No evidence found of Little Rock School District data use

FILE — Little Rock School District headquarters are shown in this 2019 file photo.

The Little Rock School District, a victim of a 2022 data security attack, is telling its past and present employees, student families and vendors that there is no evidence that their personal data has been "viewed, used or misused."

However, that announcement -- posted recently on the 21,000-student district's website -- also states that the district is providing no-cost credit monitoring and identity protection services "out of an abundance of caution."

Additionally, the district -- which apologized for the concern caused by the security breach -- is telling affected individuals to be vigilant in monitoring their accounts for identity theft and fraud.

Little Rock Superintendent Jermall Wright first told all district employees and the Arkansas Democrat-Gazette on Dec. 1 that the capital city school district was a victim of a data network breach, and that the district had employed external computer forensics experts to determine the scope of the problem.

The cyberattack -- first detected Nov. 11 -- was also reported to the FBI and the Arkansas attorney general's office.

The School Board, in a 6-3 vote at a Dec. 5 public meeting, authorized Wright to enter into a settlement -- pay a ransom -- of at least $250,000 with an unnamed third party to end the cyberattack on the district's data networks as favorably as possible for the district.

"The investigation into the attack determined that some information stored on LRSD systems may have been accessed by unauthorized third parties," district leaders said in an April 12 update on the district's website. "That information was reviewed to identify any personally identifiable information that may have been impacted."

The district and its consultants, in the recently completed review, concluded that the information accessed by the threat actors contained individuals' names, addresses, Social Security numbers, financial account information, state and government identification numbers and limited medical information, the statement continued.

"While we are aware that information was taken from our systems by unauthorized third parties, we do not have any evidence that such information was actually viewed, used, or misused," the statement said.

"All such information was returned, and we have obtained assurances that no use was made of the information," the district statement continued.

"We have no evidence that personal information in this incident has been misused in any way. However, out of an abundance of caution, we are providing credit monitoring and identity protection services from Cyberscout at no cost."

Cyberscout is a division of Sontiq, which is an identity security company.

Questions or concerns from employees, student families and vendors can be directed to Cyberscout from 7 a.m. to 7 p.m. Monday through Friday at (833) 570-2993.

District leaders in the posted statement specifically urged that individuals be on the watch for identity theft or fraud by regularly reviewing their bank accounts and credit reports for suspicious activity.

Incidents of suspected identity theft should be reported to law enforcement or the attorney general.

The district also offered as a source of information on how to protect a person's identity the website

Since November, the Little Rock district has changed all its passwords and is now using a multi-factor authentication process for those accessing the district's data systems from remote points.

The district has also added controls to further segregate systems containing sensitive information, and put in endpoint threat intelligence software with 24/7 monitoring.

District leaders said in the statement that the review of the security breach is now complete and no additional notifications or updates are anticipated.

The data breach in November resulted in the Little Rock School Board meeting on Nov. 21, in a session for which no legally required public notice was given.

District leaders relied on state laws that exempted disclosure of security plans as a reason for the private session, although the laws did not authorize private school board meetings on the topic.

The district has since asked Sen. Clarke Tucker, D-Little Rock, to ask the Arkansas attorney general's office to issue an opinion on the legality of holding private school board meetings when reacting to a cyber or ransomware attack on a district's electronic information systems.

Eric Walker, an attorney for the Little Rock School District, said Monday that the pursuit of the opinion has been delayed by this year's legislative session, of which Tucker has been a part. The district is continuing to work with Tucker to request the opinion, Walker said.