Thousands of Louisiana Teachers and Students Had Their Information Leaked After Cyberattack But Were Never Notified The 74
p The 74
ppAmericas Education News SourceppCopyright 2023 The 74 Media IncppThis story was produced in partnership with The Acadiana Advocate a Louisianabased newsroomppIt was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St Landry Parish but she didnt think much about it even after her Facebook got hacked ppNow shes left to wonder whether the two are connected ppHer Social Security number and other personal information were stolen in a ransomware attack against her former employer the St Landry Parish School Board an investigation by The 74 and The Acadiana Advocate revealed The reporting included a data analysis by The 74 of some 211000 files that a cybercrime syndicate leaked online in August after the district refused to pay a 1 million ransom ppThe 12000student district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information but the stolen files analysis tells a different story ppFour months after the attack the joint investigation revealed that Vidrine was among thousands of students teachers and business owners who had their personal information exposed online More than a dozen victims said they were similarly unaware those details were readily available leaving them vulnerable to identity theftppThe number of cyberattacks on K12 school districts and breaches of their sensitive student and employee data have reached critical levels enough to prompt the Biden White House to convene an August summit on how to tackle the threat and in multiple instances districts have been accused of withholding information from the publicppThey want to brush everything under the rug said Vidrine who worked for St Landry schools for eight years before leaving in 2021 The districts dont want bad publicityppAmong the districts breached documents are thousands of health insurance records with the Social Security numbers of at least 13500 people some 100000 sales tax records for local and outofstate companies and several thousand student records including home addresses and special education statusppA failure to notify families and educators such personal information was leaked experts said could run afoul of Louisianas data breach notification rulesppLouisiana law mandates that schools and other entities notify affected individuals without unreasonable delay and no later than 60 days after a breach is discovered ppBreached entities that fail to alert the state attorney generals office within 10 days of notifying affected individuals can face fines up to 5000 for every day past the 60day mark ppThe St Landry district discovered the cyberattack in late July and reported it to state police and the media within days District administrators dispute that the hack led to a breach of sensitive information but also acknowledged last week they havent taken steps to understand the scope of what was stolen or to notify individual victims ppIn some circumstances entities can delay their notice to victims if doing so could compromise the integrity of a police investigation and law enforcement sources confirmed an active criminal probe Under Louisiana law the state attorney generals office must approve such disclosure delays ppReporters filed a public records request with the state attorney generals office Oct 23 asking for any breach notices from the St Landry district The office responded Nov 2 that the request did not yield any results indicating such a disclosure was never made The office didnt respond to further questions about whether it was looking into St Landrys apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigationppAs time drags on breach victims remain unprotected and unaware of their heightened risk of identity theft James Lee the chief operating officer of Californiabased Identity Theft Resource Center said a fourmonth delay is a long time to not notify somebody of that level of sensitive informationppBecause the school district hasnt issued a notice then its hard to know exactly what happened and why Lee said Thats important because that also leads you to Well what does the individual need to do to protect themselves now that their information has been exposedppRansomware attacks have become a growing threat to US schools and breaches in some of the largest districts have attracted scrutiny But experts said that small and midsized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their farreaching consequences ppThe first indication of a problem with St Landrys computer network came in late July when an employee in the districts central office reported spyware on their device Superintendent Milton Batiste III said in August following the attackppThe ransomware group Medusa believed by cybersecurity experts to be Russian has taken credit for the St Landry Parish leak The syndicate has leveled multiple school district attacks including a massive breach in Minneapolis earlier this yearppA district spokesperson confirmed last week that it refused to pay the ransom in line with what federal law enforcement advises By midAugust the trove of stolen files was publicized on a website designed to resemble a technology news blog a front of sorts and became available for download on Telegram an encrypted social media platform thats been used by terror groups and extremists ppThe threat actors appeared to employ a tactic thats grown in popularity in recent years called double extortion Hackers gain access to a victims computer networks often through phishing emails download compromising records and lock them with encryption keys Criminals then demand the victim pay a ransom to regain access When victims fail or refuse to pay the files are published online for anyone to exploit ppCurrent and former students were affected by the attack though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff ppOne St Landry mother who is also a district employee was outraged when she learned that her sons information was leaked especially because he hasnt attended a district public school for two years The woman who asked not to be identified for fears she could lose her job was livid that the district had claimed employee and student records had been kept safe She said she was offered free creditmonitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach ppIf theyre lying about it and our information did get out there then thats a whole other situation she said Theyre telling all their employees all of our information did not get messed with ppShe implored district leaders to notify the parents of children who had their information exposed including those whose kids are no longer in the school system If she had known her 17yearold son was caught up in the breach she said she could have already taken steps to protect himppDistrict officials said they were unaware of the extent of the breach Tricia Fontenot the districts supervisor of instructional technology said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all She said when the board asked state police for updates it was told an active investigation was in progress and no information could be released It did not give a timeline for when its investigation would be completedppWe never received reports of the actual information that was obtained she said All of that is under investigation We have not received anything in regards to that investigationppThe board Fontenot said decided to trust the processppAs seen in other school district cyberattacks across the country however law enforcements responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students That work is done by the school districts who often hire cybersecurity consultants to help carry out those complex tasksppByron Wimberly St Landrys computer center supervisor maintained that the compromised servers had not been used to store personal information He used the frequency of cyberattacks as grounds to question whether St Landry was the source of the breached datappYou know how many people get hacked a year Can you point that to the school board 100 Wimberly saidppHowever evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming namely the more than 200000 files posted to Telegram that link back to St Landry schools In fact folders that were breached and uploaded to the web point in part to a central office clerk who saved many of the most sensitive files to one of the least secured places