San Benito CISD disputes buyer’s claims that computers contain confidential data

SAN BENITO — A computer company owner said Friday an auction house sold him San Benito school district computers containing employees’ and students’ personal data.

David Avila, co-owner of Brownsville-based RDA Technologies, said his company bought about 700 district computers during a July 23 South Texas Auction Co. auction before discovering at least 11 computers’ hard drives contained district data including employees’ and students’ names, phone numbers, addresses, students’ grades and some bank account information.

Avila said auction information indicates the auction house sold more computers to other buyers.

On Thursday, South Texas Auctions declined to disclose on whether other buyers purchased district computers.

“They sold it to several buyers,” Avila said during an interview. “Where are the rest of the computers?”

The law requires computers be purged of “sensitive information” before they’re sold, Avila said.

“Legally, it’s their job to wipe out or destroy hard drives,” he said.

On Oct. 19, his company notified district officials it had discovered personal information on some computers’ hard drives, Avila said, adding the law requires any victims of breached confidential information be notified within 60 days.

“We notified them to take proper action,” he said. “It’s their obligation to notify people.”

‘SENSITIVE INFORMATION’

On Dec. 7, the district posted on its website a statement regarding its “inadvertent sale of San Benito CISD computer devices to an electronics recycler, which may have contained historical data of the district.”

“Based upon the representations made by RDA Technologies regarding the information alleged to be contained on the devices purchased by the company, no Social Security numbers or other sensitive personal information was included,” the district stated.

Co-owner of Brownsville-based RDA Technologies David Avila reviews hard drive data at his office Friday, Jan. 6, 2023, from the San Benito Consolidated Independent School District computer towers that Avila purchased though an auction house. (Miguel Roberts/The Brownsville Herald)

However, Avila said his company has discovered what he called “sensitive information” in 11 computers, one of which was destroyed while 10 have been placed in “quarantine.”

Avila said the company has not inspected 503 other district computers purchased through the auction house.

“There is sensitive information, and I have this hard drive,” he said.

On Oct. 28, Todd English, the district’s technology director currently on paid administrative leave, reviewed the computers at the company’s offices, Avila said.

On Friday, the Valley Morning Star inspected a computer, which Avila selected, finding a teacher’s bank account number; a teacher’s partial bank account number; a teachers list including names, user names and emails; students’ names, identification numbers and grades; a students failing list including names; a migrant students list including names, student identification numbers and grade levels; and IP and MAC numbers to district copiers and printers.

Meanwhile, Avila said district officials have offered $138,619 to buy the computers he purchased for about $29,000, a claim district officials denied in a statement.

Avila said he declined the offer.

Avila, who added he has refused the district’s offer to sign a non-disclosure agreement in exchange for $27,525, said he has filed a report with the Texas Attorney General’s Office, stating he purchased school district computers containing some sensitive information.

District officials posted the Dec. 7 statement to their website “to inform faculty, staff, and current and former students of a potential data security incident that involved the inadvertent sale of San Benito CISD computer devices to an electronics recycler, which may have contained historical data of the district.”

“We recently learned that a local electronics recycler, RDA Technologies, purchased devices from the district that may have unintentionally contained data collected in the normal course of our operations,” the district stated.

NO ‘EVIDENCE’

On Thursday, district officials stated they had not received “evidence” the computers contain confidential information.

“RDA has made unsubstantiated claims that the devices contained sensitive data but to date the district has not received any evidence or credible indication that any confidential information for any student or employee was on the devices,” district spokeswoman Isabel Gonzalez stated. “Based upon the representations made by RDA Technologies regarding the information alleged to have been found on the devices, it does not appear that any Social Security numbers or other sensitive personal information was included.”

Co-owner of Brownsville-based RDA Technologies David Avila reviews hard drive data at his office Friday, Jan. 6, 2023, from the San Benito Consolidated Independent School District computer towers that Avila purchased though an auction house. (Miguel Roberts/The Brownsville Herald)

“Moreover, the district has not received any other reports of devices containing historical data,” she stated. “The district was able to conduct a brief review of the equipment RDA purchased but the inspection did not reveal any confidential information. Regardless, out of an abundance of caution, the district has continued to work with RDA Technologies regarding the matter but RDA has not been cooperative with any of the district’s proposed solutions. The district has also reported this matter, as well as the conduct of RDA, to the consumer protection division of the Texas Attorney General’s Office. To help prevent something like this from happening again, the district is reviewing its procedures relating to device disposal and will re-enforce education with its staff on these procedures.”

BACKGROUND

Meanwhile, authorities are investigating the cyber extortion hacking group Karakurt’s breach of the district’s technology system, Cameron County District Attorney Luis Saenz has said, adding he was trying to determine whether former employees and students were also victims.

On Friday, Gonzalez stated the district on Dec. 30 mailed 21,653 letters to individuals, including 12,080 “minors” whom it identified as affected by the breach discovered around Nov. 1.

“Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom,” the FBI and the Cybersecurity and Infrastructure Security Agency state on their website. “Known ransom demands have ranged from $25,000 to $13 million in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.”

Last month, Sylvia Wood, spokeswoman with the Texas Association of School Boards, declined to comment on whether the agency, on behalf of the school district, negotiated with the hackers in an attempt to stop them from distributing the district’s confidential information.

The Valley Morning Star has filed a request under the Texas Public Information Act for information regarding negotiations with Karakurt.