Names, Social Security numbers exposed in data breach at Elmbrook

Data breach at Elmbrook School District exposes personal information about former and current employees

ALEC JOHNSON, Milwaukee Journal Sentinel

A breach that exposed the names and Social Security numbers of current and former Elmbrook School District employees continued even after the district was aware of the problem.

The district learned its system had been compromised on Aug. 23, 2022, according to Elmbrook School Chief Strategy Officer Chris Thompson. Files were removed from Aug. 23-27, 2022, an investigation revealed.

"These were professional cyber criminals. This is not something your antivirus software cleans up. I cannot comment on the efforts required to secure our network," Thompson said in a text message to a reporter asking why the breach continued even after the district was aware of the problem.

He declined to share the number of people affected by the breach.

How long it takes to stop a cyberattack depends on its nature and complexity, according to Kahled Sabha, a senior lecturer at the University of Wisconsin-Milwaukee's School of Information Studies who specializes in computer networking and cybersecurity.

"Some breaches can be stopped once they have started & some may take time. ... It may look like the attack has stopped, but then they find out later the malware hid itself from being discovered because it is a very sophisticated malware. So, it all depends on the attack," Sabha explained in an email. "That’s why forensics investigators go through many steps to make sure that the attacked system is completely clean of any malware. Several tests & monitoring have to be done on the attacked system as well as the whole network to make sure it is clean & can be reused."

The district has offered a one-year complimentary membership to a credit monitoring service to those affected.

Once it learned of the breach, the district investigated, with the help of cybersecurity professionals. The initial group of employees affected was informed in late September and October 2022, Thompson said.

Thompson said the breach also targeted other K-12 school districts across the country. He said the district was never locked out of its files, nor was there a ransom request for those files.

"We were lucky that we had an early detection program active, so we got an early notice of the attack. That allowed us, first of all, to respond to the attack, but also to engage our cybersecurity insurance, which we had, and access more resources for a cyberdefense strategy," Thompson said in a phone interview. "Over the course of a couple of weeks, that resource was helpful in responding to additional attacks and then also setting our network up for prevention going forward."

All active employees and some of their dependents, if they were on the district's insurance plan, were affected, as well as more recent former employees, Thompson said. The district informed that group of employees in late September and October 2022.

The district then worked with a third-party company to conduct a forensics investigation on all the breached files, which identified additional people whose information was compromised. Thompson said it took longer to identify the others affected by the breach due to the large number of files that had to be reviewed.

To improve its data security, Thompson said, the district has partnered with a security service firm to provide 24/7 managed services for its network.

"If there are abnormalities, we can guarantee a quick response and augment our district staff, who obviously don't work 24/7," said Thompson.

Data breach 'a great inconvenience'

Former Elmbrook employee Luna Cieslak was among those whose information was compromised. She didn't learn of the breach until late March.

"We had to call the credit card companies. We had to call the bank to put a freeze on our credit line. So down the line, if I'm going to redo a lease on my car, there's a lot of hoops we have to go through to make that happen because they couldn't protect my information. Not only is it a great inconvenience for me or us as a family, but it makes me feel uncertain that my financial well-being is safe," Cieslak said in a phone interview.

Cieslak said she had worked in the district as a health room aide for a few years in the 2000s, primarily at Brookfield Elementary.

"That was also very surprising that I hadn't worked for the school system for so long and still my information was breached. I don't know much about breaches, but that's a big one if they breach information that goes that far back. One can only imagine how far back information has been breached even though this was a breach done last year," Cieslak said.

Thompson said the district has compared its procedures for handling personally identifiable information with state requirements and storage best practices, and has implemented those practices. It has also put in place a training program to increase staff awareness about cybersecurity.

"There are many different reasons for our staff to use personally identifiable information, like for federal reporting reasons. Just the procedures around where information lives, where it's transferred to, entities that need it and what happens to it afterwards. I think it's just tightening up that workflow of information across our network and other networks too," said Thompson.