Three more public school districts have reported a data breach that affected employees participating in their 403(b) and 457(b) defined contribution plans, bringing the total number of schools struck by the breach to 15, according to notifications filed with the Maine attorney general’s office on March 4.
The recent notifications follow earlier filings made by 12 public schools and community colleges beginning Feb. 28. To date, the breach has exposed the personal information of 76,899 retirement savers, the filings showed.
The cyber thieves accessed the data without authorization by hacking the computer systems of Carruth Compliance Consulting (CCC), a third-party service vendor the schools used to administer their 403(b) and 457(b) retirement plans.
The stolen personal data included individuals’ names and a combination of their Social Security numbers and financial account information. In more limited circumstances, the data also included driver’s license numbers, W-2 information, medical billing information and tax filings.
CCC determined that the hack occurred between Dec. 19 and Dec. 26, during which time files were copied from its systems. When CCC became aware of suspicious activity, it began working with third-party specialists to investigate what happened and alerted the FBI.
It notified the affected educational institutions Jan. 13, according to the filings.
CCC did not respond to a request for comment. In a notice posted on its website, the company provided information about the cyber event and its response. “The confidentiality, privacy and security of information in our care is among our highest priorities,” it said.
The three most recent school districts to report the breach were Multnomah Education Service District, Centennial School District and Bend-La Pine School District, all in Oregon. Of the three, Multnomah was the hardest hit, with 11,067 employees affected, followed by Bend-La Pine with 9,749 and Centennial with 7,664.
None of the three schools responded to a request for comment.
“An investigation revealed that unauthorized access to Carruth’s network occurred in late December 2024, resulting in the compromise of sensitive employee (current and former) data for Carruth’s clients, including Centennial,” Centennial said in a statement on its website.
In a notification letter to affected employees on Feb. 28, the schools explained what they did once they learned of the breach incident. They also offered employees complimentary credit-monitoring and identity-theft protection services through IDX, a data-breach and recovery-services firm. The services include 12 months of credit and dark web monitoring as well as a $1 million insurance reimbursement policy.
The hack is the latest in a string of cyber breaches that leaked the personal information of retirement savers at other institutions. On Feb. 20, Inspira Financial Trust — a provider of health, wealth and retirement services — notified more than 2,300 customers that their personal data was improperly accessed by a third-party call center representative. That followed a cyber breach at retirement plan administrator The Pension Specialists, an incident that affected more than 71,000 retirement savers.