蜜桃影视

Get stories like this delivered straight to your inbox. Sign up for 蜜桃影视 Newsletter

Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes 鈥� and subsequent data breaches 鈥� have played out in your own community. Here鈥檚 what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana.

The school district in Louisiana鈥檚 St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack 鈥� long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general鈥檚 office. 

A December 2023 investigation by 蜜桃影视 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack. 

Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status.

Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online. 

鈥淭hey want to brush everything under the rug,鈥� said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. 鈥淭he districts don鈥檛 want bad publicity.鈥�

Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary. 

After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district鈥檚 supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws. 

鈥淲e never received reports of the actual information that was obtained,鈥� she said in November 2023. 鈥淎ll of that is under investigation. We have not received anything in regards to that investigation.鈥� 

Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general鈥檚 office was on the  phone with the district, questioning them 鈥渄irectly in response to the article鈥� and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal. 

Under Louisiana鈥檚 breach notification law, schools and other entities are required to notify affected individuals 鈥渨ithout unreasonable delay,鈥� and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general鈥檚 office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark.

School board attorney Courtney Joiner responded a day later to the attorney general鈥檚 office, saying they were working 鈥渢o address the notice issue without further delay.鈥�

In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their 鈥渟ensitive information may have been obtained by an unknown malicious third-party,鈥� records show. Officials didn鈥檛 send a formal notice to the AG鈥檚 office until Jan. 10, 2024.

Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter 鈥渨ell after the fact鈥� she and her colleagues had been victimized. 

鈥淚 really thought it was too little, too late,鈥� she told reporters. 鈥淭his should have happened much earlier.鈥� 

School officials couldn鈥檛 be reached for comment for this story.

This story was supported by a grant from the Fund for Investigative Journalism.

Did you use this article in your work?

We鈥檇 love to hear how 蜜桃影视鈥檚 reporting is helping educators, researchers, and policymakers.