37°F
weather icon Cloudy

CCSD tech chief went to Disney World in midst of massive data breach, staffers say

Technology employees in the Clark County School District blame last year’s data breach, and its chaotic aftermath, on failed leadership in the department — including a trip to Disney World by the district’s chief information officer in the middle of the crisis.

The data breach on Oct. 4, 2023 — which User Services Director Rick Allen said was one of the largest in the state’s history — exposed over 200,000 people, according to many present and former employees in the technology department. The hacker had access to student accounts at least until Nov. 13, Allen said.

Former product specialist Jesse Henderson told the Las Vegas Review-Journal that he recommends any student in the district freeze their credit and look into identity protection services when they turn 18. He, as well as technology employee Hunter Nolen, said that students’ pictures, addresses and birthdays are on the internet, and that it is not difficult for someone to find it and scam them.

Several employees have criticized Chief Information Officer Marilyn Delmont and Enterprise Technology Officer David Rosario for what they call their failure of leadership, both before and after the breach.

“I know that the exploits, the vulnerability that the hackers used to get in, is one that’s been known for a very long time, and I can almost guarantee that this was brought up to people,” Henderson said, adding that there are automated tools that show red flags. “It’s almost inconceivable to me that that didn’t happen, and that … the executive people just chose not to act on it, or didn’t understand the severity of it, I don’t know.”

In the aftermath, things were not much better, they said.

Delmont, who oversees the district’s Technology and Information Systems Services Division, traveled to Walt Disney World resorts in Florida on the district’s credit card during the breach. The trip was to the Gartner IT Symposium/Xpo 2023 for a conference on artificial intelligence. In total, Delmont’s trip from Oct. 16 to Oct. 19 — just weeks after the breach — cost the district $2,469.48, according to public records sent to the Review-Journal.

Last week, the Review-Journal revealed an April lawsuit filed by Allen, which accused the department of hostility and discrimination. The complaint includes information about last year’s data breach and its aftermath as well as accusations of irresponsible use of funds that hurt schools, which could offer some insight into what may have gone on behind the scenes in two of the school district’s largest crises: the data breach and the budget deficit.

Defendants have filed motions to dismiss portions of the complaint, but have not responded to the remainder.

Delmont did not respond to the Review-Journal’s question about the trip, nor any of the complaints alleged by her employees. CCSD said it did not comment on litigation or personnel matters.

This past week, the Review-Journal spoke to several past and current district technology employees who described similar experiences of discrimination and hostility. Allen’s complaint alleges retaliation due, initially, to his refusal to hire Delmont’s daughter. Other employees said they have faced issues when they have come to his defense.

Technology employees Hunter Nolen and Tamara Pfeffer said that, in February, they were both asked to sign witness statements written by Delmont made out to make Allen seem as though he were lying. Nolen amended it and then signed it, according to a copy sent to the Review-Journal. Pfeffer said she was told to sign it without reading it, and she refused.

Months later, they were among the 26 employees in the user services department that were surplussed — a process in which employees are reassigned to another job in the district, which can sometimes result in demotions. Delmont and Rosario had told CCSD administrators it was a budgetary decision, but employees have said it was a form of retaliation. Pfeffer, Nolen and technology employee Angela Longman all told the Review-Journal that employees who showed loyalty to Allen were targeted. The surplussing decision hurt the employees but also weakened the district’s response in the aftermath of the data breach, they said.

General mismanagement

Anthony Pulido, a former administrator in the department, sent the Review-Journal an email with a list of issues he had with Delmont attending the conference during the breach. He said Delmont was “absent from the district when she was needed most.” He said her absence undermined the district’s response capabilities by being unavailable and heightened the risk for students who were exposed.

“It’s painful to witness a Chief Information Officer using conventions as a pretext for expensive vacations, all funded by taxpayer dollars, while the district’s cybersecurity issues remain unaddressed,” Pulido wrote. “Instead of fixing critical problems, leadership is focused on covering them up. Meanwhile, hundreds of systems, including ccsdapps.net and hr.ccsdapps.net, remain insecure. These aren’t just technical vulnerabilities they represent a failure of leadership that puts every student and staff member at risk.”

After the breach, several of the employees said it took the district a long time before disclosing it to the public. Teachers and parents complained of a lack of information about the breach and its impacts at the time, including a lawsuit filed by parents for what they said was the district’s lack of information and action in its aftermath.

After the fact, Allen said, the responses were weak and the department spent millions of dollars on outside consultants who added little value. Interim Superintendent Brenda Larsen-Mitchell, in a Sept. 27 statement, blamed the potential deficit — originally estimated at $20 million before being reduced to $10.9 million — on unanticipated increased litigation and cybersecurity expenses. In the 2024-2025 tentative budget, the district added $14.9 million to support the purchase of Fortinet Enterprise cybersecurity software and service to help protect the district from cybersecurity threats.

Complaints about top technology officials’ actions during the data breach reflected a greater sense of dissatisfaction among employees who said Delmont and Rosario displayed little technical knowledge and hostility towards those who spoke up.

Henderson described Rosario as “flailing around doing nothing.”

Rosario did not respond to requests for comment.

Nolen said that Delmont often told staff that she did not know much about technology, but that it did not matter because she was a leader.

Delmont was the former administrator and chief information officer at Nevada’s Department of Employment, Training, and Rehabilitation, which faced significant delays during COVID. She was hired by former Superintendent Jesus Jara in January 2022. In 2023, she received $274,779 in salary and benefits, according to CCSD records. Rosario was hired by Delmont and received $102,225.

“Drastic things changed since Marilyn Delmont came to the position,” said Tommy Lien, an employee who has been surplussed twice.

Surplussing

In July, 26 employees in the Technology and Information Systems Services Division were officially surplussed.

In a March board meeting, Pfeffer, Nolen and Angela Longman all testified that their positions were not funded by the federal Elementary and Secondary School Emergency Relief that had been cited as the reason for the cuts.

At the same time, the department spent $30 million on new Chromebooks despite the fact that Google had extended the life of Chromebooks that CCSD already had, making the addition unnecessary, according to Allen’s complaint.

The complaint also said Rosario also changed the Chromebook distribution so that they were sent to a warehouse instead of schools, which meant that as of Feb. 25 of this year, 40,000 Chromebooks remain unused.

With the surplussing of employees came both chaos and a loss of institutional knowledge, Nolen and Henderson said. Nolen referred to Henderson, who left amid the surplussing for a job at the city of North Las Vegas, specifically as a “genius tech guru.” It was Henderson who eventually fixed the password amid the data breach in one morning, he said.

“Not only did she use taxpayer funds to go to Disney World, she then shrank her IT staff,” Nolen said in an interview with the Review-Journal.

Henderson and Pfeffer both said they continue to be contacted for help on issues they used to work on.

“There’s no one in the district that knows the front end and the back end like I do to actually help support these techs and these schools and these teachers to help these students be able to learn the most efficient way,” Pfeffer said.

Pfeffer, who has been on crutches for three years, also accused the district of not having the proper accommodations for her in an interview with the Review-Journal. She and several other employees also described Rosario as treating employees with autism in a particularly condescending way, which is also included in Allen’s complaint.

“If it’s not one thing, it’s another after another after another with them. There’s no winning with them at this moment,” Pfeffer said.

Contact Katie Futterman at kfutterman@reviewjournal.com.

MOST READ: POLITICS & GOVT
Don't miss the big stories. Like us on Facebook.
THE LATEST
MORE STORIES