Riverhead Central School District's administrative office on Osborn Avenue. File photo: Denise Civiletti

(Updated: March 29, 11:45 a.m.) A data breach response firm hired by the Riverhead school district following a cyber attack incident in early December has begun contacting as many as 19,500 individuals to offer identity protection services.

Letters received by a former district employee and several former and current students were obtained by RiverheadLOCAL.

The letter advises recipients that their personal information, including their name, address and Social Security number, was “potentially exposed” in a “ransomware incident” experienced by the school district “on or about Dec. 3, 2021.”

The letter sent to parents and guardians of students, both current and former, said an unauthorized person accessed the district’s “environment,” resulting in the “potential access” of approximately 422 files/folders. “The elements of your child’s personal information that were potentially disclosed may have included your child’s: name, parent or other family member names, addresses and date of birth.” The district told parents and guardians that there is no evidence that their child’s information has been “misused as a result of this incident.”

The letters, signed by School Superintendent Augustine Tornatore, were sent by Identity Theft Guard Solutions (IDX), the firm hired by the district late last month to provide identity protection services to potential victims in the data breach.

The letter offers complimentary identity protection services to people whose Social Security numbers might have been exposed in the breach.

“Out of an abundance of caution, we have arranged for you to enroll in a complimentary, identity theft protection services through IDX, the data breach and recovery Serices experts,” the letter to adults states. “IDX identity protection services include twelve (12) months of credit and CyberScan monitoring, a $1 million reimbursement insurance policy and fully managed identity theft recovery.”

The letter directs the recipient to enroll in the complimentary monitoring service at an IDX website or by calling a toll-free hotline.

The letter to parents and guardians does not offer identity protection services. It tells parents/guardians the district is not aware of anyone experiencing fraud as a result of the incident and encourages them to “remain vigilant, review your child’s accounts, and immediately report any suspicious activity or suspected misuse of your child’s personal information.” The letter to parents and guardians includes a page of “important additional information” about things they can do “to safeguard their child’s personal information, such as fraud alerts and security freezes.”

The IDX website, where affected individuals can enroll in the identity protection program states “no social security numbers or financial account information of any current or former students were impacted as a result of this incident.”

“We are working with cybersecurity counsel to determine the actions to take in response to the incident,” the letter continues. “Together, we continue to investigate and closely monitor the situation. Additionally, we notified the Department of Homeland Security and the Federal Bureau of Investigation’s cybersecurity unit, 1C3, of this incident. Further, we are taking steps to strengthen our security posture to prevent a similar event from occurring again in the future.”

Under a proposal from IDX signed by the superintendent Feb. 28 and approved by the board of education March 8, IDX will provide single credit bureau monitoring for adults, “CyberScan” dark web monitoring, $1 million reimbursement insurance and fully managed identity recovery, for one at the rate of $10.99 per enrolled adult and $7.99 per enrolled minor (without the credit bureau monitoring.) IDX will also prepare and mail via USPS first class mail a notification letter to approximately 19,500 people for a cost of $20,959.50.

The scope of potentially affected individuals is not known. One of the recipients of the district’s letter who contacted RiverheadLOCAL graduated from Riverhead High School more than 15 years ago. Another recipient is the parent of a student currently enrolled at the high school. Others in touch with this website graduated several years ago. Another person is a former employee who retired from the district several years ago.

District officials could not be reached for comment this evening.

The IDX proposal, dated Feb. 22, identifies the Riverhead Central School District as a client of Wilson Elser. Wilson Elser is a national law firm with expertise in cybersecurity and incident response following a cyber breach, according to its website.

The board of education on Dec. 14 unanimously approved an engagement agreement with an unnamed “Incident Response Counsel And Forensic Investigator for services related to the district’s cyber incident effective December 6, 2021.”

On Jan. 11, the board unanimously approved “an engagement agreement for consulting services related to the district’s cyber incident effective December 6, 2021.”

The district did not attach either agreement with the meeting agendas.

Citing the ongoing investigation, the district has not provided much information about the Dec. 3 incident, which shut down the district’s computer and technology infrastructure.

While the superintendent’s office confirmed to RiverheadLOCAL that the outage was caused by a ransomware attack, as was stated in a robocall to staff that Friday morning, the district’s public relations firm said in an email on Monday, Dec. 6 that the district could not “confirm or deny that it was a ransomware attack.”

Tornatore said in an interview Dec. 13 the group that executed the attack was believed to be foreign but the people who paid for the attack are believed to be domestic and “knew Riverhead.”

“It was a very different entry point into our system than other districts may have experienced. So this means that somebody paid this group…to specifically do this to Riverhead,” Tornatore said, adding that the current belief is that the attack compromised the district through an email. He declined to specify further because of the ongoing investigation into the incident.

Tornatore said during that interview that the documents compromised in the attack were separate from the district’s cloud-based student management system or staff payroll system, which are outsourced to vendors like Google, and which contain sensitive data like social security numbers. The district believes those services were not compromised, Tornatore said. However, he said, the district was not sure that any personal information wasn’t stored in those compromised documents.

Editor’s note: This article has been updated twice to clarify the differences between letters received by adults and letters received by parents/guardians of minors.

The survival of local journalism depends on your support.
We are a small family-owned operation. You rely on us to stay informed, and we depend on you to make our work possible. Just a few dollars can help us continue to bring this important service to our community.
Support RiverheadLOCAL today.

Avatar photo
Denise is a veteran local reporter, editor, attorney and former Riverhead Town councilwoman. Her work has been recognized with numerous awards, including investigative reporting and writer of the year awards from the N.Y. Press Association. She is a founder, owner and co-publisher of this website.Email Denise.