Kept in the dark: Inside the St. Landry Parish Schools ransomware attack
boonchai wedmakawand via Getty Images
A 74 investigative series: Meet the hired guns who make sure school cyberattacks stay hidden. Here’s what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana.
This article was originally published by The 74.
The school district in Louisiana’s St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack — long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general’s office.
A December 2023 investigation by The 74 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack.
Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status.
Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online.
“They want to brush everything under the rug,” said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. “The districts don’t want bad publicity.”
Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary.
After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district’s supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws.
“We never received reports of the actual information that was obtained,” she said in November 2023. “All of that is under investigation. We have not received anything in regards to that investigation.”
Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general’s office was on the phone with the district, questioning them “directly in response to the article” and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal.
Under Louisiana’s breach notification law, schools and other entities are required to notify affected individuals “without unreasonable delay,” and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark.
School board attorney Courtney Joiner responded a day later to the attorney general’s office, saying they were working “to address the notice issue without further delay.”
In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their “sensitive information may have been obtained by an unknown malicious third-party,” records show. Officials didn’t send a formal notice to the AG’s office until Jan. 10, 2024.
Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter “well after the fact” she and her colleagues had been victimized.
“I really thought it was too little, too late,” she told reporters. “This should have happened much earlier.”
School officials couldn’t be reached for comment for this story.
This story was supported by a grant from the Fund for Investigative Journalism.
NEXT STORY: Salt Typhoon hackers exploited stolen credentials and a 7-year-old software flaw in Cisco systems