Linn-Mar school staff information compromised in cybersecurity breach

MARION — Names and Social Security numbers of thousands of current and former employees may have been stolen over the summer in a cybersecurity breach at the Linn-Mar Community School District, a new filing shows.

While the school district has no evidence of actual or attempted misuse of any information, they could not rule out the possibility of an unknown actor gaining access to 5,698 current and former employees’ personal data, according to a letter submitted Monday to the Iowa Attorney General’s Office by the law firm Mullen Coughlin LLC on behalf of the Linn-Mar district.

No student data was compromised because it is stored on a third-party system not affected by the breach, according to the letter.

Anyone who encounters a security breach that affects at least 500 Iowa residents must provide notice to the state Attorney General’s Consumer Protection Division within five business days after telling affected people.

Last Friday, Linn-Mar provided written notice of this incident to those potentially affected. The district is providing access to credit monitoring services for 12 months at no cost through IDX — a digital privacy protection platform — to people whose personal information was potentially affected.

⧉ Related article: Records: FBI investigated August ‘computer breach’ at Linn-Mar

Linn-Mar also is providing potentially impacted people with guidance on how to better protect against identity theft and fraud, including how to place a fraud alert and security freeze on a credit file, information on protecting against tax fraud, contact details for national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and encouraging them the contact the Federal Trade Commission, their state Attorney General and law enforcement to report attempted or actual identity theft and fraud.

Cybersecurity breach detected

The Linn-Mar district identified unusual activity on its systems around July 31, according to the letter. The district quickly disconnected those systems and launched an investigation to determine the nature and scope of the activity.

Linn-Mar also promptly reported this to federal law enforcement and is cooperating with their investigation, the letter said.

It was determined an unknown actor gained access to certain systems and conducted activity on those systems between July 26 and Aug. 1, according to the letter.

The district publicly announced Aug. 2 that it was investigating the source of why its phones went down and why its computer systems were disrupted. In records obtained by The Gazette last month, Associate Superintendent Nathan Wear described the disruption as a “computer breach.”

Since then, the district has gone through a “lengthy and labor-intensive process” with forensic specialists to identify what information was obtained, according to the letter. This review was completed Sept. 20.

Since the breach, the district also has implemented additional safeguards and training for its employees, according to the letter.

Cedar Rapids schools’ ransomware attack

The Linn-Mar cybersecurity breach happened a month after a ransomware attack closed Cedar Rapids schools and compromised personal information of 8,790 current and former employees.

The Cedar Rapids Community School District later paid an undisclosed ransom to a criminal group that attacked its computers.

On Monday, the Cedar Rapids school board approved additional cybersecurity services. An agreement with Solaris Security was approved to provide additional services with the districts’ existing security infrastructure for the 2022-23 school year, according to board documents.

The board also approved an agreement for data backup through Google’s cloud services. Three vendors submitted quotes to provide the district with a monthly subscription per user. The final selection was determined based on costs, services covered and security.

Due to security concerns, the selected product remains confidential, according to board documents. The annual cost for the services is $29,970.

Comments: (319) 398-8411; grace.king@thegazette.com