Anyone who has dealings with the San Benito Consolidated Independent School District has a right to ask why district officials have waited two months to disclose a computer breach that could have compromised their personal information.
Cameron County District Attorney Luis Saenz revealed on Dec. 19 that he had asked school officials on Dec. 9 to inform victims, including employees and students’ parents, about the security breach. The district had made no such notifications, at least not until the DA revealed the breach to the newspaper.
“So I had no choice but to make the announcement myself,” Saenz said.
Saenz said the district’s computers were infiltrated by a foreign group that is known to worm into computers and capture data, demanding ransom from the victims for codes that will unlock the information.
In a letter published in this newspaper this week, Superintendent Theresa Servellon stated that the district planned to mail letters today, Dec. 30, to people who were directly affected, and noted that state law allows 60 days for such notification. The letter further notes that the district became aware of the incident in November.
But Saenz and the attorney for the district’s suspended technology director have said that the breach occurred Nov. 1, a date not yet refuted by the district. This would mean district officials waited until the last possible day to directly notify victims of the breach — one that the DA called the biggest his office has ever seen.
What did they do? In the weeks leading up to their plan to control notification of the breach only to the victims, district officials dedicated more than 2,000 words in the form of statements and the letter to the editor largely criticizing the Valley Morning Star and the reporter who reported the story to the public.
We feel those words could have been better spent notifying the public about the breach with a sense of immediacy and urgency as other local governments have done, which is contrary to the school district’s claims that it is customary to wait to notify victims affected until they’re identified.
Servellon’s letter also states that the district did not want to “needlessly alarm people whose information was not involved.” However, as a public entity the district has an obligation to all the people they serve, not just those whose data they know to be compromised. The hack could include other information that as yet remains unknown.
So far the district has been a textbook example of how not to address information that has to be public.
Whether they like it or not, and whether they acknowledge it or not, public officials must know that transparency is required of all government entities. Voters have a right, and a need, to know what their officials are doing and if they acted appropriately. Taxpayers have a right to know how their money is being spent, and the people they serve have a right, and a need, to know their needs are being met.
Parceling out the information to selected people is unacceptable, especially with the possible damage or risk thousands of people face if their personal information falls into the wrong hands. The district attorney said the hackers are known to provide the information to other cybercriminals, possibly enabling them to further harm the victims.
Sending out letters doesn’t cut it. Given the sensitivity of the information and the timing of the attack, they should have issued warnings as quickly as possible and to as many people as possible.
The public’s right to know is one of our country’s primary, and best-known, precepts.
School officials might think disclosure of some information might be embarrassing or bothersome. That’s no excuse. If they become inundated by complaints, and possible legal claims, from people who have suffered as a result of the security breach and the district’s decision to keep the public uninformed, the fallout could be worse than any discomfort they might have tried to avoid.