her computers desktop ppThe records identify more than 2700 current and former St Landry Parish students including their full names race and ethnicity dates of birth home addresses parents phone numbers and login credentials for district technology Spreadsheets listed students who were eligible for special education services and those who were classified as English language learnersppThe health records that include Social Security numbers and other personally identifiable information for at least 13500 people far exceed the number of individuals currently employed by the district Thats because the records also encompass former employees retirees and those who have since died as well as their dependents including spouses and children Attached to the records are scanned copies of formal documents about major life events Births marriages divorces and deaths ppThousands of people who have received retirement benefits from the school district had their full names published along with Social Security numbers and health insurance premiumsppAlso included are some 100000 sales tax records for local and outofstate companies that conducted business in St Landry Parish with affected individuals extending far beyond Louisiana borders Local victims include the owners of a diner a gun store and an artist who makes soap with goat milk It also includes a metal pipe company in Alabama an Indianapolisbased cannabis company and a senior official at Ring the Amazonowned surveillance camera company headquartered in Santa Monica CaliforniappUnlike most states Louisiana lacks a central sales tax agency Instead there are 54 different collection agencies that range from sheriffs offices to parish governments to school boards St Landry Parishs sales tax collection office is overseen by the St Landry Parish School Board Louisiana schools largest source of local revenue is derived from sales taxes ppThousands of other files appeared to get captured at random a limited set of files with student disciplinary records a collection of wedding photographs documentation for campus security cameras and artistic renderings of Jesus ChristppAmelia Lyons the coowner of a St Landry Parish glass business whose information was exposed said a call from a reporter was the first time she had heard about the breach a reality she called alarming ppI feel like I should have gotten a more formal notification about this Lyons saidppThe St Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles Las Vegas Minneapolis and suburban Washington DC ppRansomware attacks on the national education sector have surged by 80 in the past year alone according to a recent report by the nonprofit Institute for Security and Technology Earlier this year hackers waged attacks on seven Louisiana colleges over four months among them Southeastern Louisiana University which also faced a data breach and claims it hadnt been forthcoming with the public ppIts also not the first time St Landry schools have fallen victim In 2020 the school board took its system offline for at least two weeks following a similar cyberattackppWhile hacker groups have grown more sophisticated school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats said Kenny Donnelly executive director of the Louisiana Cybersecurity Commission which was created to help schools and other entities bolster their defenses As a result schools are lowhanging fruit said Donnelly who said that educators should expect to see even more attacks in the coming years ppEducational entities are going to be a soft target he said If theyre not being hit theyre going to be hit if theyre not doing the things they need to do to get their networks and their security in order ppStill experts say leaders at small and midsized districts are often surprised when they become the targets of international cybercriminalsppTheyre such a small fish in the ocean they think why would anybody bother with them said Doug Levin the national director of the nonprofit K12 Security Information eXchange Its improbable that hackers targeted St Landry specifically he said and more likely that a district employee opened a spam email and clicked on a phishing link ppIts a question of them throwing their fishing hook in the barrel and just waiting to see who bites Levin said They dont know who their next victim is going to be and they dont really care ppWhen a small or mediumsized district takes the bait the impact can be substantial because theyre often among their communities largest employers In the roughly 80000resident St Landry Parish the breached health insurance records represent roughly 1 in 6 residentsppData breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen ppI just want the district to be professional said Vidrine the former science teacher A notification that this happened Were tending to it and you need to protect yourself We made a mistakeppThe district also faces risks of civil liability said Chase Edwards an associate law professor at the University of Louisiana at Lafayette A failure to notify affected individuals is what class actions are made of Edwards said ppThe school district has a duty to protect any private information they collect Edwards said and are both legally and ethically obligated to notify breach victims ppAbout 125 million US children are the victims of identity theft each year according to a recent report by the research firm Javelin Social Security numbers and other personal information about children are particularly valuable to thieves who can use the records to obtain credit cards and loans without detection for years ppBecause children dont typically have credit cards they also dont receive credit reports that can alert them when something is amiss Lee said Darkweb marketplaces that sell personal information often put a premium on childrens Social Security numbers which Lee said are primarily used by fraudsters to apply for jobs Once victims learn theyve been compromised the problem is not easy to address and can have lifelong impacts he said ppDeath certificates and obituaries included in the St Landry breach present their own unique set of risks Even after death Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as ghostingppPeople whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves Lee said Such criminals he said are often part of very sophisticated networks based overseasppIts not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies Lee said Thats not the hacker of today Theyre not sitting in their parents basement Theyre in call centers in Dubai and in Cambodia and in North AfricappIts important that potential victims freeze their credit Lee said and implement robust privacy protections on their online accounts including twofactor authentication and unique login credentials stored in password managersppA finance and technology executive whose information was compromised in the St Landry breach knows firsthand the headaches that come with identity theft Following a previous incident he said someone used his information to file a false tax return ppThe executive who asked not to be named because he wasnt authorized to speak with the press has never stepped foot in St Landry parish Yet his data was exposed because his former employer conducts business there Having stringent security measures in place offered him peace of mind he said when he learned from a reporter that his information had again been exposed ppFontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders including the school board attorney will identify a course of actionppBut St Landry should take immediate steps to protect breach victims including a notification to the state cybersecurity commission said Donnelly its executive director ppThat they didnt notify us of this its disappointing said Donna Sarver a math teacher who worked for the district for three years before leaving in 2020 She and other victims she said now have to fend for themselves ppBut its a poor parish and I dont think they do anything unless they really really have toppThis story was supported by a grant from the Fund for Investigative JournalismppGet the most critical news and information about students rights safety and wellbeing delivered straight to your inboxppSupport The 74s yearend campaign Make a taxexempt donation nowppMark Keierleber is an investigative reporter at The 74ppStephen Marcantel is a rural reporter at The Acadiana Advocate in Lafayette Louisiana