Estimated read time: 3-4 minutes
- A data breach in the Granite School District affected 450,000 current and former students, as well as some employees.
- Compromised data includes Social Security numbers, addresses and health information, and other things.
- The district is notifying affected individuals and working with authorities on the breach.
SALT LAKE CITY — Granite School District announced earlier this week that it suffered a cyber security incident that compromised the personal information of its employees. On Friday, the district issued an update revealing that the data leak also impacted "all current and former Granite School District students."
In a video emailed to media, superintendent Ben Horsley said that encompasses about 450,000 students.
According to the district, it learned of the data leak on Sept. 20, when "suspicious activity on its network" was detected sometime between Sept. 11 and 25. An investigation determined that "an unknown, unauthorized actor gained access to certain computer systems and accessed and/or acquired files stored on those computer systems."
Countermeasures were immediately taken, and the district notified the Utah State Board of Education, Utah Cyber Center and the Federal Bureau of Investigation regarding the breach.
On Sept. 30, the district received a ransom email from the actors of the breach. Knowing they no longer had access to the district's system, Horsley said they "started communicating with those individuals through our insurance company and through forensic consultants and experts."
"We did not, obviously, give in to ransom demands," Horsley said. It was unclear Friday what those demands entailed.
On Oct. 18, after receiving the first list of compromised files, the district sent the first notification to district employees and patrons, notifying them of the incident.
The district said 15% of current and former student files contained Social Security numbers that were accessed. Further, names, last known addresses, phone numbers, any associated health information, grades and assessment results were compromised in the leak.
As for employees, Horsley said the district identified the breach included payroll information, bank account information, names, addresses, date of birth and Social Security numbers
The district said impacted individuals would be notified with an "individualized letter" detailing what information of theirs was impacted. The letters, it said, were expected to be mailed by the end of December.
"At this time, we have no indication that anyone's specific information was subject to actual or attempted misuse as a result of this incident," the district said.
While the district worked to get the information out to those impacted, it provided a guide for parents in the interim with instructions on contacting credit bureaus or help with fraud alerts.
Addressing the question of whether parents and employees should be concerned about the breach, Horsley answered bluntly: "Yes. I'm concerned about it. Not only has my identity been compromised as a result of this breach, but 450,000 of our students' information has been compromised."
He said that in February, his wife was part of a data breach and that his family wasn't notified of it until a couple of weeks ago.
"I get the sense that people are frustrated that we don't have more information. I was not going to wait until we knew absolutely, 100% everything that had occurred, and what had been breached before I notified our employees and our patrons. I didn't feel like that was transparent. I didn't feel like that was appropriate, and it would have put our families behind the eight ball in terms of getting information secured if it wasn't already," Horsley said.
The incident is still under investigation.
Parents and employees can find more information regarding the data breach at graniteschools.org.
