The Clark County School District (CCSD) in Nevada, the fifth-largest school district in the US, is continuing to address a serious cybersecurity incident and class action lawsuit by parents. A group of hackers, calling themselves SingularityMD, have claimed responsibility for breaching the district’s network and accessing sensitive information of students, parents, and employees.
The incident, which was first reported on October 16, 2023, has caused widespread concern and outrage among the affected community.
How the CCSD Data Breach Occurred
According to the CCSD’s official notice of cybersecurity incident, the district became aware of a cybersecurity incident impacting its email environment on October 5, 2023. After discovering the incident, the CCSD engaged a team of forensic experts to investigate the incident. The CCSD also contacted law enforcement agencies to further investigate the incident.
The investigation revealed that the unauthorized party accessed the personal information related to students, parents, and employees. The CCSD is still working to identify all individuals whose information was impacted by this incident. Affected individuals identified by the CCSD should receive a data breach notification letter via first-class mail outlining steps to protect their personal information.
The CCSD claims it has not received any reports of actual or attempted misuse of the impacted information, but numerous reports by parents and new media outlets appear to contradict CCSD’s claims.
The Hacking Group Responsible
The hackers have identified themselves as SingularityMD, a group that claims to be motivated by exposing security flaws and demanding ransom payments. In an email to DataBreaches.net, a website that covers data breaches and cybersecurity news, SingularityMD claimed that they had been in the CCSD’s network for many months and that they had access to all types of private and personal data, including student photos, student and family email addresses, student ID numbers, financial reports, staff salaries, and grant information.
SingularityMD also criticized the CCSD for lax security measures, such as forcing students to use their birthdate as passwords for six consecutive years. They threatened to leak more data if their ransom demands are not met.
The Hackers Contacted Parents
Some parents reported receiving emails from SingularityMD, warning them about the compromise of their children’s personal information. These emails reportedly had PDF files with stolen data, such as student photos, email addresses, and student ID numbers. Some parents confirmed the legitimacy of the data relating to their children.
These emails were intended to pressure the CCSD to pay the ransom and to scare the parents into taking action. The hackers also gave a link to a website where they said they posted more leaked data.
The Status of the Data Breach and Response
The CCSD has not confirmed or denied the authenticity of the leaked data or the ransom demands. However, it has stated that it is working with law enforcement agencies and forensic experts to investigate and resolve the incident.
The CCSD has also advised parents and employees to monitor their credit reports and bank accounts for any suspicious activity.
Some media reports state that the CCSD has sent out a very limited number of data breach notices to some parents.
Steps You Can Take to Protect Yourself and Your Children
If you are a parent or an employee of the CCSD, you should take the following steps to protect your personal information:
- Review your credit reports for any unauthorized accounts or inquiries. You can obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting www.annualcreditreport.com.
- Consider placing a fraud alert or a security freeze on your credit files. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. A security freeze prevents creditors from accessing your credit report without your consent. You can contact each of the three major credit reporting agencies to place a fraud alert or a security freeze:
- Monitor your bank accounts and credit card statements for any unauthorized transactions. If you notice any, contact your bank or credit card company immediately.
Be wary of any emails, phone calls, or letters that claim to be from the CCSD or SingularityMD and ask for your personal information or money. Do not click on any links or open any attachments that you do not recognize or trust. The CCSD will not contact you by email or phone to ask for your personal information or money.
Educate your children about online safety and privacy. Teach them to never share their personal information, such as their name, address, phone number, email, password, or student ID number, with anyone online. Remind them to use strong and unique passwords for their online accounts and to change them regularly. Encourage them to report any suspicious or inappropriate messages or requests to you or a trusted adult.
Parents File Data Breach Class Action
The CCSD is now facing a class action lawsuit from several parents who claim that the district failed to protect the personal information of their children and other employees from a cyberattack that occurred in October 2023.
The lawsuit, filed on November 2, 2023 in the Clark County District Court, alleges that CCSD was aware of its cyber vulnerabilities but did not take adequate measures to prevent or mitigate the attack, which resulted in the theft and exposure of sensitive data by the hacker group known as SingularityMD.
According to the class action, SingularityMD demanded a ransom from CCSD, which the district refused to pay. As a result, the hacker group started leaking the personal information of over 200,000 people online, including student and employee records, medical information, social security numbers, and health insurance information.
The lawsuit claims that this data breach poses a serious risk of identity theft and fraud for the affected individuals, and that CCSD has not been transparent or cooperative with the investigation.
The lawsuit seeks to hold CCSD accountable for its negligence and breach of contract, and to compel the district to take steps to secure its information systems and provide adequate identity protection services to the victims of the cyberattack. The lawsuit also seeks unspecified damages for the plaintiffs and other members of the class action.
CCSD Class Action Inquiry