In a letter to those affected, the organization’s CEO Dr. Joel Boyd said the attack involved malicious encryption first detected on Sept. 15, 2024. In response, Mastery officials shut down affected systems, contacted federal law enforcement and enlisted cybersecurity experts to investigate and contain the breach. An internal investigation has since confirmed that the attacker accessed and downloaded data.
Though a version of the letter posted on Maine’s state website leaves blank what information was involved, a June 9 blog post by the technology research firm Comparitech said it had confirmed the compromised data includes names, dates of birth, taxpayer ID numbers, passport numbers, bank account information, credit card information, biometrics, user names, passwords, medical information, student records and other information. Comparitech said the ransomware group DragonForce, which operates a ransomware-as-a-service business in which customers pay to use their malware and infrastructure to launch attacks and collect ransoms, took credit for the attack, claiming to have stolen 171 GB of data. Mastery Schools has not confirmed this.
While Boyd said investigators have not seen evidence of identity theft or fraud linked to the breach, Mastery is offering complimentary credit monitoring and identity protection services through Experian IdentityWorks to those impacted. The service is available for a limited time and must be activated by Aug. 31, 2025.
To bolster cybersecurity going forward, Boyd said Mastery has expanded its use of multifactor authentication and enhanced endpoint monitoring across its network. He also said the organization is cooperating with government agencies and continuing to evaluate its practices with assistance from privacy and security professionals.
Editor's note: This story was developed in collaboration with GPT-4 and reviewed and edited by CDE Editorial staff.
