“It is very confusing — what this means and what to do about it?” questioned Wendy Mistretta, Buffalo school parent, president, District Parent Coordinating Council.
The Buffalo Public School District is dealing with the fallout from the March 12 ransomware attack.
We’ve learned personal student, parent and teacher information has been breached.
Letters arrived Friday and over the weekend to school families and teachers indicating that private information could have been stolen in the cyber attack.
Mistretta says she received three letters about the ransomware attack targeting the district, letters to herself, son and daughter.
Mistretta's letter indicated a federal tax ID number, address and bank account information might have been breached.
The student letters also indicate that information including date of birth, race/ethnicity and special education information may have been compromised.
“What was breached for you and your family?” asked Buckley.
“Well, it's not entirely clear still — so potential breach,” replied Mistretta.
Instructions were different on all three letters. Her son's letter gave a website for enrolling in identity theft monitoring services.
“And it says in both their letters that their parents' information might be breached too, but there again is no offer to have identity monitoring services,” Mistretta explained.
“It’s not really clear. They know for sure it wasn't the social security number though, which means they do have clear indications of what was not taken,” noted Arun Vishwanath, cyber security expert, school parent.
Vishwanath says the district took too long to notify families.
“They could have right off — when this happened — told all the kids and all the parents — listen just lock the credits of all your children and yourself because there's no cost for doing that,” Vishwanath said.
Parents and the leader of the Buffalo Teachers' union are also upset that the letters came from an outside party, a company named Kroll, with no information directly from the city school district.
“Friday evening, we started getting phone calls from teachers — what's this mail — what's this all about,” recalled Phil Rumore, president, Buffalo Teachers Federation.
Rumore says they are not blaming the district for the cyber attack, but for how it was handled.
“Any idea how many teachers received these letters?” Buckley questioned.
“No, we don’t. We’re surveying our teachers today to ask them if they've received the letter because there were some people that did not receive the letter,” responded Rumore.
The district issued a statement saying it secured the services of Kroll, a fraud and identity theft restoration service at “no cost”:
"Information regarding anyone in our system may have been exposed in the attack. The Buffalo Public Schools has secured the services of Kroll to provide Fraud Consultation and Identity Theft Restoration at no cost to those in our system for one year. Kroll is a global leader in risk mitigation and response, and their team has extensive experience helping people who have sustained an unintentional exposure of confidential data.
As a precaution, Kroll has sent correspondence to any individual or vendor who may have had information exposed.
The FBI is still looking into our cyberattack as part of a larger group of investigations. Therefore, the District will not be commenting further on this matter at this time."
But letters to teachers indicated that employment data, direct deposit information and social security numbers may have been breached.
“Our teachers are very upset,” Rumore stated. “You know they have payroll deduction — checks go right into the bank, but you know something — the parents — their kids' information — you know they should have been in contact with us right away.”
“It is very confusing to have that information come from this outside service, Kroll,” Mistretta remarked.
“Right now this seems to be a bit more reactive because it’s now been 60 plus days since the breach,” noted Vishwanath.
There is still no information on where the cyber attack originated from or if any demands were made to the district.
Vishwanath says the district needs to be more transparent about the exact data breach.