TUSD’s Cyber Shutdown: District answers why parents not warned students info may be stolen

Published: Apr. 10, 2023 at 7:31 PM MST|Updated: Apr. 11, 2023 at 9:16 AM MST
Email This Link
Share on Pinterest
Share on LinkedIn

TUCSON, Ariz. (13 News) - TUSD notified staff just days after the attack that the cybercriminals claimed to have stolen confidential data, but TUSD leaders didn’t tell parents and students.

The district encouraged the staff to watch their financial accounts and consider cybersecurity measures.

But the superintendent didn’t tell parents even though the hackers claimed it had the students’ information with proof.

13 News Investigates asked Gabriel Trujillo for an interview, but he declined and instead allowed us to talk to Chief Operations Officer Blaine Young.

Four days after the ransomware attack, the cybercriminal group, Royal, sent an email to the district that it had “stolen up to 290 GB of data, including all personal students’ info” -- social security numbers, birth certificates and more.

The hackers sent what it claimed was proof.

Royal warned TUSD in the email, “Just imagine what will happen if such data leak into the internet.”

The same day, the district notified just the staff to review their financial account statements for fraudulent activity.

Chief Operations Officer Blaine Young told 13 News Investigates that staff was told to be vigilant despite the message saying “all students’ info.”

13 News asked Young why not tell parents about the attack and to be vigilant.

“That was no way known from our forensics was seeing that there was any indication what they actually did have when that communication when out,” he said.

Young said the investigation is not over and when the district knows exactly what they’re dealing with they’ll let the TUSD community know.

“As the superintendent, he’s gotta make sure that he’s communicating what is known at a given time, particularly with the staff,” he said.

13 News Investigates wanted to know why TUSD addressed the attack with staff and not tell the parents.

“We were just talking about in an abundance of caution because that was what we knew at the time,” he said. “From my recall that is what I believe was the thinking at the time.”

Cybersecurity experts say if there’s no proof hackers “don’t have all of it” you have to assume they do.

Victor Wieczorek of Guidepoint Security said, “We all have to go on the assumption that our data has been lost one-way shape, or form and it’s a terrible reality to live in.”

Royal did manage to steal information, which was revealed a month later.

Trujillo sent out this notification to the TUSD community that the hackers had sensitive “staff info and the district is working to determine the extent.”

So two notifications about a month apart and still no mention to parents that cybercriminals could have stolen sensitive student information.

13 News Investigates asked if there is any plan to tell parents.

“I have no idea what might be revealed in the future,” he said. “But I assure you that we’re going to be keeping the board and through that process or in conjunction with that process are community updates.”