Thousands of public school workers impacted by cyberattack on retirement plan administrator
A December 2024 cyberattack on a prominent administrator for retirement plans has exposed the information of thousands of public school teachers and employees across the U.S.
Dozens of public schools across the country reported data breaches to regulators in Maine, Massachusetts, Vermont and several other states this week, warning that sensitive data was stolen through Carruth Compliance Consulting — a company that provides third-party administrative services to public school districts and non-profit organizations for their 403(b) and 457(b) retirement savings plans.
Most of the data breach notices are identical, and a Recorded Future News analysis of Maine’s breach site found 11 public schools and colleges impacted across Pennsylvania, Oregon, California, Illinois and New York. In total, more than 40,000 teachers and school employees were impacted. Dozens of other schools reported breaches to other state regulators, indicating the number of people impacted is likely much higher.
A new cybercriminal operation named Skira Team took credit for the attack on Thursday, claiming to have stolen data from 36 public schools.
Carruth Compliance Consulting did not respond to requests for comment.
The company posted its own notice on its website in January explaining that on December 21, the company “identified suspicious activity that impacted the operability of certain computer systems within our environment.”
The Oregon-based firm hired a third-party specialist to investigate the incident and found that systems were accessed between December 19 and December 26. The hackers copied files from the company's system that included names, Social Security numbers and financial account information.
In some instances, the hackers stole driver's license numbers, W-2 information, medical billing information and tax filings. The company noted that if employees provided it with the personal information of beneficiaries, the beneficiaries' information was likely also affected.
In all of the breach notification letters, the company said it informed the specific school district or school about the incident and each determined which of their employees had been impacted. Most schools and districts completed the review by February 24 or 25.
The company has already been hit with multiple class action lawsuits over the data breach and several law firms are contacting victims.
Some school districts are posting their own notices, including Seattle Public Schools, which warned that anyone employed there between 2008 and 2024 was affected. At least one school district said they will no longer work with Carruth Compliance Consulting going forward.
The incident emerged at the same time that another popular school contractor, PowerSchool, said about 6,500 of its more than 18,000 clients were impacted in a hack announced in January.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.