Dive Brief:
- A ransomware gang recently claimed credit for a December data breach that targeted an education-focused compliance firm and impacted at least 110,000 school employees across nearly three dozen K-12 districts, according to Comparitech, a cybersecurity and online privacy product review website.
- Carruth Compliance Consulting, which administers retirement savings plans for public school districts, said in January that the cybersecurity incident compromised sensitive personal and financial information, including Social Security numbers, financial accounts, W-2s, tax filings, medical billing data and driver’s license numbers.
- Multiple class action lawsuits are expected over the data breach, with at least one case filed against Carruth Compliance Consulting so far.
Dive Insight:
Carruth Compliance Consulting’s data breach occurred around the same time PowerSchool fell victim to a similar cybersecurity incident.
The breach at PowerSchool, a K-12 cloud-based software provider that serves over 60 million students and 18,000 educational customers, has likely led to millions of students and staff members’ personal data being compromised.
Ransomware attacks and data breaches are increasingly affecting schools, whether they are intentionally targeted or not. In 2024, 1.8 million records in the education sector were affected by ransomware attacks worldwide, a January Comparitech report found.
It’s still unclear how many school districts and K-12 employees were affected by the breach at Carruth Compliance Consulting, which did not respond to a request for comment.
“Attacks like this highlight how far-reaching the impact of these data breaches via ransomware can be. A breach on one provider can affect multiple educational institutions,” said Rebecca Moody, head of data research at Comparitech, in a statement. “Schools and colleges may have the best cybersecurity measures in place, but they’re only as good as the third parties they use.”
According to Carruth Compliance Consulting’s breach notification, the company identified suspicious activity that impacted operations in some of its computer systems on Dec. 21, 2024. An investigation by a third party found that certain systems had been accessed without authorization, and some of its files were copied between Dec. 19 and Dec. 26. The company also notified the FBI about the incident.
Oregon’s Hillsboro School District, a victim of the data breach, said in a late January statement that it has ceased future retirement account transactions through Carruth Compliance Consulting. The district added that it’s planning to transition to another provider for retirement services.
Districts across several states have been affected by the data breach, including in California, Illinois, New York, Oregon and Pennsylvania, Comparitech said.