and a Report for America corps memberppAshley White is an education reporter at The Acadiana Advocate in Lafayette LouisianappWe want our stories to be shared as widely as possible for freeppPlease view The 74s republishing termsppBy Mark Keierleber Stephen Marcantel Ashley WhiteppThis story first appeared at The 74 a nonprofit news site covering education Sign up for free newsletters from The 74 to get more like this in your inboxppThis story was produced in partnership with The Acadiana Advocate a Louisianabased newsroomppIt was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St Landry Parish but she didnt think much about it even after her Facebook got hacked ppNow shes left to wonder whether the two are connected ppHer Social Security number and other personal information were stolen in a ransomware attack against her former employer the St Landry Parish School Board an investigation by The 74 and The Acadiana Advocate revealed The reporting included a data analysis by The 74 of some 211000 files that a cybercrime syndicate leaked online in August after the district refused to pay a 1 million ransom ppThe 12000student district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information but the stolen files analysis tells a different story ppFour months after the attack the joint investigation revealed that Vidrine was among thousands of students teachers and business owners who had their personal information exposed online More than a dozen victims said they were similarly unaware those details were readily available leaving them vulnerable to identity theftppThe number of cyberattacks on K12 school districts and breaches of their sensitive student and employee data have reached critical levels enough to prompt the Biden White House to convene an August summit on how to tackle the threat and in multiple instances districts have been accused of withholding information from the publicppThey want to brush everything under the rug said Vidrine who worked for St Landry schools for eight years before leaving in 2021 The districts dont want bad publicityppAmong the districts breached documents are thousands of health insurance records with the Social Security numbers of at least 13500 people some 100000 sales tax records for local and outofstate companies and several thousand student records including home addresses and special education statusppA failure to notify families and educators such personal information was leaked experts said could run afoul of Louisianas data breach notification rulesppLouisiana law mandates that schools and other entities notify affected individuals without unreasonable delay and no later than 60 days after a breach is discovered ppBreached entities that fail to alert the state attorney generals office within 10 days of notifying affected individuals can face fines up to 5000 for every day past the 60day mark ppThe St Landry district discovered the cyberattack in late July and reported it to state police and the media within days District administrators dispute that the hack led to a breach of sensitive information but also acknowledged last week they havent taken steps to understand the scope of what was stolen or to notify individual victims ppIn some circumstances entities can delay their notice to victims if doing so could compromise the integrity of a police investigation and law enforcement sources confirmed an active criminal probe Under Louisiana law the state attorney generals office must approve such disclosure delays ppReporters filed a public records request with the state attorney generals office Oct 23 asking for any breach notices from the St Landry district The office responded Nov 2 that the request did not yield any results indicating such a disclosure was never made The office didnt respond to further questions about whether it was looking into St Landrys apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigationppAs time drags on breach victims remain unprotected and unaware of their heightened risk of identity theft James Lee the chief operating officer of Californiabased Identity Theft Resource Center said a fourmonth delay is a long time to not notify somebody of that level of sensitive informationppBecause the school district hasnt issued a notice then its hard to know exactly what happened and why Lee said Thats important because that also leads you to Well what does the individual need to do to protect themselves now that their information has been exposedppRansomware attacks have become a growing threat to US schools and breaches in some of the largest districts have attracted scrutiny But experts said that small and midsized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their farreaching consequences ppThe first indication of a problem with St Landrys computer network came in late July when an employee in the districts central office reported spyware on their device Superintendent Milton Batiste III said in August following the attackppThe ransomware group Medusa believed by cybersecurity experts to be Russian has taken credit for the St Landry Parish leak The syndicate has leveled multiple school district attacks including a massive breach in Minneapolis earlier this yearppA district spokesperson confirmed last week that it refused to pay the ransom in line with what federal law enforcement advises By midAugust the trove of stolen files was publicized on a website designed to resemble a technology news blog a front of sorts and became available for download on Telegram an encrypted social media platform thats been used by terror groups and extremists ppThe threat actors appeared to employ a tactic thats grown in popularity in recent years called double extortion Hackers gain access to a victims computer networks often through phishing emails download compromising records and lock them with encryption keys Criminals then demand the victim pay a ransom to regain access When victims fail or refuse to pay the files are published online for anyone to exploit ppCurrent and former students were affected by the attack though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff ppOne St Landry mother who is also a district employee was outraged when she learned that her sons information was leaked especially because he hasnt attended a district public school for two years The woman who asked not to be identified for fears she could lose her job was livid that the district had claimed employee and student records had been kept safe She said she was offered free creditmonitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach ppIf theyre lying about it and our information did get out there then thats a whole other situation she said Theyre telling all their employees all of our information did not get messed with ppShe implored district leaders to notify the parents of children who had their information exposed including those whose kids are no longer in the school system If she had known her 17yearold son was caught up in the breach she said she could have already taken steps to protect himppDistrict officials said they were unaware of the extent of the breach Tricia Fontenot the districts supervisor of instructional technology said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all She said when the board asked state police for updates it was told an active investigation was in progress and no information could be released It did not give a timeline for when its investigation would be completedppWe never received reports of the actual information that was obtained she said All of that is under investigation We have not received anything in regards to that investigationppThe board Fontenot said decided to trust the processppAs seen in other school district cyberattacks across the country however law enforcements responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students That work is done by the school districts who often hire cybersecurity consultants to help carry out those complex tasksppByron Wimberly St Landrys computer center supervisor maintained that the compromised servers had not been used to store personal information He used the frequency of cyberattacks as grounds to question whether St Landry was the source of the breached datappYou know how many people get hacked a year Can you point that to the school board 100 Wimberly saidppHowever evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming namely the more than 200000 