Individuals whose sensitive information was made public after a July 2023 cyberattack on the St. Landry Parish School Board were not notified for five months 鈥� long after state law mandates and only after a newspaper investigation prompted the Louisiana Attorney General鈥檚 Office to contact the district and warn school officials of their obligations. 

The long-delayed notification was revealed in emails and other records obtained by The Acadiana Advocate this month in response to a Jan. 9 public records request. 

They showed that within hours of the reporters revealing that a data breach exposed sensitive information about thousands of teachers and students, a lawyer with the state attorney general鈥檚 office was on the phone to the school district. The attorney, focused on consumer protection, questioned them 鈥渄irectly in response to the article,” one email states.

The Dec. 4 investigation, co-published by The Advocate and 社区黑料, contradicted school district assertions that no sensitive student, employee or business owners鈥� information had been exposed online after the July attack. It found the St. Landry Parish School Board likely violated a state data breach notification law when it failed to notify victims or the state attorney general for months. 

L. Christopher Styron, the lawyer with the state attorney general鈥檚 office, reacted swiftly, calling the district to inquire about the incident. He followed up with an email outlining St. Landry鈥檚 data breach response obligations under state law 鈥� rules that school officials had failed to follow. 

Under Louisiana鈥檚 breach notification law, schools and other entities are required to notify affected individuals 鈥渨ithout unreasonable delay,鈥� and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general鈥檚 office within 10 days of notifying affected individuals can face fines up to $5,000 for each day past the 60-day mark.

The late-in-the-year series of events prompted St. Landry officials, who long held that no sensitive data was stolen or published online, to take action. Officials told state lawyers it alerted victims that their information had been compromised. It鈥檚 unclear how many victims among thousands of students, district employees and local and out-of-state businesses, received the letter. Medusa, a nefarious cybercrime syndicate that has carried out numerous devastating attacks on school districts in the last year, took credit for the St. Landry breach. 

The school board鈥檚 attorney Courtney Joiner wrote in a response email to Styron a day later that he was 鈥渨orking with the School Board to address the notice issue without further delay.鈥� 

In a letter dated Dec. 21, schools Superintendent Milton Batiste III acknowledged to an unverified number of victims that 鈥渟ensitive information may have been obtained by an unknown malicious third-party,鈥� according to the records. Officials didn鈥檛 send a formal notice to the attorney general鈥檚 office until Jan. 10, a day after The Advocate filed its public records request.

Donna Sarver, who worked as a math teacher in St. Landry for three years before leaving in 2020, is among those whose personal information was compromised. In an interview last week, she blasted the district for sending her a letter in the mail 鈥渨ell after the fact鈥� that she had been victimized. 

鈥淚 really thought it was too little, too late,鈥� she said. 鈥淭his should have happened much earlier.鈥�

Sarver and other data breach victims, including parents, students and business owners whose tax records are held by St. Landry schools, were unaware until the late December notification that district leaders had failed to secure their sensitive information and left them unknowingly exposed to identity theft for months.

It took the district 149 days after the breach to tell victims they 鈥渕ay have been impacted by the incident鈥� and another 19 to formally notify the attorney general. 

Officials with the school board declined to answer any questions for this story. A list of written questions were submitted but officials had yet to respond by the time of publication. The attorney general鈥檚 office didn鈥檛 respond to interview requests. 

St. Landry鈥檚 response resembles that of school districts across the country, investigative reporting by 社区黑料 has revealed. Cybergangs have ramped up their attacks on school districts and now routinely threaten to leak sensitive files in a bid to coerce seven-figure ransom payments. As federal officials warn of the burgeoning threat鈥檚 impact on students and teachers, education leaders nationwide have sought to downplay the attacks鈥� severity and obscure any subsequent harm to individuals.

James Lee, the chief operating officer of California-based said the delay by St. Landry officials is 鈥渞eflective of a problem we have鈥� nationally where cyberattack victims have grown increasingly resistant to filing breach notices. 

鈥淚n many instances, it鈥檚 because the decision to issue a notice resides 100% with the organization that loses control of the information,鈥� Lee said. 鈥淗ighlighting circumstances like this will help us address these gaps so we can get better notifications to consumers when their information has been compromised and they鈥檙e at risk.鈥� 

鈥楩or reasons that are unknown鈥�

In August 2023, the 12,000-student district some 63 miles west of Baton Rouge acknowledged its computer network had come under attack but told the public the breached servers didn鈥檛 contain any sensitive employee or student information.

But 社区黑料鈥檚 data analysis of some 211,000 leaked records revealed they contained the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status. 

Similarly, the district appeared to offer inaccurate, misleading and contradictory claims in its delayed response to the attorney general, its letter to data breach victims and statements to the press.

In its letter to the AG鈥檚 office, the district stated that the stolen files had been 鈥渞ecovered.鈥� However, a check by 社区黑料 last week revealed they remain readily available for download on Telegram, the encrypted social media platform Medusa uses to make public the records of victims who don鈥檛 pay to keep them private. 

