NJ: Spotswood Public Schools notifying 424 employees impacted by a ransomware incident
Here’s another k-12 data security incident that does not appear to have made news or to have been revealed on a school district’s website (at least as far as DataBreaches.net can determine):
On behalf of Spotswood Public Schools in New Jersey, Baker & Hostetler notified the Maine Attorney General’s Office that Spotswood experienced a ransomware incident on September 11. The district’s notification omits some specific details such as when they first discovered they had a problem, whether files were locked, whether functions were impaired, and whether student data was exfiltrated or only employee information, or both. Nor does the notification indicate who the threat actors were, so there is a lot we do not know at this point.
On October 27, the district learned that personal information for one Maine resident was affected and therefore notified Maine. Had there been no Maine resident, we might not have learned of this incident at this point at all.
All told, according to the district’s notification to Maine, 424 people were impacted by the incident, where the files included the individual’s name and one or more
of the following data elements: Social Security number, driver’s license number, and/or financial account information.
Those affected are being offered one year of credit monitoring, fraud consultation, and identity theft restoration services through Kroll. The notification to the state says that letters will be going out on November 28, but that may be a typo as an attachment (download link) mentions November 18.
Because DataBreaches.net was unable to find any notice on the district’s web site, an email inquiry was sent to their external counsel asking whether any students were impacted by the incident. No reply was immediate received. This post will be updated if more information becomes available.