IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Cameron County DA Forces School District to Disclose 'Vast' Data Breach

A Texas district attorney asked a local school district on Dec. 9, and again on Dec. 19, to notify up to 30,000 people that a security breach had exposed their confidential information, before making the announcement himself.

(TNS) — Cameron County District Attorney Luis Saenz on Tuesday said he disclosed the San Benito school district's technology security breach Monday evening after district officials refused his requests that they notify as many as 30,000 employees and other victims whose confidential information was stolen.

Meanwhile, school district officials stated they were following the process of identifying the hacking victims.

"On Dec. 9, I requested of the district to please notify the victims of the stolen confidential information — and they didn't," Saenz said Tuesday. "On Dec. 19, I again requested of the district to notify the victims of the stolen confidential information and again they didn't. So I had no choice but to make the announcement myself."

On Tuesday evening, school district officials stated they had been in the process of identifying the victims.

"The district never refused to provide a disclosure of the data security matter and previously advised the DA multiple times that it would do so but as of yesterday afternoon was still in the process of identifying the persons who may have been affected," district spokeswoman Isabel Gonzalez stated on Tuesday evening. "This is the customary and proper way to disclose such an incident."

"At the time the district was contacted by the DA regarding the incident, preparations to disclose the incident were already well underway," she stated. "Yesterday, the DA elected to provide notice of the incident before the process of fully identifying all affected persons had been completed. The district responded by confirming the DA's notice and to assure the community that all possible steps have been taken are being taken to address the situation."

On Monday evening, the district attorney's office released a media statement revealing "a criminal element" had stolen "vast amounts of confidential information" after district officials refused his pleas to notify about 25,000 to 30,000 district employees and other victims, Saenz said Tuesday.

More than three hours later, district officials released a statement, disclosing they were notifying victims of the incident in which hackers had stolen their confidential information.

"I urged them again to please notify the victims — this needs to be done immediately," Saenz said, adding he gave officials a 5 p.m. Monday deadline to notify victims.

"I gave them a deadline or I was going to release it myself," he said. "A crime has been committed so you have to notify the victims. Everyone who has been hacked needs to be notified immediately. There are teachers, employees who need to know so they can do what they have to do (to protect themselves)."

Saenz said Monday's deadline was the second he gave officials since Dec. 9, "a couple of days" after he found out about the hacking of the school district's cybersecurity network.

After he gave officials his first deadline, their attorneys requested more time in which to notify victims, he said.

"Once we became aware of the breach, I immediately urged the school district to notify the quote-unquote victims," he said. "I urged the district — they resisted. I'm very concerned about the victims being notified."

Saenz said his office is investigating the incident to determine the date in which the security breach occurred, adding the law requires victims be notified of security breaches at least 60 days after they are discovered.

"That's the $64 million question," he said, referring to the date of the breach.

The breach may have occurred about Nov. 1, he indicated.

At about 5:20 p.m. Monday, Saenz released his media statement notifying victims.

"My office has confirmed that there has been a breach of computer security at the San Benito CISD," he wrote. "Namely, we learned a criminal element accessed the San Benito CISD computer technology and stole vast amounts of confidential information ... If you believe you have been a victim of this computer security breach, please notify the police or the Texas attorney general immediately."

At about 8:52 p.m. Monday, officials released their statement, notifying victims the district was sending them letters.

On Tuesday evening, district officials released a second statement.

"San Benito Consolidated Independent School District recently concluded an investigation into a cybersecurity incident involving unauthorized access to certain devices within the district's network," Gonzalez stated.

"When the district became aware of the incident, it immediately took affirmative steps to address the issue and notified the FBI," she stated. "The district is not being investigated by the FBI but rather is assisting with the FBI's investigation by providing valuable information that was gathered by the district and the district's cybersecurity partners. To assist in its response to the incident, the district engaged outside cybersecurity experts to advise and conduct an investigation."

"The investigation determined that an unauthorized party took certain files from the District's network," she stated. "The district has conducted a thorough and exhaustive review of those files and is in the process of sending notification letters directly to individuals whose sensitive personal information was identified in the files. The district takes seriously its responsibility to protect all information it maintains. To help prevent a similar incident from occurring in the future, the District has implemented additional measures to enhance the security of its network."

The investigation into the school district's security breach continues, Saenz said.

"There's still a lot of investigating to do on the hacking," he said.

Saenz described the security breach as "a really sophisticated hack."

The case involves the biggest security breach his office has investigated, he said.

"We've had numerous individual victims who have been hacked but this is the biggest, for sure," he said. "This is the only school district ... with so many victims."

On Tuesday, school board President Ramiro Moreno, Superintendent Theresa Servellon and board attorney Steven Weller did not respond to requests for comment.

Editor's note: This story has been updated to include new statements from the DA and school district.

©2022 Valley Morning Star (Harlingen, Texas). Distributed by Tribune Content Agency, LLC.