files posted to Telegram that link back to St Landry schools In fact folders that were breached and uploaded to the web point in part to a central office clerk who saved many of the most sensitive files to one of the least secured places her computers desktop ppThe records identify more than 2700 current and former St Landry Parish students including their full names race and ethnicity dates of birth home addresses parents phone numbers and login credentials for district technology Spreadsheets listed students who were eligible for special education services and those who were classified as English language learnersppThe health records that include Social Security numbers and other personally identifiable information for at least 13500 people far exceed the number of individuals currently employed by the district Thats because the records also encompass former employees retirees and those who have since died as well as their dependents including spouses and children Attached to the records are scanned copies of formal documents about major life events Births marriages divorces and deaths ppThousands of people who have received retirement benefits from the school district had their full names published along with Social Security numbers and health insurance premiumsppAlso included are some 100000 sales tax records for local and outofstate companies that conducted business in St Landry Parish with affected individuals extending far beyond Louisiana borders Local victims include the owners of a diner a gun store and an artist who makes soap with goat milk It also includes a metal pipe company in Alabama an Indianapolisbased cannabis company and a senior official at Ring the Amazonowned surveillance camera company headquartered in Santa Monica CaliforniappUnlike most states Louisiana lacks a central sales tax agency Instead there are 54 different collection agencies that range from sheriffs offices to parish governments to school boards St Landry Parishs sales tax collection office is overseen by the St Landry Parish School Board Louisiana schools largest source of local revenue is derived from sales taxes ppThousands of other files appeared to get captured at random a limited set of files with student disciplinary records a collection of wedding photographs documentation for campus security cameras and artistic renderings of Jesus ChristppAmelia Lyons the coowner of a St Landry Parish glass business whose information was exposed said a call from a reporter was the first time she had heard about the breach a reality she called alarming ppI feel like I should have gotten a more formal notification about this Lyons saidppThe St Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles Las Vegas Minneapolis and suburban Washington DC ppRansomware attacks on the national education sector have surged by 80 in the past year alone according to a recent report by the nonprofit Institute for Security and Technology Earlier this year hackers waged attacks on seven Louisiana colleges over four months among them Southeastern Louisiana University which also faced a data breach and claims it hadnt been forthcoming with the public ppIts also not the first time St Landry schools have fallen victim In 2020 the school board took its system offline for at least two weeks following a similar cyberattackppWhile hacker groups have grown more sophisticated school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats said Kenny Donnelly executive director of the Louisiana Cybersecurity Commission which was created to help schools and other entities bolster their defenses As a result schools are lowhanging fruit said Donnelly who said that educators should expect to see even more attacks in the coming years ppEducational entities are going to be a soft target he said If theyre not being hit theyre going to be hit if theyre not doing the things they need to do to get their networks and their security in order ppStill experts say leaders at small and midsized districts are often surprised when they become the targets of international cybercriminalsppTheyre such a small fish in the ocean they think why would anybody bother with them said Doug Levin the national director of the nonprofit K12 Security Information eXchange Its improbable that hackers targeted St Landry specifically he said and more likely that a district employee opened a spam email and clicked on a phishing link ppIts a question of them throwing their fishing hook in the barrel and just waiting to see who bites Levin said They dont know who their next victim is going to be and they dont really care ppWhen a small or mediumsized district takes the bait the impact can be substantial because theyre often among their communities largest employers In the roughly 80000resident St Landry Parish the breached health insurance records represent roughly 1 in 6 residentsppData breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen ppI just want the district to be professional said Vidrine the former science teacher A notification that this happened Were tending to it and you need to protect yourself We made a mistakeppThe district also faces risks of civil liability said Chase Edwards an associate law professor at the University of Louisiana at Lafayette A failure to notify affected individuals is what class actions are made of Edwards said ppThe school district has a duty to protect any private information they collect Edwards said and are both legally and ethically obligated to notify breach victims ppAbout 125 million US children are the victims of identity theft each year according to a recent report by the research firm Javelin Social Security numbers and other personal information about children are particularly valuable to thieves who can use the records to obtain credit cards and loans without detection for years ppBecause children dont typically have credit cards they also dont receive credit reports that can alert them when something is amiss Lee said Darkweb marketplaces that sell personal information often put a premium on childrens Social Security numbers which Lee said are primarily used by fraudsters to apply for jobs Once victims learn theyve been compromised the problem is not easy to address and can have lifelong impacts he said ppDeath certificates and obituaries included in the St Landry breach present their own unique set of risks Even after death Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as ghostingppPeople whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves Lee said Such criminals he said are often part of very sophisticated networks based overseasppIts not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies Lee said Thats not the hacker of today Theyre not sitting in their parents basement Theyre in call centers in Dubai and in Cambodia and in North AfricappIts important that potential victims freeze their credit Lee said and implement robust privacy protections on their online accounts including twofactor authentication and unique login credentials stored in password managersppA finance and technology executive whose information was compromised in the St Landry breach knows firsthand the headaches that come with identity theft Following a previous incident he said someone used his information to file a false tax return ppThe executive who asked not to be named because he wasnt authorized to speak with the press has never stepped foot in St Landry parish Yet his data was exposed because his former employer conducts business there Having stringent security measures in place offered him peace of mind he said when he learned from a reporter that his information had again been exposed ppFontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders including the school board attorney will identify a course of actionppBut St Landry should take immediate steps to protect breach victims including a notification to the state cybersecurity commission said Donnelly its executive director ppThat they didnt notify us of this its disappointing said Donna Sarver a math teacher who worked for the district for three years before leaving in 2020 She and other victims she said now have to fend for themselves ppBut its a poor parish and I dont think they do anything unless they really really have toppThis story was supported by a grant from the Fund for Investigative JournalismppGet the most critical news and information about students rights safety and wellbeing delivered straight to your inboxppCopyright 2023 The 74 Media Incp
