‘Entirely foreseeable event’: CCSD sued by parents over cyberattack
Two parents filed a class-action lawsuit Tuesday against the Clark County School District, alleging it failed to protect sensitive personal information and take steps to prevent a cybersecurity attack that occurred last month.
Erin Timrawi and a parent referred to as “Jane Doe” filed the complaint in District Court.
The complaint said the parents filed the lawsuit “to ensure that CCSD takes steps necessary to rectify its failures and secure the information of its students, parents, and teachers going forward.”
The school district said Thursday it does not comment on pending litigation.
Stephen Hackett, an attorney for the parents, said Thursday that he thinks the complaint speaks for itself.
The district has not been forthcoming with students and families to the extent that “they’ve downplayed the seriousness of the data breach,” he said.
Last month, the nation’s fifth-largest school district — which has about 300,000 students — announced it was affected by a “cybersecurity incident impacting its email environment” that occurred Oct. 5.
In response, the district restricted access to Google Workspace for students and employees to within school and administrative buildings for more than a week. It also outlined additional security measures in an email last month to employees.
Some parents say they have received a suspicious email alleging information has been leaked and including attachments with personal information — such as pictures and contact information — about their children.
The district said in a Wednesday night statement that the investigation into the cybersecurity incident “remains open and active” and that it’s cooperating with the FBI.
“We know that many families and staff are frustrated because of this incident, as are we, and we appreciate the patience being granted in this situation,” the district wrote. “As a district, we are not unique in this vulnerability, as school districts across the country have been victimized similarly, as have private sector entities.”
Last month the district said that it was working to identify those affected and that they would receive a letter in the mail.
The lawsuit filed Tuesday refers to the cybersecurity incident as a “ransomware attack,” which the district has not confirmed.
The complaint alleges that personal information for more than 200,000 people appears to have been stolen by a hacker group known as SingularityMD, which demanded a payment the district refused to make.
According to the complaint, the district hasn’t acknowledged that information is being publicly released or that “third-parties responsible for the attack may still have access to all of the District’s information.”
The incident led to the “compromise and public release of highly sensitive information” related to students, families and employees, the complaint said.
According to the complaint, the attack was an “entirely foreseeable event” that should have been prevented. The document notes that the district was affected by a ransomware attack in 2020.
The complaint alleges that the district “failed to implement reasonable and adequate security procedures,” failed to update software licenses and failed to implement “common password protections to prevent hacking of accounts.”
According to court documents, the district also has failed to adequately notify victims of the attack and hasn’t provided a formal data breach notice.
The complaint says those affected now face a “long-term battle against identity theft as a result of this breach,” noting it poses an “imminent and impending continuing risk.”
Hackett, the parents’ attorney, said Thurdsay that updates on the case and information on how to contact the Sklar Williams law firm will be posted on the firm’s website.
Contact Julie Wootton-Greener at jgreener@reviewjournal.com or 702-387-2921. Follow @julieswootton on X.