A cyber attack on consultant Carruth Compliance Consulting has resulted in a data breach, potentially compromising the sensitive information of thousands of current and former Oregon school district employees.
The Carruth Compliance Consulting cyberattack, which occurred between December 19th and 26th, 2024, targeted the company’s computer systems. The breach exposed names, Social Security numbers, and financial account information.
In some cases, driver’s license numbers, W-2 information, medical billing information (but not medical records), and tax filings were also affected.
The breach impacts numerous school districts across Oregon, including those within the Linn Benton Lincoln Education Service District (LBL ESD).
This includes the Greater Albany Public Schools (GAPS), Corvallis School District, and Lebanon Community School District.
“There are people potentially impacted by this that haven’t worked for our districts for quite some time.”
Jason Hay, the LBL ESD superintendent.
The Lebanon school district’s notice specified the potential impact on staff employed between 2008 and January 2025, while GAPS noted a potential impact dating back to January 1st, 2009. Superintendent Hay estimates the number of affected individuals could be in the thousands.
Carruth Compliance Consulting, which manages retirement plans for several school districts and nonprofits, notified clients of the data breach on January 13th, 2025.
The company’s statement detailed the investigation launched after detecting suspicious activity on December 21st. They also reported the incident to the Federal Bureau of Investigation.
The school district employees affected are being offered free credit monitoring services by Carruth Compliance Consulting. GAPS has announced that no further retirement account transactions from district employees will be processed by the company for the foreseeable future.
The district is working with Carruth, its insurers, and others to understand the full scope of the incident and ensure all affected employees are notified. Other districts are taking similar steps, collaborating with their cybersecurity coverage carriers and following their recommendations. PACE (Property and Casualty Coverage for Education), which covers most Oregon school districts, is also working with Carruth to assess the impact.
This incident highlights the importance of cybersecurity measures in educational institutions. While no school system was directly breached, the vulnerability of education agencies is evident.
As Superintendent Hay noted, “It’s really sad this is where we’re at.”
The incident underscores the need for best practices for employees regarding data protection after a breach, the role of credit monitoring services following a data compromise, and the potential risks associated with compromised personal information.
Schools must improve their cybersecurity posture to mitigate future risks. The incident serves as a stark reminder of the critical need for robust cybersecurity practices and employee training within educational institutions. The recommendations for schools to improve their cybersecurity posture are crucial for preventing future incidents.
