IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

San Benito School Officials Share Cyber Attack Details

Cyber criminals breached the district's data system repeatedly between April and October 2022, stole data including Social Security numbers and bank account information, and posted it on their website in the dark web.

cyberattack security. red padlock alert broken showing that cyber attack and risk. vector illustration.
(TNS) — The San Benito school district's cybersecurity breach leading to more than 21,000 current and former employees' and students' stolen confidential information occurred in April, officials said.

Meanwhile, "sophisticated cyber criminals" breached the data system "intermittently" from April 6 to Oct. 10, Leonila Pena, the district's executive director of student support services, told the school board.

Amid an investigation, Cameron County District Attorney Luis Saenz has confirmed the Karakurt cyber data extortion group breached the district's technology network.

On Nov. 1, the Texas Education Agency alerted Region One Educational Services officials the district's data network had been breached, Pena told board members during a presentation.

"It was determined that an unauthorized party gained access to the district's network and took certain files from the district's servers prior to Nov. 1," she said during a meeting Tuesday. "The unauthorized cyber criminals intermittently accessed our network between April 8, 2022 and Oct. 10, 2022."

In response, officials contacted authorities including the FBI, she said.

INVESTIGATION



From Nov. 4 to Dec. 16, the district conducted an investigation into the cyber attack, Superintendent Theresa Servellon told board members.

"On Nov. 1, when we found out, we didn't know there was sensitive personal identifiable information," she said.

The hackers placed the stolen data including Social Security numbers and bank account information on their website in the dark web, Pena said.

On Dec. 30, district officials mailed 21,653 letters to victims' last-known addresses, including those of 12,080 children after identifying them, she said.

"The district was not aware, at that time, of any specific individuals whose information might have been involved and for that reason the disclosure was not made at that time," Pena said.

On Dec. 16, the district had 60 days to notify victims, Lynn Sessions, an attorney with Houston-based Baker Hostetler, told board members, citing law.

VICTIMS' NOTIFICATION



Late last month, Saenz said he released a media statement announcing the data breach after district officials "resisted" his request.

However, officials decided against making a "blanket" announcement so employees and students whose information was not stolen would not "panic," Sessions told board members.

"In order to make legally compliant disclosure, Texas law provides that a public entity must be able to identify the persons involved," Pena said. "The professionals that the district involved in the matter advised SBCISD to make full and complete disclosure after identifying exactly whose information was involved and whose information was not involved."

"The district was advised not to make a blanket statement because, one, the district did not want to alarm persons whose information was not involved and, two, if the district had disclosed the situation before confirming that the cyber criminals did not have control of its system, then the cyber criminals could have sought to lock the district out of its own system," she said. "So that means we could have been held at ransom or our system could have been locked."

Pena said officials have taken steps to bolster security.

"Security measures taken include but are not limited to enhancing authentication methods, deploying an end-point detection and response tool in addition to our existing anti-virus protection, decommissioning involved servers, streamlining user permissions and continuing to train our employees on recognizing and preventing cybersecurity threats," she told board members.

DECISION AGAINST 'BLANKET' ANNOUNCEMENT



Meanwhile, board member Orlando Lopez wanted to know why officials did not announce the breach after its discovery.

"This information has been on the dark web for six months now," he said, adding, "it affected my family — my son."

"My understanding is some people already got affected by the time they got their letters," Lopez said. "What (do) other school districts do — do they send out a blanket statement — 'Hey, listen, for your information there was a breach. We don't have all the information yet but we're going to do an investigation?'"

In response, Sessions said officials did not want employees and students whose information was not stolen to "panic."

"We've had a few districts that have, I'll say prematurely, gone out on the front end," she said. "What we have learned is that without having answers to questions like specifically who's affected, what type of information is impacted by an incident ... that actually creates panic in a different way than what we're dealing with right now."

EXTENT OF BREACH



Amid discussion, board member Oscar Medrano asked officials whether they had determined whether the loss of personal information went back as long as 20 years.

"I don't think we know how far the data goes that affected employees may have been involved in this," Sessions told him.

'PANIC'



Meanwhile, many residents have received letters mailed to wrong addresses.

In response, board President Ramiro Moreno requested officials release information in English and Spanish.

"The biggest question is people are getting correspondence that doesn't pertain to them," he said. "This is causing a panic. It's human nature, I understand that, that people are going to panic and I believe many members of our community did panic and rightfully so. If we shoot out that correct information to our community both in English and Spanish that might help alleviate some of the panic."

NO 'SUGAR-COATING'



In a tense exchange, board member Ariel Cruz warned officials against "sugar-coating" the situation.

"There are some things that we as a school district, we as a board, need to be accountable for, and this is one of those things," she said. "I want all our community members to know that we are sorry that this happened, we have put things into place and we are doing what needs to be done for our community. If my identity is taken ... I want to be informed. The fact is this is a school district, these are community members. Trying to sugar-coat this is not sitting well with me and I know it's not sitting well with a lot of people."

In response, Servellon strongly denied the claim.

"What are we sugar-coating?" she asked Cruz. "There's nothing being sugar-coated, I feel. I feel we have been very forward with our information. Everything we've given you is factual. It's not that we're not taking ownership. What's going on is how we followed a process — a very deliberate process and a very delineated process and (if it's) being said we were not transparent or we were holding back information, that is not accurate."

CALL FOR TOWN HALL MEETING



During discussion, Cruz requested officials hold a town hall meeting to inform the community about the loss of personal information.

"That way the people that have legitimate concerns get their concerns heard," she said. "If there's an individual who feels they may have been affected and they didn't get a letter because they changed addresses, they can reach out to see if their name did pop up and they can get the letter sent to the correct place. I think that would be extremely helpful for the community."

©2023 Valley Morning Star (Harlingen, Texas). Distributed by Tribune Content Agency, LLC.