ppAmericas Education News SourceppCopyright 2023 The 74 Media IncppThis story was produced in partnership with The Acadiana Advocate a Louisianabased newsroomppIt was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St Landry Parish but she didnt think much about it even after her Facebook got hacked ppNow shes left to wonder whether the two are connected ppHer Social Security number and other personal information were stolen in a ransomware attack against her former employer the St Landry Parish School Board an investigation by The 74 and The Acadiana Advocate revealed The reporting included a data analysis by The 74 of some 211000 files that a cybercrime syndicate leaked online in August after the district refused to pay a 1 million ransom ppThe 12000student district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information but the stolen files analysis tells a different story ppFour months after the attack the joint investigation revealed that Vidrine was among thousands of students teachers and business owners who had their personal information exposed online More than a dozen victims said they were similarly unaware those details were readily available leaving them vulnerable to identity theftppThe number of cyberattacks on K12 school districts and breaches of their sensitive student and employee data have reached critical levels enough to prompt the Biden White House to convene an August summit on how to tackle the threat and in multiple instances districts have been accused of withholding information from the publicppThey want to brush everything under the rug said Vidrine who worked for St Landry schools for eight years before leaving in 2021 The districts dont want bad publicityppAmong the districts breached documents are thousands of health insurance records with the Social Security numbers of at least 13500 people some 100000 sales tax records for local and outofstate companies and several thousand student records including home addresses and special education statusppA failure to notify families and educators such personal information was leaked experts said could run afoul of Louisianas data breach notification rulesppLouisiana law mandates that schools and other entities notify affected individuals without unreasonable delay and no later than 60 days after a breach is discovered ppBreached entities that fail to alert the state attorney generals office within 10 days of notifying affected individuals can face fines up to 5000 for every day past the 60day mark ppThe St Landry district discovered the cyberattack in late July and reported it to state police and the media within days District administrators dispute that the hack led to a breach of sensitive information but also acknowledged last week they havent taken steps to understand the scope of what was stolen or to notify individual victims ppIn some circumstances entities can delay their notice to victims if doing so could compromise the integrity of a police investigation and law enforcement sources confirmed an active criminal probe Under Louisiana law the state attorney generals office must approve such disclosure delays ppReporters filed a public records request with the state attorney generals office Oct 23 asking for any breach notices from the St Landry district The office responded Nov 2 that the request did not yield any results indicating such a disclosure was never made The office didnt respond to further questions about whether it was looking into St Landrys apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigationppAs time drags on breach victims remain unprotected and unaware of their heightened risk of identity theft James Lee the chief operating officer of Californiabased Identity Theft Resource Center said a fourmonth delay is a long time to not notify somebody of that level of sensitive informationppBecause the school district hasnt issued a notice then its hard to know exactly what happened and why Lee said Thats important because that also leads you to Well what does the individual need to do to protect themselves now that their information has been exposedppRansomware attacks have become a growing threat to US schools and breaches in some of the largest districts have attracted scrutiny But experts said that small and midsized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their farreaching consequences ppThe first indication of a problem with St Landrys computer network came in late July when an employee in the districts central office reported spyware on their device Superintendent Milton Batiste III said in August following the attackppThe ransomware group Medusa believed by cybersecurity experts to be Russian has taken credit for the St Landry Parish leak The syndicate has leveled multiple school district attacks including a massive breach in Minneapolis earlier this yearppA district spokesperson confirmed last week that it refused to pay the ransom in line with what federal law enforcement advises By midAugust the trove of stolen files was publicized on a website designed to resemble a technology news blog a front of sorts and became available for download on Telegram an encrypted social media platform thats been used by terror groups and extremists ppThe threat actors appeared to employ a tactic thats grown in popularity in recent years called double extortion Hackers gain access to a victims computer networks often through phishing emails download compromising records and lock them with encryption keys Criminals then demand the victim pay a ransom to regain access When victims fail or refuse to pay the files are published online for anyone to exploit ppCurrent and former students were affected by the attack though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff ppOne St Landry mother who is also a district employee was outraged when she learned that her sons information was leaked especially because he hasnt attended a district public school for two years The woman who asked not to be identified for fears she could lose her job was livid that the district had claimed employee and student records had been kept safe She said she was offered free creditmonitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach ppIf theyre lying about it and our information did get out there then thats a whole other situation she said Theyre telling all their employees all of our information did not get messed with ppShe implored district leaders to notify the parents of children who had their information exposed including those whose kids are no longer in the school system If she had known her 17yearold son was caught up in the breach she said she could have already taken steps to protect himppDistrict officials said they were unaware of the extent of the breach Tricia Fontenot the districts supervisor of instructional technology said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all She said when the board asked state police for updates it was told an active investigation was in progress and no information could be released It did not give a timeline for when its investigation would be completedppWe never received reports of the actual information that was obtained she said All of that is under investigation We have not received anything in regards to that investigationppThe board Fontenot said decided to trust the processppAs seen in other school district cyberattacks across the country however law enforcements responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students That work is done by the school districts who often hire cybersecurity consultants to help carry out those complex tasksppByron Wimberly St Landrys computer center supervisor maintained that the compromised servers had not been used to store personal information He used the frequency of cyberattacks as grounds to question whether St Landry was the source of the breached datappYou know how many people get hacked a year Can you point that to the school board 100 Wimberly saidppHowever evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming namely the more than 200000 files posted to Telegram that link back to St Landry schools In fact folders that were breached and uploaded to the web point in part to a central office clerk who saved many of the most sensitive files to one of the least secured places her computers desktop ppThe records identify more than 2700 current