DA’s office probing San Benito security breach

SAN BENITO — Authorities are investigating a cyber extortion hacking group’s breach of the San Benito school district’s technology system, which led to the theft of as many as 30,000 employees’ and students’ confidential information.

On Wednesday, Cameron County District Attorney Luis Saenz confirmed the Karakurt group is behind the cybersecurity breach believed to have occurred about Nov. 1.

“We’re investigating the security breach,” he said.

Saenz said the breach led to the theft of 25,000 to 30,000 district employees’ and students’ confidential information.

As part of his investigation, he is trying to determine whether victims also included former employees and students, he said.

“We’re trying to determine exactly to what extent,” he said, referring to the number of victims.

Suspended IT director files grievance

On Wednesday, attorney John Shergold said district Superintendent Theresa Servellon suspended Todd English, the district’s technology director, for reporting the security breach to her and district Police Chief Juan Sosa on Nov. 3.

English, who discovered the breach on Nov. 1, also contacted the FBI, Shergold said.

Shergold said Servellon placed English on paid administrative leave on Nov. 15.

On Nov. 18, English filed a grievance which led to a Dec. 9 district hearing whose findings are pending, Shergold said.

“He claims he was retaliated against for reporting the security breach,” he said. “Todd’s concern is to protect the security information of all students involved, the parents and the employees of the school district. That’s why he went to law enforcement.”

By 5 p.m. Wednesday, district officials had not responded to messages requesting comment on English’s claim of retaliation.

Karakurt negotiations

Saenz declined to comment on details surrounding the Karakurt group, describing the breach as “a really sophisticated hack.”

Meanwhile, Sylvia Wood, spokeswoman with the Texas Association of School Boards, declined to comment on whether the agency, on behalf of the San Benito school district, negotiated with the hackers in an effort to stop them from distributing the district’s confidential information.

“San Benito CISD has cybersecurity coverage through the TASB Risk Management Fund, which is the largest provider of risk management coverages and services to school districts and other public education entities in Texas,” she stated. “The fund, which is administered by the Texas Association of School Boards, does not comment on individual member claims or incidents reported to the TASB Risk Management Fund.”

On Wednesday, the Valley Morning Star filed a request under the Texas Public Information Act for information regarding negotiations with Karakurt.

According to information from the FBI and the Cybersecurity and Infrastructure Security Agency, or CISA, Karakurt is a “data extortion group” also known as the Karakurt Team and Karakurt Lair.

“Karakurt actors have employed a variety of tactics, techniques and procedures, creating significant challenges for defense and mitigation,” CISA states on its website.

“Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the agency states. “Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

“Karakurt actors have contacted victims’ employees, business partners and clients with harassing emails and phone calls to pressure the victims to cooperate,” the agency states. “The emails have contained examples of stolen data such as social security numbers, payment accounts, private company emails and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred.”

DA, school district notifying breach victims

Earlier this week, Saenz said district officials had not notified victims of the breach, including employees and students’ parents, to allow them to take steps to protect their bank accounts and other potential targets.

The law requires victims be notified of security breaches at least 60 days after they are discovered, he said.

On Monday evening, he released a media statement aimed at notifying the victims, Saenz said.

In his statement, Saenz revealed “a criminal element” had stolen “vast amounts of confidential information.”

More than three hours later, district spokeswoman Isabel Gonzalez stated officials were sending letters to victims.

Meanwhile, officials remained in “the process of identifying the persons who may have been affected,” she stated, adding, “this is the customary and proper way to disclose such an incident.”