Over 50 U.S. schools impacted in retirement service provider breach

About 50 school districts across the United States have reported data breaches that resulted from hackers breaching the network of retirement service provider Carruth Compliance Consulting.

 

Earlier this month, Carruth Compliance Consulting, which provides third-party administrative services to public school districts and non-profit organizations for their 403(b) and 457(b) retirement savings plans, said that in December, it discovered a major cyber security incident that involved malicious actors accessing its internal systems.

 

“The investigation determined that certain systems on our network were accessed without authorisation between December 19, 2024 and December 26, 2024, and during that time, certain files were copied from our systems. 

 

“CCC then conducted a review to determine what data was potentially copied without authorisation. On January 13, 2025, CCC provided notice of this event,” the company said.

 

The compromised data included employees’ names, Social Security numbers, financial account information, driver’s license numbers, W-2 information, medical billing information and tax filings.

 

Recently, several school districts and educational institutions reported being affected by the data security incident suffered by Carruth. In total, almost 50 public schools have filed data security incident notices with the Maine Attorney general’s Office confirming that more than 150,000 individuals were affected. 

 

The list of affected schools include Seattle Public Schools, North Clackamas School District, Silver Falls School District, Northwest Regional Education Service District, Reynolds School District, Gresham-Barlow School District and more.

 

Carruth has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

The retirement services provider has also offered complimentary identity protection and credit monitoring services through IDX to all affected individuals.

 

Recently, a relatively new hacking group going by the name "Skira" claimed responsibility for the cyber attack on Carruth and listed it as a victim on its data leak site. The group claims that it stole 469 GB of data from Carruth’s systems, but It is unclear whether it has demanded a ransom from the retirement services provider as yet.