and former St Landry Parish students including their full names race and ethnicity dates of birth home addresses parents phone numbers and login credentials for district technology Spreadsheets listed students who were eligible for special education services and those who were classified as English language learnersppThe health records that include Social Security numbers and other personally identifiable information for at least 13500 people far exceed the number of individuals currently employed by the district Thats because the records also encompass former employees retirees and those who have since died as well as their dependents including spouses and children Attached to the records are scanned copies of formal documents about major life events Births marriages divorces and deaths ppThousands of people who have received retirement benefits from the school district had their full names published along with Social Security numbers and health insurance premiumsppAlso included are some 100000 sales tax records for local and outofstate companies that conducted business in St Landry Parish with affected individuals extending far beyond Louisiana borders Local victims include the owners of a diner a gun store and an artist who makes soap with goat milk It also includes a metal pipe company in Alabama an Indianapolisbased cannabis company and a senior official at Ring the Amazonowned surveillance camera company headquartered in Santa Monica CaliforniappUnlike most states Louisiana lacks a central sales tax agency Instead there are 54 different collection agencies that range from sheriffs offices to parish governments to school boards St Landry Parishs sales tax collection office is overseen by the St Landry Parish School Board Louisiana schools largest source of local revenue is derived from sales taxes ppThousands of other files appeared to get captured at random a limited set of files with student disciplinary records a collection of wedding photographs documentation for campus security cameras and artistic renderings of Jesus ChristppAmelia Lyons the coowner of a St Landry Parish glass business whose information was exposed said a call from a reporter was the first time she had heard about the breach a reality she called alarming ppI feel like I should have gotten a more formal notification about this Lyons saidppThe St Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles Las Vegas Minneapolis and suburban Washington DC ppRansomware attacks on the national education sector have surged by 80 in the past year alone according to a recent report by the nonprofit Institute for Security and Technology Earlier this year hackers waged attacks on seven Louisiana colleges over four months among them Southeastern Louisiana University which also faced a data breach and claims it hadnt been forthcoming with the public ppIts also not the first time St Landry schools have fallen victim In 2020 the school board took its system offline for at least two weeks following a similar cyberattackppWhile hacker groups have grown more sophisticated school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats said Kenny Donnelly executive director of the Louisiana Cybersecurity Commission which was created to help schools and other entities bolster their defenses As a result schools are lowhanging fruit said Donnelly who said that educators should expect to see even more attacks in the coming years ppEducational entities are going to be a soft target he said If theyre not being hit theyre going to be hit if theyre not doing the things they need to do to get their networks and their security in order ppStill experts say leaders at small and midsized districts are often surprised when they become the targets of international cybercriminalsppTheyre such a small fish in the ocean they think why would anybody bother with them said Doug Levin the national director of the nonprofit K12 Security Information eXchange Its improbable that hackers targeted St Landry specifically he said and more likely that a district employee opened a spam email and clicked on a phishing link ppIts a question of them throwing their fishing hook in the barrel and just waiting to see who bites Levin said They dont know who their next victim is going to be and they dont really care ppWhen a small or mediumsized district takes the bait the impact can be substantial because theyre often among their communities largest employers In the roughly 80000resident St Landry Parish the breached health insurance records represent roughly 1 in 6 residentsppData breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen ppI just want the district to be professional said Vidrine the former science teacher A notification that this happened Were tending to it and you need to protect yourself We made a mistakeppThe district also faces risks of civil liability said Chase Edwards an associate law professor at the University of Louisiana at Lafayette A failure to notify affected individuals is what class actions are made of Edwards said ppThe school district has a duty to protect any private information they collect Edwards said and are both legally and ethically obligated to notify breach victims ppAbout 125 million US children are the victims of identity theft each year according to a recent report by the research firm Javelin Social Security numbers and other personal information about children are particularly valuable to thieves who can use the records to obtain credit cards and loans without detection for years ppBecause children dont typically have credit cards they also dont receive credit reports that can alert them when something is amiss Lee said Darkweb marketplaces that sell personal information often put a premium on childrens Social Security numbers which Lee said are primarily used by fraudsters to apply for jobs Once victims learn theyve been compromised the problem is not easy to address and can have lifelong impacts he said ppDeath certificates and obituaries included in the St Landry breach present their own unique set of risks Even after death Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as ghostingppPeople whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves Lee said Such criminals he said are often part of very sophisticated networks based overseasppIts not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies Lee said Thats not the hacker of today Theyre not sitting in their parents basement Theyre in call centers in Dubai and in Cambodia and in North AfricappIts important that potential victims freeze their credit Lee said and implement robust privacy protections on their online accounts including twofactor authentication and unique login credentials stored in password managersppA finance and technology executive whose information was compromised in the St Landry breach knows firsthand the headaches that come with identity theft Following a previous incident he said someone used his information to file a false tax return ppThe executive who asked not to be named because he wasnt authorized to speak with the press has never stepped foot in St Landry parish Yet his data was exposed because his former employer conducts business there Having stringent security measures in place offered him peace of mind he said when he learned from a reporter that his information had again been exposed ppFontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders including the school board attorney will identify a course of actionppBut St Landry should take immediate steps to protect breach victims including a notification to the state cybersecurity commission said Donnelly its executive director ppThat they didnt notify us of this its disappointing said Donna Sarver a math teacher who worked for the district for three years before leaving in 2020 She and other victims she said now have to fend for themselves ppBut its a poor parish and I dont think they do anything unless they really really have toppThis story was supported by a grant from the Fund for Investigative JournalismppGet the most critical news and information about students rights safety and wellbeing delivered straight to your inboxppSupport The 74s yearend campaign Make a taxexempt donation nowppMark Keierleber is an investigative reporter at The 74ppStephen Marcantel is a rural reporter at The Acadiana Advocate in Lafayette Louisiana and a Report for America corps memberppAshley White is an education