Norman Public Schools: Information 'may have been viewed or taken'

Nov. 24—Nearly three weeks after Norman Public Schools suffered a debilitating cyber attack, the district is reporting that an unauthorized "actor" gained access to certain systems and that information contained on those systems "may have been viewed or taken."

"To date, we have received no indication of any identity theft or fraud as a result of this event," NPS told families in an email sent Wednesday.

The district, meanwhile, is offering identity theft protection services to all "potentially impacted individuals."

For the 2022-2023 school year, the district collected names and Social Security numbers for enrollment purposes, the district reported. If provided, the Social Security of students "were also potentially impacted."

NPS is investigating to determine if other student information was potentially impacted, the email stated.

The district also collects names, addresses, Social Security numbers and financial account numbers from staff for payroll purposes, according to the district.

"This information, which NPS collected from current and former NPS employees — including substitute teachers and summer staff — was potentially impacted," the district reported.

The district will offer identity theft protection services to all who may be affected beginning next week.

The services will be provided for 12 months through IDX, a data breach and recovery services expert, and will include credit and CyberScan monitoring, a $1 million insurance reimbursement policy and fully managed theft recovery services, NPS reported.

The district first reported a "malicious ransomware attack" Nov. 4 and warned families to discontinue using district-issued laptop computers and other devices.

Ransomware is a type of malicious software that threatens to publish or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker.

The attack disabled a majority of district operating systems, including Infinite Campus, Canvas and Seesaw, for about eight days.

NPS was assisted by third-party data forensics and incident response specialists to restore service. The district told families the attack was limited to PC devices, and Apple products "were not affected."

It still is unclear if the district paid a ransom fee. A spokesman confirmed that the district was working with law enforcement, including the FBI, to identify and apprehend the attacker.

"As part of our ongoing commitment to the security of information in our in our care, NPS is reviewing existing policies and procedures and implementing additional safeguards," the district told families this week.