Superintendent Batiste wrote in that Jan. 10 notice that the district鈥檚 computer network had been encrypted by 鈥渁 malicious person or group鈥� in July but that St. Landry had never received a ransom demand. 

Yet, among the cache of district documents available on Telegram is a text file titled 鈥淟OOK!!!!,鈥� which includes a link to Medusa鈥檚 dark-web outpost, complete with a $1 million ransom demand and a countdown clock warning education leaders their time to respond is running out. The note also contained links to Medusa鈥檚 Telegram channel and to a website designed to resemble a technology news blog 鈥� a front of sorts 鈥� with a video highlighting the St. Landry records in its possession. 

It was in August 2023, that the Louisiana State Police Cyber Crime Unit notified school officials that 鈥渁n unknown number of files containing sensitive information鈥� had been compromised, the letter states. That same month, Batiste had assured the public otherwise. 

Files posted to a Medusa leak site 鈥渨ere recovered by the Cyber Crime Unit鈥� with the state police, Batiste鈥檚 letter continues, 鈥渂ut, for reasons that are unknown, the files recovered from the dedicated leak site by the Cyber Crime Unit were not provided to us until December 6鈥� 鈥� two days after the newspaper investigation published. 

鈥楬ow do you recover it?鈥�

The cybercriminals behind the St. Landry breach employed 鈥渄ouble extortion,鈥� a growing ransomware strategy where hackers break into a victim鈥檚 computer network through phishing emails, download compromising records and lock them with an encryption key. Criminals demand a ransom payment from victims to unlock the encrypted files and leak them online if they refuse to pay. The stolen information is routinely flaunted on the dark web and other shady corners of the internet. 

In asserting to reporters last year that the Medusa hack didn鈥檛 lead to a breach of sensitive information 鈥� despite overwhelming evidence that it had 鈥� district officials acknowledged they hadn鈥檛 taken any steps to understand the scope of what was stolen or to notify individual victims. 

Byron Wimberly, the district鈥檚 computer center supervisor, insisted at the time that sensitive records had not been stored on the hacked servers. The files that were uploaded by the ransomware gang, he suggested, must have originated somewhere other than St. Landry schools 鈥� even though thousands of them contain district letterhead and more than a dozen victims verified the validity of their stolen information. 

Tricia Fontenot, the district鈥檚 supervisor of instructional technology, told reporters late last year that law enforcement investigators had never filled them in on the stolen data or if any sensitive information had been leaked at all. 

鈥淲e never received reports of the actual information that was obtained,鈥� Fontenot said. 鈥淎ll of that is under investigation. We have not received anything in regard to that investigation.鈥�

Fontenot鈥檚 statement contradicts Batiste鈥檚 timeline to the AG saying state police informed them in August that files containing sensitive information had been accessed. A state police spokesperson said in an email last week the agency finished its investigation on Aug. 20. 

Reached by phone last week, Fontenot declined to comment.

The Dec. 21 letter that school officials sent to data breach victims states that the district was hacked by 鈥渁n unknown malicious鈥� threat actor but isn鈥檛 explicit to recipients about whether their information was included.

It remains unclear how many of the thousands of data breach victims identified in the news outlets鈥� investigation 鈥� including teachers, staff, students and sales tax filers from across the country 鈥� received the Dec. 21 notice. 

The data breach letter states that victims were being notified months after the incident because 鈥渢he process of obtaining and then reviewing the acquired files took several months.鈥�

鈥淲e are now in the process of notifying individuals whose personal information we believe to have been included in the acquired files, including you,鈥� the letter states, acknowledging that stolen information contains individuals鈥� names, addresses, birth dates, Social Security numbers and driver鈥檚 licenses. 

Louisiana鈥檚 data breach notification law doesn鈥檛 apply to some types of sensitive files exposed in the breach, such as student disciplinary records. 

School districts nationwide, along with other government agencies and for-profit companies, routinely hire cybersecurity experts and attorneys to investigate the scope of data leaks and to notify breach victims in compliance with state laws, partly because of the complexities involved. A federal breach notification law doesn鈥檛 exist and state requirements vary. 

School officials told reporters last year they expected law enforcement to investigate the attack’s impact on individual data breach victims. Lee of the nonprofit Identity Theft Resource Center said such a practice would be highly unusual. 

鈥淚n fact, I don鈥檛 think I鈥檝e ever heard of that kind of arrangement,鈥� he said. 鈥淢ost organizations do hire their own cybersecurity experts whether it鈥檚 a school district or it鈥檚 a nonprofit or a commercial entity.鈥� 

Sarver, the former St. Landry math teacher, said school leaders left data breach victims to fend for themselves by waiting months to tell them their personal information had come up for grabs on a website maintained by criminals.

While the district offered a year of credit monitoring 鈥� a common practice after entities suffer data breaches 鈥� Sarver said she decided not to enroll. The service would last just 12 months; her records could be available forever. 

