San Benito CISD notifies victims of breach

SAN BENITO — Thousands of victims of a San Benito school district security breach on Tuesday began receiving letters notifying them hackers stole confidential data including their names, Social Security numbers and financial information such as bank account routing numbers about two months ago.

On Tuesday, victims were calling Kroll Credit Monitoring, which was working with the district to respond to phone calls.

Around Nov. 1, the cyber extortion hacking group Karakurt’s breach of the district’s technology system led to the theft of 25,000 to 30,000 employees’ and students’ confidential information, Cameron County District Attorney Luis Saenz has said, adding he was trying to determine whether former employees and students were also victims.

Meanwhile, district spokeswoman Isabel Gonzalez declined to disclose the number of letters the district mailed on Dec. 30.

Instead, she requested the Valley Morning Star file a public information request for the information including the number of letters the district mailed to current and former employees and students.

Names, Social Security numbers, bank information stolen

In her letter dated Dec. 30, district Superintendent Theresa Servellon told victims a district investigation found “an unauthorized party intermittently accessed our network and a limited number of employee email accounts and took certain files from our servers.”

“San Benito CISD is writing to inform you of a data security incident that involved some of your information,” the letter states. “We then conducted a thorough review of those files and on Dec. 16, 2022, we determined that the files contained your name, social security number and financial information (account and routing numbers).”

Servellon stated the district was giving victims one-year memberships to an identity theft protection service to help them detect use of their stolen personal information.

“We arranged for you to receive a complimentary one-year membership to Experian’s IdentityWorks,” the letter states. “This product helps detect possible misuse of your personal information and provides you with identity protection services focused on identification and resolution of identity theft. IdentityWorks is completely free to you and enrolling in this program will not hurt your credit score.”

The letter asks victims to call 855-624-3052, Kroll Credit Monitoring’s phone number, with any questions.

“We apologize for any concerns this incident may have caused you,” the letter states.

‘Sophisticated cyberattack’

Late last month, Saenz confirmed Karakurt, a cyber extortion hacking group, had breached the district’s cybersecurity system.

Saenz, who said the incident marked the first time his office has investigated a school district’s cyberattack, described the breach as “a really sophisticated hack.”

Meanwhile, Servellon stated “San Benito CISD and certain members of its community have been subjected to a sophisticated cyberattack.”

“Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the FBI and the Cybersecurity and Infrastructure Security Agency state on their website. “Known ransom demands have ranged from $25,000 to $13 million in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Last month, Sylvia Wood, spokeswoman with the Texas Association of School Boards, declined to comment on whether the agency, on behalf of the school district, negotiated with the hackers in an attempt to stop them from distributing the district’s confidential information.

The Valley Morning Star has filed a request under the Texas Public Information Act for information regarding negotiations with Karakurt.

District denies director’s claim of retaliation

Meanwhile, attorney John Shergold has said Servellon suspended Todd English, the district’s technology director, for reporting the security breach to her and district Police Chief Juan Sosa on Nov. 3.

English, who discovered the breach on Nov. 1, also contacted the FBI, Shergold said.

Shergold said Servellon placed English on paid administrative leave on Nov. 15.

On Nov. 18, English filed a grievance which led to a Dec. 9 district hearing whose findings are pending, Shergold said.

The district has denied English was suspended for reporting the security breach.

“Mr. English responded by filing an employee grievance against the district, which nonsensically implies that he was ‘retaliated against’ for reporting the incident to Chief Juan Sosa of the San Benito CISD Police Department,” Gonzalez stated in a response to Shergold’s comments. “As a matter of policy, the district generally does not provide specific information regarding personnel matters. However, given that Mr. English has shared his grievance publicly, the district feels compelled to unequivocally state that his fabricated accusations are wholly untrue and meritless.”

Background

Late last month, Saenz said district officials had not notified victims of the breach including employees and students’ parents to allow them to take steps to protect their bank accounts and other potential targets.

The law requires victims be notified of security breaches at least 60 days after they are discovered, he said.

At about 5:21 p.m. Dec. 19, Saenz released a media statement aimed at notifying the victims.

In his statement, Saenz revealed “a criminal element” had stolen “vast amounts of confidential information” in its breach of the district’s cybersecurity system.

More than three hours later, district spokeswoman Isabel Gonzalez stated officials were in the process of sending letters to victims.

At the time, officials were in “the process of identifying the persons who may have been affected,” she stated, adding, “this is the customary and proper way to disclose such an incident.”

On Dec. 30, the district mailed its notifications to victims.

“Once the DA made an announcement, the district promptly followed up with confirmation of the situation and stated that notification to involved individuals was imminent,” Gonzalez stated late last month.

“The idea that we were ‘forced’ to make a full disclosure is simply false and we advised the DA’s Office that it would occur well within the required time frames,” Servellon stated. “We agree that affected persons should be notified as early as possible but first we have to determine who that is so that unaffected persons don’t get the wrong impression.”

“We have taken the situation very seriously. It has been priority No. 1 for us since we became aware of the incident in November. Following the advice of experts who do this every day, we planned to announce the incident and directly notify individuals when we could determine whose information was involved and whose was not and in accordance with the law. Any implication that we did not intend to disclose is simply untrue.”