In August 2023, Prince George’s County Public Schools disclosed a cyberattack. At the time, they reported that “an estimated 4,500 user accounts out of 180,000 were impacted, primarily staff accounts. The school system is still assessing the full scope of this incident, but as of this time, the main business and student information systems – Oracle and SchoolMAX – do not appear to be impacted by this event.”
In November, the Rhysida ransomware group claimed responsibility for the attack and put the data up for sale. They would later update the listing to leak data that they did not sell (whether they ever really sold any of the data is unknown to DataBreaches).
This week, the district notified the Maine Attorney General’s Office that 99,543 were affected by the attack. Their submitted notification letter states:
The information present in the files that may have been viewed or acquired as a result of this incident varies per person, and includes individuals’ names, financial account information, and Social Security Number.
A second template letter submitted to the state did not disclose all the data types, but was addressed to those who might be employees, prospective employees, or current or former students.
PG County is in Maryland, not Maine.
True, but I correctly reported that their report was to the Maine Attorney General’s Office, where they were required to report it because one or more Maine residents were affected.