Cyber attack on Carruth Compliance Consulting impacted workers at dozens of public schools

Retirement services provider Carruth Compliance Consulting said it suffered a data security incident that compromised the sensitive personal information of thousands of individuals.

 

Headquartered in Tigard, Oregon, Carruth Compliance Consulting provides administrative services to public school districts and non-profit organisations for retirement savings plans. 

 

In a data security incident notice, Carruth said that in December, it discovered suspicious activity in its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“An investigation revealed that unauthorised access to Carruth’s network occurred in late December 2024, resulting in the compromise of sensitive employee data for Carruth’s clients, including Seattle Public Schools.

 

“This data breach potentially impacts all employees who have been employed by SPS between 2008 and today. To be on the safe side, we are assuming that all SPS employees between 2008 and now have been impacted by this breach,” the company said.

 

The compromised data includes employees’ names, Social Security numbers, financial account information, driver’s license numbers, W-2 information, medical billing information and tax filings.

 

Several school districts across the U.S. have reported being affected by the data security incident suffered by Carruth. More than 36 public schools have filed data security incident notices with the Maine Attorney general’s Office confirming that more than 100,000 individuals being affected. 

 

The list of affected schools include Oregon City School District, Greater Albany Public School District in Illinois, Linn Benton Community College in Pennsylvania, Lincoln County School District and Southern Oregon Educational Services District in California.

 

Carruth has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

Recently, a relatively new hacking group going by the name Skira claimed responsibility for the cyber attack on Carruth and listed it as a victim on its data leak site. The group claims that it stole 469 GB of data from Carruth’s systems, but It is unclear whether it has demanded a ransom from the retirement services provider as yet.