Some former employees of Granite School District in Utah are reporting frustration and anger with the district’s incident response to an attack by the Rhysida group. One has written up what he found when he examined the publicly leaked data.
On September 20, 2024, Granite became aware of suspicious activity on its network. An investigation determined that between September 11 and September 25, 2025, an “unknown, unauthorized actor” gained access to certain computer systems and accessed and/or acquired files stored on those computer systems.
By now, however, the district knows that their attackers are known as “Rhysida” because on November 9, Rhysida publicly claimed responsibility for the attack and dumped what they described as 2.4 TB of data with 7,481,051 files. A note on Rhysida’s darkweb leak site claims, “All files was uploaded to public access, data hunters, enjoy” (sic).
More than one month later, does the district know what types of information are in the publicly available leak? Former employees want to know why the district hasn’t disclosed more about how they may be affected.
Students Affected
Before this past week, the district had not publicly disclosed that all students were affected by the breach. A December 13 notice and FAQ on the district’s site now states, “Unfortunately, all student records were accessed. This includes all current and former Granite School District students.” Parents of affected students are reportedly being notified by email that the types of student information included name, address, phone number, any associated health information, grades and assessment results, and in some cases, SSN. The FAQ does not mention that parent or guardian information might also be included.
Employees Affected
The district had previously reported that only current employees were affected. That was incorrect. Over time, their disclosure has changed, but more than one month after Rhysida revealed the attack, the district still has not completed its assessment concerning former employees or dependents and family members of current or former employees.
In an FAQ for employees that was most recently updated on November 27, 2024, the district writes:
Does this breach include the SSN’s of employee dependents on our insurance as well?
Our data mining investigation thus far discovered that payroll information had been stolen. That information did not contain information about dependents or spouses.
Is there any concern that our family members’ information may have been included as well (e.g., if our family is on our district-provided insurance)?
Our data mining efforts show no indication that any family members’ information was part of the data breach. If we uncover anything, we will communicate it promptly.
According to a former employee, those statements by the district are inaccurate, as reported later in this post.
How far back does the breach go so former employees can also take the necessary actions?
At this stage, we have determined that employees’ bank account numbers were compromised back to 7/1/2020. There may be other employees who had additional personally identifiable information (not bank accounts) compromised back further, we are still in the process of determining the extent of that information. No employee’s family members’ personally identifiable information (PII) was compromised as part of this payroll information breach.
As Fox News reported, former employee Sheri Harris didn’t realize she was potentially affected by the breach until she saw a former co-worker’s Facebook post about it last week. She had received no notification whatsoever. Harris said the security breach forced her to cancel her main bank account that she’s had for 20 years, but it’s not clear from the news report if she canceled it as a precaution or if she canceled it because she had spotted some possible fraudulent use of the account. It was her main account and used to pay bills, so the impact has been time-consuming and anxiety-producing, she says.
The district’s most recent breach update of November 27 has this in the FAQ:
How are former employees being notified?
We are still data mining to determine which former employees have been impacted. We are working with our insurance company, which will provide a call center and mailing service for former employees to receive information and support. We are working on determining and providing the addresses of all former employees so they receive notification. If current employees know former employees who were employed after 7/1/2020 but are no longer with Granite, please help alert them to the district information link and this FAQ.
Has the district issued any actual press releases distributed to local media outlets to get the word out to former employees that they may be affected by the breach?
A Former Employee Digs Into the Data Dump
Harris is not the only former employee to express concern. On December 11, DataBreaches received an email from a frustrated and angry former employee. He informed DataBreaches that he had already determined that the district’s early claims about no former employees being affected were inaccurate, and that their claims about no dependents or family members being affected were also inaccurate. Keeping in mind that the following was written before the district’s updated FAQ to students and parents on December 13 but after the last update of November 27 to employees, the former employee wrote to DataBreaches:
The school has publicly reported that only current employee payroll data was in the breach and that it does not include dependents or spouses SSNs etc. The data breach actually includes payroll data dating back to 1999 and DOES include employees who are retired or no longer there. I have verified this with someone who I know who retired years ago and their information was in the breach. The data also includes SSNs and other information for spouses and dependents.
Aside from this, payroll data appears to be a small part of the breach as a majority of the breach appears to be student records, some dating back to scanned copies from the 1980s. Many of these records include student social security numbers / social security cards / passports etc. The student records include:
- Student transcripts
- Student enrollment / transfer etc records
- Student immunization records
- Student report cards
- Student referral to services
- Student birth certificates
- Court documents involving guardianship records of students
- Police records involving students and internal investigations
- Student visa/immigration documents
- Adult education records including copies of driver’s licenses and/or social security cards
- In some cases parent driver’s license / social security cards / passports etc where they have been asked for these to confirm identity.
Note that DataBreaches’ correspondent reported all this on December 11, two days before Granite’s update for students and parents. Even when Granite then reported that all students were affected, they did not disclose the range of personal or parental information that was accessed. The correspondent’s email also contained significant information of interest to former employees as well as spouses and dependents that has not been revealed or confirmed by the District as yet.
DataBreaches did not go through the data leak to attempt to validate all of the former employee’s claims.
“I understand that the school needs time to go through the files,” he wrote, “however, it took me approximately 3 hours to determine that the breach included all payroll back to 1999, had dependents / spouses, and mostly consisted of student records. I believe they should be reporting the extent of the breach.”
As of this morning, he has still not been notified by the district.
Update of 12/21/2024: 450,000 students.