鈥淗ow do you recover it once it鈥檚 out there?鈥� she said. 鈥淒o you tell the people who got it illegally that you have to take it down and hope they do?鈥�

This story was supported by a grant from the Fund for Investigative Journalism

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn鈥檛 think much about it 鈥� even after her Facebook got hacked. 

Now, she鈥檚 left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by 社区黑料 and The Acadiana Advocate revealed. The reporting included a data analysis by 社区黑料 of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels 鈥� enough to prompt the Biden White House to convene an August summit on how to tackle the threat 鈥� and in multiple instances, districts have been accused of withholding information from the public.

鈥淭hey want to brush everything under the rug,鈥� said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. 鈥淭he districts don鈥檛 want bad publicity.鈥�

Among the district鈥檚 breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana鈥檚 data breach notification rules.

and other entities notify affected individuals 鈥渨ithout unreasonable delay,鈥� 60 days after a breach is discovered. 

Breached entities that fail to alert the state attorney general鈥檚 office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven鈥檛 taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general鈥檚 office must approve such disclosure delays. 

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn鈥檛 respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is 鈥渁 long time to not notify somebody of that level of sensitive information.鈥�

鈥淏ecause the school district hasn鈥檛 issued a notice, then it鈥檚 hard to know exactly what happened and why,鈥� Lee said. 鈥淭hat鈥檚 important because that also leads you to, 鈥榃ell, what does the individual need to do to protect themselves now that their information has been exposed?鈥欌��

鈥楧ouble extortion鈥�

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry鈥檚 computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog 鈥� a front of sorts 鈥� and became available for download on Telegram, an encrypted social media platform that鈥檚 been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that鈥檚 grown in popularity in recent years called 鈥渄ouble extortion.鈥� Hackers gain access to a victim鈥檚 computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son鈥檚 information was leaked 鈥� especially because he hasn鈥檛 attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

鈥淚f they鈥檙e lying about it and our information did get out there, then that鈥檚 a whole other situation,鈥� she said. 鈥淭hey’re telling all their employees all of our information did not get messed with.鈥� 

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district鈥檚 supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

鈥淲e never received reports of the actual information that was obtained,鈥� she said. 鈥淎ll of that is under investigation. We have not received anything in regards to that investigation.鈥�

The board, Fontenot said, decided to 鈥渢rust the process.鈥�

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry鈥檚 computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

鈥淵ou know how many people get hacked a year? Can you point that to the school board 100%?鈥� Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer鈥檚 desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents鈥� phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That鈥檚 because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff鈥檚 offices to parish governments to school boards. St. Landry Parish鈥檚 sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools鈥� is derived from sales taxes. 

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach 鈥� a reality she called 鈥渁larming.鈥� 

鈥淚 feel like I should have gotten a more formal notification about this,鈥� Lyons said.

鈥楢 soft target鈥�

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It鈥檚 also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are 鈥渓ow-hanging fruit,鈥� said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

鈥淓ducational entities are going to be a soft target,鈥� he said. 鈥淚f they鈥檙e not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.鈥� 

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

鈥淭hey鈥檙e such a small fish in the ocean, (they think) why would anybody bother with them?鈥� said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It鈥檚 improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

鈥淚t鈥檚 a question of them throwing their fishing hook in the barrel 鈥� and just waiting to see who bites,鈥� Levin said. 鈥淭hey don鈥檛 know who their next victim is going to be and they don鈥檛 really care.鈥� 

When a small- or medium-sized district takes the bait, the impact can be substantial because they鈥檙e often among their communities鈥� largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

鈥楢 cause of action鈥�

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

鈥淚 just want (the district) to be professional,鈥� said Vidrine, the former science teacher. 鈥淎 notification that this happened: 鈥榃e鈥檙e tending to it and you need to protect yourself. We made a mistake.鈥欌��

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is 鈥渨hat class actions are made of,鈥� Edwards said.  

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don鈥檛 typically have credit cards, they also don鈥檛 receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children鈥檚 Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they鈥檝e been compromised, the problem 鈥渋s not easy to address and can have lifelong impacts,鈥� he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as 鈥済hosting.鈥�

鈥楾he hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of 鈥渧ery sophisticated networks鈥� based overseas.

鈥淚t鈥檚 not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,鈥� Lee said. 鈥淭hat鈥檚 not the hacker of today. They鈥檙e not sitting in their parents鈥� basement. They鈥檙e in call centers in Dubai and in Cambodia and in North Africa.鈥�

It鈥檚 important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn鈥檛 authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St Landry should take immediate steps to protect breach victims 鈥� including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

鈥淭hat they didn鈥檛 notify us of this, it鈥檚 disappointing,鈥� said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

鈥淏ut it鈥檚 a poor parish and I don鈥檛 think they do anything unless they really, really have to.鈥�

This story was supported by a grant from the Fund for Investigative Journalism.