Lake Washington School District

On May 31, 2026, ransomware group cmdorganization listed Lake Washington School District on their dark web victim portal. The district, headquartered in Redmond, Washington, operates 33 elementary schools, 14 middle schools, and 9 high schools serving communities across Kirkland, Redmond, and Sammamish.

Reports indicate the attack disrupted public education operations across schools and administrative systems. The district was founded in 1914—over a century of records potentially at risk from a modern threat actor.

The specific data types have not been publicly disclosed. However, K-12 districts typically maintain extensive records: student enrollment data, grades, disciplinary records, special education documentation (protected under FERPA and IDEA), free/reduced lunch eligibility (income indicators), emergency contacts, medical information, and staff employment records including Social Security numbers.

A district this size—serving tens of thousands of students across 56 schools—generates massive data volumes. Each student file, each employee record, each parent contact form represents personal information that shouldn't leave district systems.

Students—many of them minors—whose educational records, family information, and potentially medical data may now be in attacker hands. Parents who provided sensitive information to enroll their children. Teachers and staff whose employment records and SSNs could be exposed.

Exposed student data is particularly dangerous because it can be used to establish fraudulent identities that won't be discovered until years later when victims apply for credit, jobs, or student loans. Children's clean credit histories are valuable to identity thieves precisely because the fraud goes undetected longer.

School districts focus on educational mission: supporting students, maintaining facilities, recruiting teachers. Cybersecurity competes with classroom technology, building repairs, and staff salaries for limited public funding. Most districts don't have dedicated security teams—IT staff handle everything from printer problems to network defense.

But ransomware groups don't distinguish between well-funded enterprises and public schools. They see data. They see vulnerabilities. They see targets that might pay to restore operations before the school year starts.

Over 110 years of operation means layers of data systems: legacy student information systems, modern cloud platforms, departmental databases, shared drives with archived files. Each technology generation added data without necessarily cleaning up the previous one.

When attackers claim they've exfiltrated district data, the first question should be: how much? But without a current data inventory, the answer is unknowable until forensics complete—and by then, the damage timeline has already started.

Washington state has data breach notification requirements. FERPA governs educational record disclosures. If student records were compromised, the district must notify affected families. But notification requires knowing whose data was taken—and a district serving multiple cities across 56 schools has a complex data footprint.

Summer break provides a narrow window to recover before fall enrollment, but the work of identifying affected individuals doesn't stop for vacation schedules.