NewsLocal NewsIn Your ParishSt. Mary Parish

Actions

St. Mary School System says they were hacked - in December

ransomware hackers
Posted

At 5:18 p.m. on the Friday before the Easter holidays, the St. Mary Parish School System issued press release about a "potential cyber concern employee notification."

Officials say student data wasn't accessed, but the personal information of anyone who has worked for the system at any time since 2021 could have been. They say they're notifying all current and former employees, that they have addressed the "vulnerabilities" that the hackers exploited and they have moved all employee data to cloud storage - which is where student data was and why it wasn't accessed.

The notification, which you can read in full below, states that system officials began having connectivity issues that prevented them from accessing the local system back in December. They called law enforcement and tech professionals to look into it, and those investigators confirmed the system had been accessed.

By January 31, it was "confirmed" that the system had had a cyber incident that, under state law, "could" trigger notification of those possible affected. The law requires that notification take place "without unreasonable delay but not later than 60 days from the discovery of the breach."

March 22 is 50 days from January 31 - but the latest date in December is more than 80 days away from March 22. According to the parish calendar, the last day schools and the central office were open was December 21 - which is more than 90 days away from March 22.

The state law requires that the agency that was breached notify anyone who might be affected within 60 days "following discovery by the agency or person of a breach of security of the system."

That's defined as "a breach in the security of the system containing such data, notify any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

If the January 31 date is used for the state deadline count, that implies that it took approximately six weeks to "discover" the breach.

If you want to read the whole law for yourself, scroll down.

We've reached out to the school system to try to get more information about the timeline, and we'll update this story with any response we receive.

Here's the full notification:

Potential Cyber Concern Employee Notification

In December of 2023, the St. Mary Parish School Board began having connectivity issues which prevented the School Board from accessing its local system. School Board officials immediately contacted law enforcement and technology professionals to investigate the matter. Law enforcement and state officials subsequently confirmed that bad actors had accessed the School Board’s local network. The School Board was able to successfully remediate the vulnerabilities within its network while maintaining all its public services. On January 31, 2024, it was confirmed that the School Board had been the victim of a cyber incident, which could potentially require notification under La. R.S. 51:3074 and L.A.C. 16:III.701.

Lengthy measures have been taken to review any potential data leaks. Although there is no evidence that any data was acquired or accessed, as a precautionary measure, the St. Mary Parish School Board is sending notifications to current and former employees (dating back to 2021), whose information may have been impacted. All student data is cloud-based and was never at-risk. Since the incident, all employee data has been transferred to a cloud-based software platform.

Here's the law: