Carruth Compliance Consulting, which manages retirement plans for several school districts and nonprofits, notified clients Monday, Jan. 13 that it suffered a data breach in December.
The Greater Albany Public Schools is one of many districts impacted by a data breach last December.
Beyond Portland Public Schools and the Salem Keizer School District, the breach impacts big districts in the mid-Willamette Valley’s Linn Benton Lincoln Education Service District, a kind of super district providing services to schools in its namesake counties.
That includes Greater Albany Public Schools, the Corvallis School District and the Lebanon Community School District, which notified staff about the incident this week.
Jason Hay, the LBL ESD superintendent, said by phone he didn’t know if all 12 districts in its system were impacted. But he noted the data breach’s impact across Oregon, as well as on past and present school staff.
In its notice, the Lebanon school district said the breach potentially affected those staff members employed between 2008 and January 2025.
At GAPS, the breach potentially impacts staff dating back to Jan. 1, 2009.
“There are people potentially impacted by this that haven’t worked for our districts for quite some time,” Hay said.
THE BREACH
In a statement posted earlier this week on its website, Carruth Compliance and Consulting said the company identified suspicious activity on Dec. 21, impacting certain computer systems and prompting an investigation with third-party specialists.
That investigation found the company’s systems were breached between Dec. 19 and Dec. 26, with certain files copied from its systems during that time, according to the statement.
The information potentially affected by the breach includes names, social security numbers and financial account information, according to the company, which also notified the Federal Bureau of Investigation of the breach.
The Greater Albany Public Schools is one of many districts impacted by a data breach last December.
The data also includes, in more limited circumstances according to the company, “driver's license numbers, W-2 information, medical billing information (but not medical records) and tax filings.”
It’s unclear how many current and former employees are potentially affected, though Hay said it could number in the thousands across Oregon.
In its statement about the breach, GAPS said no further retirement account transactions from district employees would be processed by the company for the foreseeable future.
“Please know we are working with Carruth, its insurers and others to understand the full scope of the incident, to ensure all affected employees will be directly notified, and to ensure Carruth is taking appropriate steps to mitigate the impact on our employees.”
Corvallis School District spokesperson Kelly Locey said via email the district notified staff who had 403(b) and/or 457 (b) retirement plans with Carruth about the incident on Jan. 14, but didn’t know how many of its employees were impacted.
NEXT STEPS?
Locey said the district would be working with its cybersecurity coverage carrier and following its recommendations.
The insurance agency that covers most Oregon school districts, PACE (or Property and Casualty Coverage for Education) is indeed working with Carruth to determine the extent of the breach’s impact, Hay said.
GAPS and other districts have said employees could enroll in a free credit monitoring service offered by Carruth and encouraged staff to monitor their accounts.
In recent years, public K-12 school districts have also become a bigger target for cyberattacks, according to a 2023 report from the federal Cybersecurity and Infrastructure Security Agency though — though, to be clear, no school system was breached in this case.
Still, it’s an unfortunate reminder of how vulnerable education agencies have become, according to Hay.
“It’s really sad this is where we’re at,” he said.
©2025 Albany Democrat-Herald, Ore. Distributed by Tribune Content Agency, LLC.
