One of the convenient fictions of ransomware attacks is that the cybercriminals who operate ransomware schemes have no interest in the data they’re encrypting – they just want to get paid. By this logic, ransomware attacks aren’t data breaches because the data isn’t exfiltrated or stolen – just encrypted and left where it is.

And it’s a popular fiction, at that. The latest ransomware victim caught peddling this fiction is Dorchester County, South Carolina, where School District officials have acknowledged that 25 of 64 servers operated by the district were infected with ransomware. The infection prompted the district to pay $2,900 in ransom to have the data decrypted, according to a report by a local ABC News affiliate.

“A thorough investigation determined this was a ransom request and there was no identity theft involved and no student or staff information had been accessed or compromised,” the District said in its statement. This, even though if you read further in the statement, Dorchester County makes clear that student data was compromised.

“Data on 24 of the 25 servers (has been) successfully retrieved and restored, but the data on one server was corrupted rendering it inaccessible by us or anyone else,” the District said. That data included information on 26,000 students, which was being re-entered by hand. That included 32 students for whom no paper backups of their school records were available to restore. That information “is currently being redeveloped through the joint efforts of parents, teachers, and staff.”

In short: the statement both assures parents that no student data was affected by the breach, while speaking in detail about the fact that 26,000 students’ records were affected by the breach.

Nice try. As this blog has noted before: such statements are blatantly false. Any data encrypted by the ransomware was, by definition, “accessed” by the malware and constitutes a breach. It is worth noting that this is the definition that the U.S. Department of Health and Human Services uses when determining whether protected health information has been leaked, in violation of the HIPAA patient data privacy law.