out-of-town show choir event. 

“After a thorough investigation, no charges were filed,” Shoonover wrote, adding in a later email that an officer “interviewed dozens of kids” in response to “this entire unfortunate event.” 

In August 2020, the district was working on its talking points to the public and it’s clear the consultants weren’t far away. The 74 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened? 

They answered that they would “have preferred to notify the public earlier” but couldn’t “to ensure the privacy of student records,” that they were unsure what, if any, records may have been compromised and that they were encouraged to “wait to release any information until the investigation” was further along. In red italics next to the text are the words: Pending revisions from consultants. 

Somerset Berkley was “unable to provide any further information” about whether the district paid a ransom, the document also notes.

The public wasn’t notified of the July attack until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn’t divulge the $200,000 ransom payment. 

The district submitted a breach notice to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver’s license and credit card numbers. 

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter