SAN BENITO: Like thousands of residents here, Ida Rodriguez is concerned a cyber attack on the San Benito school district's technology network could lead to the theft of her savings.

On Dec 30, district officials mailed out more than 21,653 letters to employees and former employees along with students and former students.

Now, officials believe the victims' stolen information lies within the hackers' website inside the so-called dark web.

Last week, Rodriguez, a former district assistant principal, received a letter warning her confidential information was stolen in the cybersecurity breach discovered around Nov 1.

"They can take your life's savings," Rodriguez, who retired in 2016, said Tuesday during an interview. "They have your Social Security number, they have your bank account. The damage is done. I'm just concerned for the community in general. People are complaining they weren't notified on time. Someone really dropped the ball. What a mess."

Like many residents, Raul Garcia, a former maintenance worker who retired about 20 years ago, received a letter addressed to another victim, Diana Garcia, his wife, said.

"Oh my God, I hope my husband's information is out there," she said. "You're looking at people's retirement. It's concerning to us. That's personal information that should be kept private. This is a disaster. Everybody's scared - especially people retired and getting benefits."

Stolen data on dark web

As part of an investigation, Cameron County District Attorney Luis Saenz has confirmed Karakurt, a data cyber extortion group, performed "a really sophisticated hack" to breach the district's security system.

On a government website, the FBI and the Cybersecurity and Infrastructure Security Agency warn Karakurt places its stolen personal information on the dark web, where the group makes it openly available.

A former district employee, who asked that his name not be used, said he has seen his phone number along with his children's and wife's personal information in the dark web.

About two months ago, he began receiving texted codes to log into a website, he said.

"I'm in the process of changing my bank account information," he said. "The kids - forever their information is out there."

Letters mailed to wrong addresses

For days, Facebook has been buzzing with residents' concerns after many began receiving letters addressed to other victims.

"Has anyone gotten someone else's letter from the data security incident that happened at SBCISD?" John M. Escobar posted. "I know of several people, including us, that their letter ended up somewhere else! This is not good! Someone is messing up bad! This should be of great concern to all of us! We need to bring it up to the administration."

In response, Laura L. Carmona stated she received the wrong letter.

"I got one with someone else's name but my address is in San Marcos!" she posted.

The number of letters mailed to wrong addresses was unclear.

"Seems like a lot of people are getting letters at their addresses but the letters are not theirs!" San Juana Limon posted. "Who messed up here? This is of great concern to all of us! Something has got to be done!

District mailed to last-known addresses

On Tuesday, district spokeswoman Isabel Gonzalez stated officials mailed the letters "to the last known addresses that the district had on file for the involved individuals."

"If the district had no valid address on file, the addresses were identified through the National Change of Address database and other publicly available information," she stated.

Officials are requesting victims who received letters mailed to others return them to district offices.

"If you suspect you may have erroneously received a letter or perhaps received one intended for another individual, we respectfully request that you mark the letter as 'wrong address' and return the letter to the return address," Superintendent Theresa Servellon stated.

Investigation findings

A district investigation found the cyberattack occurred before Nov 1, Servellon stated Friday on the district's website.

"On Nov 1, 2022, the Texas Education Agency, through the Region One Educational Service Center's Cybersecurity Department, informed San Benito CISD that sophisticated cybercriminals had allegedly gained unauthorised access to the district's servers based upon San Benito CISD's name appearing as a victim on the cybercriminals' website on the dark web," she stated

"The district immediately initiated its incident response plan and engaged outside cybersecurity experts to assist in its response and conduct an investigation," she stated.

From Nov 4 to Dec 16, the district conducted an investigation which found "an unauthorised party gained access to the district's network and took certain files from the district's servers prior to Nov 1," she stated.

Mail out

Then, officials began trying to identify employees and students whose personal information was stolen.

"During this time, our technology department conducted a thorough and exhaustive review of those involved files to identify each person, the information specific to each person included and to locate each person's contact information to notify them of the incident," Servellon stated. "In addition, the district developed bilingual notification letters and established a dedicated helpline where involved individuals can call to ask questions about the incident."

On Dec 30, officials mailed out 21,653 letters to victims' last-known addresses, with 12,080 letters sent to children, including "additional information about the incident and specific instructions for activating the free, one-year membership to identity monitoring services offered by the district through Experian," Servellon stated.

"San Benito CISD remains committed to protecting the confidentiality and security of the personal information it maintains," she stated. "To help prevent another incident from occurring, the district has worked with outside experts who have advised on enhanced security measures which the district has implemented to further strengthen the security of its network." – Valley Morning Star, Harlingen, Texas/Tribune News Service