reporter at The Acadiana Advocate in Lafayette LouisianappWe want our stories to be shared as widely as possible for freeppPlease view The 74s republishing termsppBy Mark Keierleber Stephen Marcantel Ashley WhiteppThis story first appeared at The 74 a nonprofit news site covering education Sign up for free newsletters from The 74 to get more like this in your inboxppThis story was produced in partnership with The Acadiana Advocate a Louisianabased newsroomppIt was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St Landry Parish but she didnt think much about it even after her Facebook got hacked ppNow shes left to wonder whether the two are connected ppHer Social Security number and other personal information were stolen in a ransomware attack against her former employer the St Landry Parish School Board an investigation by The 74 and The Acadiana Advocate revealed The reporting included a data analysis by The 74 of some 211000 files that a cybercrime syndicate leaked online in August after the district refused to pay a 1 million ransom ppThe 12000student district some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information but the stolen files analysis tells a different story ppFour months after the attack the joint investigation revealed that Vidrine was among thousands of students teachers and business owners who had their personal information exposed online More than a dozen victims said they were similarly unaware those details were readily available leaving them vulnerable to identity theftppThe number of cyberattacks on K12 school districts and breaches of their sensitive student and employee data have reached critical levels enough to prompt the Biden White House to convene an August summit on how to tackle the threat and in multiple instances districts have been accused of withholding information from the publicppThey want to brush everything under the rug said Vidrine who worked for St Landry schools for eight years before leaving in 2021 The districts dont want bad publicityppAmong the districts breached documents are thousands of health insurance records with the Social Security numbers of at least 13500 people some 100000 sales tax records for local and outofstate companies and several thousand student records including home addresses and special education statusppA failure to notify families and educators such personal information was leaked experts said could run afoul of Louisianas data breach notification rulesppLouisiana law mandates that schools and other entities notify affected individuals without unreasonable delay and no later than 60 days after a breach is discovered ppBreached entities that fail to alert the state attorney generals office within 10 days of notifying affected individuals can face fines up to 5000 for every day past the 60day mark ppThe St Landry district discovered the cyberattack in late July and reported it to state police and the media within days District administrators dispute that the hack led to a breach of sensitive information but also acknowledged last week they havent taken steps to understand the scope of what was stolen or to notify individual victims ppIn some circumstances entities can delay their notice to victims if doing so could compromise the integrity of a police investigation and law enforcement sources confirmed an active criminal probe Under Louisiana law the state attorney generals office must approve such disclosure delays ppReporters filed a public records request with the state attorney generals office Oct 23 asking for any breach notices from the St Landry district The office responded Nov 2 that the request did not yield any results indicating such a disclosure was never made The office didnt respond to further questions about whether it was looking into St Landrys apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigationppAs time drags on breach victims remain unprotected and unaware of their heightened risk of identity theft James Lee the chief operating officer of Californiabased Identity Theft Resource Center said a fourmonth delay is a long time to not notify somebody of that level of sensitive informationppBecause the school district hasnt issued a notice then its hard to know exactly what happened and why Lee said Thats important because that also leads you to Well what does the individual need to do to protect themselves now that their information has been exposedppRansomware attacks have become a growing threat to US schools and breaches in some of the largest districts have attracted scrutiny But experts said that small and midsized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their farreaching consequences ppThe first indication of a problem with St Landrys computer network came in late July when an employee in the districts central office reported spyware on their device Superintendent Milton Batiste III said in August following the attackppThe ransomware group Medusa believed by cybersecurity experts to be Russian has taken credit for the St Landry Parish leak The syndicate has leveled multiple school district attacks including a massive breach in Minneapolis earlier this yearppA district spokesperson confirmed last week that it refused to pay the ransom in line with what federal law enforcement advises By midAugust the trove of stolen files was publicized on a website designed to resemble a technology news blog a front of sorts and became available for download on Telegram an encrypted social media platform thats been used by terror groups and extremists ppThe threat actors appeared to employ a tactic thats grown in popularity in recent years called double extortion Hackers gain access to a victims computer networks often through phishing emails download compromising records and lock them with encryption keys Criminals then demand the victim pay a ransom to regain access When victims fail or refuse to pay the files are published online for anyone to exploit ppCurrent and former students were affected by the attack though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff ppOne St Landry mother who is also a district employee was outraged when she learned that her sons information was leaked especially because he hasnt attended a district public school for two years The woman who asked not to be identified for fears she could lose her job was livid that the district had claimed employee and student records had been kept safe She said she was offered free creditmonitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach ppIf theyre lying about it and our information did get out there then thats a whole other situation she said Theyre telling all their employees all of our information did not get messed with ppShe implored district leaders to notify the parents of children who had their information exposed including those whose kids are no longer in the school system If she had known her 17yearold son was caught up in the breach she said she could have already taken steps to protect himppDistrict officials said they were unaware of the extent of the breach Tricia Fontenot the districts supervisor of instructional technology said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all She said when the board asked state police for updates it was told an active investigation was in progress and no information could be released It did not give a timeline for when its investigation would be completedppWe never received reports of the actual information that was obtained she said All of that is under investigation We have not received anything in regards to that investigationppThe board Fontenot said decided to trust the processppAs seen in other school district cyberattacks across the country however law enforcements responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students That work is done by the school districts who often hire cybersecurity consultants to help carry out those complex tasksppByron Wimberly St Landrys computer center supervisor maintained that the compromised servers had not been used to store personal information He used the frequency of cyberattacks as grounds to question whether St Landry was the source of the breached datappYou know how many people get hacked a year Can you point that to the school board 100 Wimberly saidppHowever evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming namely the more than 200000 files posted to Telegram that link back to St Landry schools In