Linn-Mar school staff information compromised in cybersecurity breach
No student data impacted in summer cybersecurity breach; staff names and Social Security numbers may have been stolen
MARION — Staff names and Social Security numbers may have been stolen in a cybersecurity breach at the Linn-Mar Community School District over the summer, a new filing shows.
While the school district has no evidence of actual or attempted misuse of any information, they could not rule out the possibility of an unknown actor gaining access to 5,698 current and former employees data, according to a letter submitted to the Iowa Attorney General’s Office on Oct. 10, by Mullen Coughlin LLC Attorneys at Law on behalf of the Linn-Mar Community School District.
No student data was impacted as student data is stored on a third-party system that was not affected, according to the letter.
Anyone who encounters a security breach that affects at least 500 Iowa residents must provide notice to the Attorney General’s Consumer Protection Division within five business days after telling affected people.
On Oct. 7, Linn-Mar provided written notice of this incident to those affected. The district is providing access to credit monitoring services for 12 months through IDX — a digital privacy protection platform — to people whose personal information was potentially affected by the incident at no cost.
Linn-Mar also is providing impacted people with guidance on how to better protect against identity theft and fraud including how to place a fraud alert and security freeze on a credit file, information on protecting against tax fraud, contact details for national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and encouraging them the contact the Federal Trade Commission, their state Attorney General and law enforcement to report attempted or actual identity theft and fraud.
Cybersecurity breach detected
The district identified unusual activity on its systems around July 31, according to the letter. The district quickly disconnected those systems and launched an investigation to determine the nature and scope of the activity.
Linn-Mar also promptly reported this to federal law enforcement and are cooperating with their investigation.
It was determined an unknown actor gained access to certain systems and conducted activity on those systems between July 26 and Aug. 1, according to the letter.
The district publicly announced Aug. 2, it was investigating the source of why its phones went down and its computer systems was disrupted. In records obtained by The Gazette last month, Associate Superintendent Nathan Wear described the disruption as a “computer breach.”
Since then, the district has gone through a “lengthy and labor-intensive process” with third-party forensic specialists to identify what information was obtained, according to the letter. This review was completed Sept. 20.
Since the breach, the district also has implemented additional safeguards and training for its employees, according to the letter.
Cedar Rapids schools’ ransomware attack
The Linn-Mar cybersecurity breach happened a month after a ransomware attack closed Cedar Rapids schools and compromised personal information of 8,790 current and former employees.
The Cedar Rapids Community School District later paid an undisclosed ransom to a criminal group that attacked its computers.
The Cedar Rapids school board Monday approved additional cybersecurity services. An agreement with Solaris Security was approved to provide additional services with the districts’ existing security infrastructure for the 2022-23 school year, according to board documents.
The board also approved an agreement for data backup through Google’s cloud services. Three vendors submitted quotes to provide the district with a monthly subscription per user.
The final selection was determined based on costs, services covered and security. Due to security concerns, the selected product remains confidential, according to board documents. The annual cost for the services is $29,970.
Comments: (319) 398-8411; grace.king@thegazette.com
Gloss