School District Sold Old Computers, but Did It Erase Sensitive Data?

A computer company owner says an auction house sold him San Benito school district computers containing employees’ and students’ personal data.

David Avila, co-owner of Brownsville-based RDA Technologies, said his company bought about 700 district computers during a July 23 South Texas Auction Co. auction before discovering that at least 11 computers’ hard drives contained district data including employees’ and students’ names, phone numbers, addresses, students’ grades and some bank account information.

Avila said auction information indicates the auction house sold more computers to other buyers. South Texas Auctions has declined to disclose whether other buyers purchased district computers.

The law requires computers be purged of “sensitive information” before they’re sold, Avila said.

On Oct. 19, his company notified district officials that it had found personal information on some computers’ hard drives, Avila said, adding the law requires any victims of breached confidential information be notified within 60 days.

On Dec. 7, the district posted on its website a statement regarding its “inadvertent sale of San Benito CISD computer devices to an electronics recycler, which may have contained historical data of the district.”

“Based upon the representations made by RDA Technologies regarding the information alleged to be contained on the devices purchased by the company, no Social Security numbers or other sensitive personal information was included,” the district stated.

However, Avila said his company has discovered what he called “sensitive information” in 11 computers, one of which was destroyed while 10 have been placed in “quarantine.”

Avila said the company has not inspected 503 other district computers purchased through the auction house.

On Oct. 28, Todd English, the district’s technology director currently on paid administrative leave, reviewed the computers at the company’s offices, Avila said.

Last week, the Valley Morning Star inspected a computer, which Avila selected, and found a teacher’s bank account number; a teacher’s partial bank account number; a teachers list including names, user names and emails; students’ names, identification numbers and grades; a list of failing students including names; a migrant students’ list including names, student identification numbers and grade levels; and IP and MAC numbers to district copiers and printers.

Meanwhile, Avila said district officials have offered $138,619 to buy the computers he purchased for about $29,000, an assertion district officials denied in a statement. Avila said he declined the offer.

Avila said he also declined the district’s offer to sign a nondisclosure agreement in exchange for $27,525, and he has filed a report with the Texas Attorney General’s Office, stating he purchased school district computers containing some sensitive information.

District officials posted the Dec. 7 statement to their website “to inform faculty, staff and current and former students of a potential data security incident that involved the inadvertent sale of San Benito CISD computer devices to an electronics recycler, which may have contained historical data of the district.”

“We recently learned that a local electronics recycler, RDA Technologies, purchased devices from the district that may have unintentionally contained data collected in the normal course of our operations,” the district stated. District officials stated they had not received evidence that the computers contain confidential information.

The district said it had reported this matter, as well as the actions of RDA, to the Consumer Protection Division of the Texas Attorney General’s Office. To help prevent something like this from happening again, the district is reviewing its procedures relating to device disposal and will reinforce education of its staff on these procedures.

Meanwhile, authorities are investigating the cyber extortion hacking group Karakurt’s breach of the district’s technology system, Cameron County District Attorney Luis Saenz has said, adding that he was trying to determine whether former employees and students were also victims.

It was reported last week that the district on Dec. 30 mailed 21,653 letters to individuals, including 12,080 minors whom it identified as affected by the breach discovered around Nov. 1.

(c)2023 Valley Morning Star (Harlingen). Distributed by Tribune Content Agency, LLC.