A malware attack on a state employee's computer resulted in a data breach that exposed the personal information of Texas students in 39 school districts, five of which are in Denton County.
The Texas Department of Agriculture notified school districts about Nov. 22 of an incident on Oct. 26. According to the agency's security notice on its website, an employee's state-issued laptop was attacked by a type of malicious software called "ransomware," which threatens to publish data unless a ransom is paid.
The Texas Department of Agriculture oversees the federal nutrition program that provides school breakfasts and lunches. Because of that, the agency identified more than 700 students whose personal information might have been stolen by an unauthorized person. Officials said that information could include names, home addresses, birth dates, phone numbers and Social Security numbers of students and their families.
"We have no indication right now that any of this information has been misused," said Mark Loeffler, the director of communications for the Texas Department of Agriculture. "We wanted to make sure we knew exactly what the scope was and how many pieces of personal information were compromised before we sent anything out. We had to go through a manual process to confirm that."
The five Denton County school districts affected by the breach include Argyle, Krum, Lake Dallas, Pilot Point and Ponder. The other 34 districts mostly are centered in the North and East Texas regions. The districts also vary in size, ranging from the 138 students enrolled at Karnack ISD on the Texas-Louisiana border to the 15,185 enrolled at Crowley ISD near Fort Worth.
Outside of what was in the Texas Department of Agriculture's security notice, school officials haven't received much more information on how to proceed, they said. Right now, it's unclear which students, if any, have been impacted by the breach.
"At this point, we do not know how many students were affected, but we do know that the category of the breach was with free or reduced information only," Lake Dallas Superintendent Gayle Stinson said in a statement.
Argyle ISD Superintendent Telena Wright said she hasn't gotten much feedback from the agency.
"We've gotten nothing except the notice from TDA with our name on the list," she said. "Our child nutrition director reached out, but hasn't heard anything back yet."
Ponder ISD Superintendent Bruce Yeager said he wasn't even notified by the agriculture department about the breach. He said he heard about it from a district technology employee, who was friends with someone in another affected district. Loeffler said some of the notices the agency sent out to affected districts went into junk or spam folders.
"I've been doing this a long time and this is pretty peculiar," Yeager said. "What's unusual is the way [the Texas Department of Agriculture] posted the notification and you had to go out and find it. The Department of Agriculture had this breach and it's kind of rolled back on us to figure out."
Ponder and Pilot Point posted a notice on their district websites about the breach, while Krum, Argyle and Lake Dallas sent out emails to parents. The Texas Department of Agriculture recommends activating free fraud alerts through Experian, TransUnion or Equifax.
"It is precautionary," Loeffler said of the free fraud alerts. "If there are concerns for parents, that's a step they can take that will bring them peace of mind."
For questions or more information, contact the Texas Department of Agriculture's information security officer Tahjar Roamartinez at 512-936-4117 or at Tahjar.Roamartinez@TexasAgriculture.gov.
CAITLYN JONES can be reached at 940-566-6862.