fact folders that were breached and uploaded to the web point in part to a central office clerk who saved many of the most sensitive files to one of the least secured places her computers desktop ppThe records identify more than 2700 current and former St Landry Parish students including their full names race and ethnicity dates of birth home addresses parents phone numbers and login credentials for district technology Spreadsheets listed students who were eligible for special education services and those who were classified as English language learnersppThe health records that include Social Security numbers and other personally identifiable information for at least 13500 people far exceed the number of individuals currently employed by the district Thats because the records also encompass former employees retirees and those who have since died as well as their dependents including spouses and children Attached to the records are scanned copies of formal documents about major life events Births marriages divorces and deaths ppThousands of people who have received retirement benefits from the school district had their full names published along with Social Security numbers and health insurance premiumsppAlso included are some 100000 sales tax records for local and outofstate companies that conducted business in St Landry Parish with affected individuals extending far beyond Louisiana borders Local victims include the owners of a diner a gun store and an artist who makes soap with goat milk It also includes a metal pipe company in Alabama an Indianapolisbased cannabis company and a senior official at Ring the Amazonowned surveillance camera company headquartered in Santa Monica CaliforniappUnlike most states Louisiana lacks a central sales tax agency Instead there are 54 different collection agencies that range from sheriffs offices to parish governments to school boards St Landry Parishs sales tax collection office is overseen by the St Landry Parish School Board Louisiana schools largest source of local revenue is derived from sales taxes ppThousands of other files appeared to get captured at random a limited set of files with student disciplinary records a collection of wedding photographs documentation for campus security cameras and artistic renderings of Jesus ChristppAmelia Lyons the coowner of a St Landry Parish glass business whose information was exposed said a call from a reporter was the first time she had heard about the breach a reality she called alarming ppI feel like I should have gotten a more formal notification about this Lyons saidppThe St Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles Las Vegas Minneapolis and suburban Washington DC ppRansomware attacks on the national education sector have surged by 80 in the past year alone according to a recent report by the nonprofit Institute for Security and Technology Earlier this year hackers waged attacks on seven Louisiana colleges over four months among them Southeastern Louisiana University which also faced a data breach and claims it hadnt been forthcoming with the public ppIts also not the first time St Landry schools have fallen victim In 2020 the school board took its system offline for at least two weeks following a similar cyberattackppWhile hacker groups have grown more sophisticated school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats said Kenny Donnelly executive director of the Louisiana Cybersecurity Commission which was created to help schools and other entities bolster their defenses As a result schools are lowhanging fruit said Donnelly who said that educators should expect to see even more attacks in the coming years ppEducational entities are going to be a soft target he said If theyre not being hit theyre going to be hit if theyre not doing the things they need to do to get their networks and their security in order ppStill experts say leaders at small and midsized districts are often surprised when they become the targets of international cybercriminalsppTheyre such a small fish in the ocean they think why would anybody bother with them said Doug Levin the national director of the nonprofit K12 Security Information eXchange Its improbable that hackers targeted St Landry specifically he said and more likely that a district employee opened a spam email and clicked on a phishing link ppIts a question of them throwing their fishing hook in the barrel and just waiting to see who bites Levin said They dont know who their next victim is going to be and they dont really care ppWhen a small or mediumsized district takes the bait the impact can be substantial because theyre often among their communities largest employers In the roughly 80000resident St Landry Parish the breached health insurance records represent roughly 1 in 6 residentsppData breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen ppI just want the district to be professional said Vidrine the former science teacher A notification that this happened Were tending to it and you need to protect yourself We made a mistakeppThe district also faces risks of civil liability said Chase Edwards an associate law professor at the University of Louisiana at Lafayette A failure to notify affected individuals is what class actions are made of Edwards said ppThe school district has a duty to protect any private information they collect Edwards said and are both legally and ethically obligated to notify breach victims ppAbout 125 million US children are the victims of identity theft each year according to a recent report by the research firm Javelin Social Security numbers and other personal information about children are particularly valuable to thieves who can use the records to obtain credit cards and loans without detection for years ppBecause children dont typically have credit cards they also dont receive credit reports that can alert them when something is amiss Lee said Darkweb marketplaces that sell personal information often put a premium on childrens Social Security numbers which Lee said are primarily used by fraudsters to apply for jobs Once victims learn theyve been compromised the problem is not easy to address and can have lifelong impacts he said ppDeath certificates and obituaries included in the St Landry breach present their own unique set of risks Even after death Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as ghostingppPeople whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves Lee said Such criminals he said are often part of very sophisticated networks based overseasppIts not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies Lee said Thats not the hacker of today Theyre not sitting in their parents basement Theyre in call centers in Dubai and in Cambodia and in North AfricappIts important that potential victims freeze their credit Lee said and implement robust privacy protections on their online accounts including twofactor authentication and unique login credentials stored in password managersppA finance and technology executive whose information was compromised in the St Landry breach knows firsthand the headaches that come with identity theft Following a previous incident he said someone used his information to file a false tax return ppThe executive who asked not to be named because he wasnt authorized to speak with the press has never stepped foot in St Landry parish Yet his data was exposed because his former employer conducts business there Having stringent security measures in place offered him peace of mind he said when he learned from a reporter that his information had again been exposed ppFontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders including the school board attorney will identify a course of actionppBut St Landry should take immediate steps to protect breach victims including a notification to the state cybersecurity commission said Donnelly its executive director ppThat they didnt notify us of this its disappointing said Donna Sarver a math teacher who worked for the district for three years before leaving in 2020 She and other victims she said now have to fend for themselves ppBut its a poor parish and I dont think they do anything unless they really really have toppThis story was supported by a grant from the Fund for Investigative JournalismppGet the most critical news and information about students rights safety and wellbeing delivered straight to your inboxppCopyright 2023 The 74 Media Incp