Sacramento-Area School District Waited Months to Disclose Data Breach

Experts say schools and their vendors are increasingly being targeted by professional criminals overseas who seek money through ransomware attacks or by stealing personal data that can be sold on the dark web to be used for identity theft.

Staff members of Natomas Unified School District were notified July 15 that the network shutdown they had been dealing with for several weeks was due to a potential hacker. Usernames and passwords may have been accessed, Deputy Superintendent William Young wrote in the email to the district’s 1,400 staff members.

Students and parents, however, were not provided with the same information. A few days later, families of the district’s 14,500 students were told via a parent portal that they would temporarily lose access to their school accounts due to annual maintenance by the IT department. The message did not mention the suspicious activity on the district’s network.

In late June 2024, the Natomas Unified School District IT department shut down the district’s network system, WiFi network, VPN services and phone lines after identifying suspicious activity on the network. The system remained down for weeks into the summer as IT staff and a third-party forensic service investigated the issue.

In California, any data breach affecting more than 500 residents must be disclosed to those affected and reported to the state attorney general. The law does not specify a time frame in which this disclosure should occur.

It wasn’t until nearly six months after the shutdown that the state Department of Justice and families were officially notified of the data breach. The district and its cybersecurity firm’s investigation concluded Nov. 15, 2024, and the state Department of Justice and students were notified of the breach on Dec. 13, following a Nov. 13 inquiry by the Sacramento Bee.

The notice said that login credentials were made vulnerable, but that they had “no evidence this data was accessed or taken.” The third-party forensic specialist was unable to confirm whether Natomas Unified user names and passwords were accessed by a hacker, but the district said it could not rule this out with certainty.

Natomas Unified spokesperson Deidra Powell said that administrators focused on staff accounts initially because students were out of school for the summer.

“We focused on staff at that time, developing a plan to update all student passwords,” Powell said. “Once it was safe to reactivate those accounts, we did require them to update to stronger passwords.”

Powell said that the Thanksgiving holiday delayed the official disclosure.

Natomas Unified has not shared any information about the nature of the attack or how it was determined that no information was stolen. Powell said that multifactor authentication for staff accounts was already in use and that a plan was in place to transition to MFA for student accounts.

The district denied a California Public Records Act request filed by the Sacramento Bee on Nov. 13, 2024, seeking communications among district staff and board members, Governor’s Office of Emergency Services reports surrounding the breach, and contracts with third-party cybersecurity firms. Attorneys on behalf of the Bee sent a letter Monday demanding that Natomas Unified disclose records responsive to the November request.

Natomas Unified is one of many school districts across the country to be subjected to a data breach. Just weeks before, El Dorado Union High School District suffered a worse breach in which students’ and staff’s Social Security numbers were compromised alongside other personal information.

Earlier this month, the Sacramento Bee reported that a Folsom-based education technology company suffered a cybersecurity incident that could have exposed the personal information of millions of students and teachers nationwide. Folsom Cordova Unified School District is one such district whose students’ and teachers’ data was exposed in the breach. Staff and families were notified of the breach within a few weeks of the district becoming aware of the incident.

Doug Levin, co-founder and director of education cybersecurity nonprofit K12 Security Information eXchange, said that as K-12 schools have become more reliant on technology for the majority of their operations, schools and their vendors are increasingly being targeted by professional criminals overseas who seek money through ransomware attacks or by stealing personal data that can be sold on the dark web to be used for identity theft.

Despite California’s law surrounding reporting data breaches, Levin said that trying to piece together the scope of cybersecurity incidents can be difficult from these reports because they are like “an iceberg sitting in the water — we’re describing what we can see above the waterline.”

“Evidence of something not happening is not the same thing as (there being) no evidence,” he said.

Administrator and staff accounts typically need more protections because they can typically access more sensitive information, Levin said, but it is important that students be informed of cybersecurity incidents even if the organization isn’t sure any info was taken.

“If mine or my student’s information was compromised and the school system withheld it from me, I’d be livid,” he said. “Time is of the essence in terms of informing potential victims. And the longer it goes between when the data was breached and when victims were informed, that’s the amount of time that threat actors can take advantage of people.”

Levin noted that young people especially use the same or similar passwords for their school accounts, personal email, social media apps and banking information, and that threat actors may exploit these accounts to find something valuable.

“I do think it is beholden on school systems to be really consistent with their mission to protect the members of the school community and let them know if there’s a reason to believe that their information may have been accessed,” he said. “If I was a member of this community, I would certainly want to know what happened, but most importantly, what steps they’re going to take to make sure that something like that doesn’t happen again.”

©2025 The Sacramento Bee. Distributed by Tribune Content Agency LLC.