Louisiana School District Alerts Data Breach Victims Following News Probe

This article was created in collaboration with The Acadiana Advocate, a newsroom located in Louisiana.

Victims of a cyberattack on the St. Landry Parish School Board in July 2023 had their private information exposed and were not informed for five months, well past the required time frame according to state law. It was only after an investigation by a newspaper that the Louisiana Attorney General’s Office reached out to the district to remind them of their legal obligations.

Recent emails and records obtained by The Acadiana Advocate in response to a public records request in January this year disclosed the delayed notification process.

Shortly after the disclosure of the data breach by reporters, a lawyer from the state attorney general’s office contacted the school district regarding consumer protection issues, questioning them directly in response to the article.

An investigation by The Advocate and The 74 revealed that the St. Landry Parish School Board failed to notify individuals affected by the breach shortly after the attack occurred, contradicting their earlier claims.

L. Christopher Styron, an attorney from the state attorney general’s office, promptly addressed the district about their breach notification obligations under state law which they had neglected to comply with.

According to Louisiana’s breach notification law, schools and other entities must notify affected individuals in a timely manner after a breach is discovered, with a deadline of no later than 60 days. Failure to do so may result in fines of up to $5,000 per day past the 60-day mark, if the state attorney general is not notified within 10 days of informing the affected individuals.

As a result of these events, St. Landry officials took action to notify victims, including thousands of students, district employees, and other businesses, about the compromise of their information by the cybercrime syndicate Medusa.

The district’s attorney responded to Styron acknowledging the notification issue and expressing intent to address it promptly.

In a letter dated December 21, schools Superintendent Milton Batiste III informed an unverified number of victims that their sensitive information might have been compromised by the cyberattack.

Former math teacher Donna Sarver, whose personal information was among those exposed, criticized the district for the delayed notification, emphasizing that it should have occurred much earlier.

Victims of the data breach, including various stakeholders, were unaware of the security lapse until the district notified them six months after the incident, followed by an official notification to the attorney general.

The district officials declined to provide additional information for this report despite multiple inquiries. Similarly, the attorney general’s office did not respond to interview requests.

The delayed response by St. Landry district officials aligns with the pattern observed in school districts nationwide, where cyberattacks on educational institutions have escalated, impacting student and teacher privacy. This trend has largely been downplayed by education leaders despite the risks involved.

James Lee of the Identity Theft Resource Center highlighted the challenges in issuing breach notifications due to organizational decision-making processes, emphasizing the need for improved safeguards.

‘For reasons that are unknown’

In August 2023, St. Landry Parish School Board acknowledged a cyberattack on its computer network but initially downplayed the severity, claiming that no sensitive information was impacted.

However, an analysis of leaked records revealed significant breaches compromising personal data of thousands of individuals, contradicting the district’s earlier statements.

Similarly, the district’s responses to the attorney general and victims of the breach appeared inconsistent and misleading.

The district indicated in a letter to the attorney general that the stolen files had been recovered, but recent checks revealed otherwise, as the compromised data remained accessible through criminal channels.

Superintendent Batiste mentioned in the notice to the attorney general that the district’s network was breached without any ransom demands, contrary to the information available on the dark web involving a ransom request linked to the stolen data.

While the state police informed school officials about compromised files containing sensitive information, the district’s delayed response and inconsistent statements raise questions about the handling of the breach.

‘How do you recover it?’

The cybercriminals engaged in a ransomware strategy known as “double extortion” in the St. Landry breach, emphasizing the need for improved cybersecurity measures and victim notifications.

The district’s lack of understanding and response to the stolen data, combined with contradictory statements from officials, reflected a concerning trend in cyberattack aftermaths.

Statements from district staff indicated inadequate communication and investigation into the breach, highlighting gaps in addressing data breaches effectively.

The discrepancy between Fontenot’s statements and the timeline provided by Batiste further underscored the lack of transparency and clarity in handling the cyberattack incident.

Further investigations are required to ascertain the extent of data leakage and the impact on individuals affected by the breach.

The delayed notification to data breach victims and the unclear communication about the breach’s impact underscore the importance of prompt and comprehensive response to cybersecurity incidents.

The notification process for breach victims was delayed due to the time required to review the acquired files, delaying the release of critical information to affected individuals.

Addressing the complexities of data breaches and compliance with state laws necessitates cooperation between cybersecurity experts, attorneys, and educational institutions to mitigate risks effectively.

The delay in notifying victims of the data breach by the school board raises concerns about safeguarding sensitive information and addressing cybersecurity threats promptly.

Amid increased cyber threats to educational institutions, ensuring transparency and accountability in responding to data breaches is essential for protecting student and staff privacy.

Sarver criticized the district’s handling of the breach, emphasizing the long delay in notifying victims about the security lapse and questioning the efficacy of credit monitoring services provided.

The ongoing challenges in recovering compromised data highlight the importance of proactive cybersecurity measures and prompt victim notifications to prevent further breaches.