San Benito school district addresses computer breach

As previously reported to the public by the San Benito CISD and the Cameron County District Attorney, the district recently identified and addressed a cybersecurity incident that involved unauthorized access to certain devices in its computer network.

When the district became aware of the incident, it immediately took affirmative steps to address the issue. To assist with its response, the district promptly engaged outside cybersecurity experts to advise and conduct an investigation. As a part of those efforts, the district completed a thorough and exhaustive review of the information involved to identify each individual, the information specific to each individual, and locate each person’s mailing address to directly notify them of the incident. The district is mailing letters to each involved individual upon the guidance of its outside experts to ensure that these individuals are provided with information about the incident and instructions for enrolling in a free, one-year membership of credit monitoring and identity theft prevention services.

Due to the complexity and sophistication of these types of incidents, this investigation and notification preparation took time and was a labor-intensive process. The district will be mailing letters to identified individuals on Dec. 30. This timing is in line with Texas state law, which allows an entity that falls victim to these types of attacks 60 days to investigate and notify individuals and the attorney general’s office. The district not only wanted to fulfill its legal obligations but also ensure that any information provided to the public is truthful, accurate, and does not needlessly alarm people whose information was not involved.

At the same time, the district has been working with the FBI and the Texas attorney general. In addition, the district has responded to multiple requests for information from the Cameron County district attorney and advised him, from the first contact, that the district has been actively working to notify affected individuals.

While the district has been diligently working to notify individuals with due care, several misleading and false allegations have been made, including fictitious claims raised by the district’s technology director, Todd English.

On Dec. 21, Mr. English’s lawyer advised local media that Mr. English was placed on paid administrative leave on Nov. 15. Mr. English responded by filing an employee grievance against the district, which nonsensically implies that he was “retaliated against” for reporting the incident to Chief Juan Sosa of the San Benito CISD Police Department. As a matter of policy, the district generally does not provide specific information regarding personnel matters; however, given that Mr. English has shared his grievance publicly, the district feels compelled to unequivocally state that his fabricated accusations are wholly untrue and meritless.

The district would also like to take this opportunity to dispel certain inaccuracies within articles published by Mr. Fernando Del Valle of the Valley Morning Star regarding this matter.

An article posted by the VMS on Dec. 20 contained a misleading headline stating that “DA forces San Benito schools to notify victims of … data breach …,” and went on to conclude that the district “refused” to disclose the situation or follow the law until the district attorney intervened. These implications are completely incorrect and under the circumstances, irresponsible. The district advised the district attorney and the VMS in writing that the district had already been thoughtfully working to directly notify individuals whose information was involved long before this matter came to the attention of the district attorney’s office. Once the district attorney made an announcement, the district promptly followed up with confirmation of the situation and stated that notification to involved individuals was imminent.

The idea that the district was “forced” to make a full disclosure is simply false; we advised the district attorney’s office that it would occur well within the required timeframes. We agree that affected persons should be notified as early as possible, but first we had to determine who that is so that unaffected persons don’t get the wrong impression or, as stated above, that any information provided to the public not needlessly alarm people whose information was not involved.

Another article from Mr. Del Valle dated Dec. 19 contained a headline stating that the FBI is investigating a “San Benito CISD technology breach.” To clarify that situation, at the district’s request, the district’s technology security consultant is assisting with the FBI’s investigation into the external threat actor responsible for the cyberattack. The FBI is not investigating the district or its response efforts.

San Benito CISD and certain members of its community have been subjected to a sophisticated cyberattack. We have taken the situation very seriously. It has been priority No. 1 for us since we became aware of the incident in November. Following the advice of experts who do this every day, we planned to announce the incident and directly notify individuals when we could determine whose information was involved and whose was not, and in accordance with the law. Any implication that we did not intend to disclose is simply untrue. It is unfortunate that, in the midst of diligent response efforts premised on communicating to our citizens that we are doing everything possible on their behalf, the community has received inaccurate reports.

Theresa Servellon is superintendent of the San Benito Consolidated Independent School District.