97°F
weather icon Clear
Las Vegas, NV
Education

‘Entirely foreseeable event’: CCSD sued by parents over cyberattack

(Review-Journal file)
(Review-Journal file)
More Stories
Dads in Schools Founder Troy Martinez poses for a portrait after holding a meeting for the prog ...
Dads in Schools violence prevention program implemented at 37 CCSD campuses
Las Vegas City Hall is shown Tuesday, June 11, 2024. (K.M. Cannon/Las Vegas Review-Journal) @KM ...
Governments in Southern Nevada release heavily redacted public records
The Clark County Board of Trustees gathers for a school board meeting at CCSD’s Greer Ed ...
Preliminary results show CCSD trustee races close
Attendees check out a JCB Loadall in the parking lot during an event at the Southern Nevada Tra ...
Trades high school marks first year: ‘Experience, that helps you a lot more’
By / Las Vegas Review-Journal
November 2, 2023 - 3:48 pm
 
Updated November 3, 2023 - 2:08 pm

Two parents filed a class-action lawsuit Tuesday against the Clark County School District, alleging it failed to protect sensitive personal information and take steps to prevent a cybersecurity attack that occurred last month.

Erin Timrawi and a parent referred to as “Jane Doe” filed the complaint in District Court.

The complaint said the parents filed the lawsuit “to ensure that CCSD takes steps necessary to rectify its failures and secure the information of its students, parents, and teachers going forward.”

The school district said Thursday it does not comment on pending litigation.

Stephen Hackett, an attorney for the parents, said Thursday that he thinks the complaint speaks for itself.

The district has not been forthcoming with students and families to the extent that “they’ve downplayed the seriousness of the data breach,” he said.

Last month, the nation’s fifth-largest school district — which has about 300,000 students — announced it was affected by a “cybersecurity incident impacting its email environment” that occurred Oct. 5.

In response, the district restricted access to Google Workspace for students and employees to within school and administrative buildings for more than a week. It also outlined additional security measures in an email last month to employees.

Some parents say they have received a suspicious email alleging information has been leaked and including attachments with personal information — such as pictures and contact information — about their children.

The district said in a Wednesday night statement that the investigation into the cybersecurity incident “remains open and active” and that it’s cooperating with the FBI.

“We know that many families and staff are frustrated because of this incident, as are we, and we appreciate the patience being granted in this situation,” the district wrote. “As a district, we are not unique in this vulnerability, as school districts across the country have been victimized similarly, as have private sector entities.”

Last month the district said that it was working to identify those affected and that they would receive a letter in the mail.

The lawsuit filed Tuesday refers to the cybersecurity incident as a “ransomware attack,” which the district has not confirmed.

The complaint alleges that personal information for more than 200,000 people appears to have been stolen by a hacker group known as SingularityMD, which demanded a payment the district refused to make.

According to the complaint, the district hasn’t acknowledged that information is being publicly released or that “third-parties responsible for the attack may still have access to all of the District’s information.”

The incident led to the “compromise and public release of highly sensitive information” related to students, families and employees, the complaint said.

According to the complaint, the attack was an “entirely foreseeable event” that should have been prevented. The document notes that the district was affected by a ransomware attack in 2020.

The complaint alleges that the district “failed to implement reasonable and adequate security procedures,” failed to update software licenses and failed to implement “common password protections to prevent hacking of accounts.”

According to court documents, the district also has failed to adequately notify victims of the attack and hasn’t provided a formal data breach notice.

The complaint says those affected now face a “long-term battle against identity theft as a result of this breach,” noting it poses an “imminent and impending continuing risk.”

Hackett, the parents’ attorney, said Thurdsay that updates on the case and information on how to contact the Sklar Williams law firm will be posted on the firm’s website.

Contact Julie Wootton-Greener at jgreener@reviewjournal.com or 702-387-2921. Follow @julieswootton on X.

Don't miss the big stories. Like us on Facebook.
THE LATEST
MORE STORIES
recommend 1
Source: Findlay operations nearly idled, losses mount from cyberattack; suit filed
recommend 2
Parents of children sexually abused by school bus driver sue CCSD
recommend 3
CCSD’s budget for 2024-2025 reaches $3.5B
recommend 4
Jewish community members call on action from UNLV to address incidents
recommend 5
Judge orders Meta to detail policies about minors on app
recommend 6
CCSD moves closer to finding new superintendent, hires search firm