Latest news with #KeptintheDark
Yahoo
10-03-2025
- Business
- Yahoo
Kept in the Dark: Inside the Somerset, Mass., School Cyberattack
Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here's what we uncovered about a massive attack on the school district in Somerset, Massachusetts. When a ransom note landed in the inboxes of high school leaders in Somerset, Massachusetts, the district hired consultants to negotiate — unsuccessfully — with the hackers. The district wound up paying a ransom to resolve the July 2020 cyberattack, according to documents obtained by The 74 through public records requests. In the eyes of the cybersecurity company brought in to consult, the school system got a good deal. Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter The hacker, who used an encrypted email service and the name Kristina D Holm, threatened to leak 50 gigabytes of data if Somerset school officials didn't hand over 60 bitcoin which, at the time, was worth about $660,000. 'If we don't reach an agreement we will start leaking your private data,' the hacker wrote, noting that for bitcoin they would also offer 'a list of security measures' to prevent future breaches. The note also provided documents to prove the writer had infiltrated district servers. Emails reveal that Coveware, a cybersecurity company that specializes in negotiating with hackers, got the ransom down to $200,000 after the firm made a $170,000 counteroffer. An invoice obtained by The 74 describes the ransom payment as being for 'technical consultant services and remediation.' 'Typically in situations where they drop very significantly and within range of our budget, we would recommend accepting the offer as we have seen these groups take offers away if they think we are nickel and diming them on the price,' Coveware incident response director Garron Negron wrote in a July 30 email ahead of the payment. The district didn't respond to requests for comment for this story. Records show that Beazley, the school district's cybersecurity insurance provider, approved the ransom payment and was a key player in selecting third-party vendors like Coveware for Somerset Berkeley's incident response. Six days after the attack, school officials contacted lawyers with the firm BakerHostetler to assess the cyberattack's impact and its data breach reporting obligations, but it wasn't until November — four months later —that the firm told them a 'programmatic review of the files' had been completed. 'Baker reviewed a sample of documents for each of the largest hit counts and helped narrow the scope for manual review,' staff attorney Damon Durbin wrote, adding that the preliminary review uncovered at least two Social Security numbers. Once the district approved a statement of work, Durbin wrote, consultants would 'conduct the review and produce a notification list that Baker will review with the District in order to determine notification obligations.' The school district reported the hack to local and federal law enforcement, records show, but not until after lawyers were on the scene. William Tedford, then the Somerset Police Department's technology director, requested in a July 31 email that the district furnish the threat actor's bitcoin address 'as soon as possible,' so he could share it with a Secret Service agent who 'offered to track the payment with the hopes of identifying the suspect(s).' 'There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,' Tedford wrote, adding that officials with the state police cybersecurity program had also offered to help. 'All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved,' said Tedford, who was promoted to department chief in August 2024. While law enforcement seemed willing to follow the school district's lead, the incident did open Somerset Berkeley to police scrutiny. In early August, Tedford pressed school officials about sexual misconduct allegations that the threat actor claimed to have stumbled upon and attempted to use as leverage during ransom negotiations. The hacker wrote: 'I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools. This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.' Tedford asked if the accusation was legitimate and if the police had been notified. 'I need to cover these bases now that we have been made aware of this claim,' Tedford wrote in an Aug. 3 email. 'It's clear the attorneys don't want law enforcement involved, and that's fine, but this is a different issue.' In an emailed response, district Superintendent Jeffrey Schoonover said the police department is 'well aware of that situation,' which was related to an incident during an out-of-town show choir event. 'After a thorough investigation, no charges were filed,' Shoonover wrote, adding in a later email that an officer 'interviewed dozens of kids' in response to 'this entire unfortunate event.' In August 2020, the district was working on its talking points to the public and it's clear the consultants weren't far away. The 74 obtained a draft FAQ in which school officials were crafting their answer to the question: Why was the community not advised when this cyberattack first happened? They answered that they would 'have preferred to notify the public earlier' but couldn't 'to ensure the privacy of student records,' that they were unsure what, if any, records may have been compromised and that they were encouraged to 'wait to release any information until the investigation' was further along. In red italics next to the text are the words: Pending revisions from consultants. Somerset Berkley was 'unable to provide any further information' about whether the district paid a ransom, the document also notes. The public wasn't notified of the July attack until September, when Schoonover wrote in a letter that data breach victims would be contacted once its investigation was finalized — but he didn't divulge the $200,000 ransom payment. The district submitted a breach notice to Massachusetts regulators in December 2020 — five months after the incident — and disclosed that 85 commonwealth residents had their information exposed. Stolen records include Social Security, driver's license and credit card numbers.
Yahoo
03-03-2025
- Yahoo
Kept in the Dark: Inside the Providence Schools Ransomware Attack
Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here's what we uncovered about a massive ransomware attack on the Providence, Rhode Island school district. After the Providence, Rhode Island, school district fell victim to a September 2024 cyberattack by the Medusa ransomware gang, school officials said an ongoing investigation found 'no evidence that any personal information for students has been impacted.' Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter An investigation by The 74, including a review of stolen files captured in the 217-gigabyte leak, indicates otherwise. Sexual misconduct allegations involving both students and teachers, children's special education records and their vaccine histories were posted online after Providence Public Schools did not pay the cybercriminals' $1 million ransom demand. The district's failure to acknowledge that students' records had been exposed — even after being informed otherwise by The 74 — means that parents and students were likely unaware that their private affairs had entered the public domain. In October 2024, Providence schools notified 12,000 current and former employees that their personal information, such as their names, addresses and Social Security numbers, had been compromised. But the letter never makes mention of students' sensitive records. In response to The 74's findings in mid-October 2024, a district spokesperson didn't acknowledge that students' sensitive information was compromised. He said the district 'has been able to confirm that some [of its] files' were accessed by an 'unauthorized, third party,' and that 'security consultants are going through a comprehensive review' to determine whether the leaked files contain personal information 'for individuals beyond current and former staff members.' Meanwhile, in an unsolicited phone call to The 74, a state education department spokesperson appeared to contradict that, saying 'no one had actually gone in to see the files.' Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had 'significant difficulty sustaining attention to task' and who 'wandered around the classroom setting without purpose.' Another special education plan notes a 3-year-old boy 'randomly roamed the room humming the tune to 'Wheels on the Bus,' pushed chairs and threw objects.' A single spreadsheet lists the names of some 20,000 students and their demographic information, including disability status, home addresses, contact information and parents' names. Another contains information about their race and the languages spoken at home. A 'termination list' included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who 'retired in lieu' of being fired and a middle school English teacher who 'resigned per agreement.' Another set of documents reveals a fifth-grade teacher's request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her 'less effective as an educator if I am not supported with the accommodations because I can not sleep at night.' In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they 'have a safe at work as well as one at home.' Following an investigation published by The 74 and The Boston Globe in October, the district sent a letter to families acknowledging that students' personal information, such as vaccine records and special education details, were exposed in the attack. In response to an inquiry from The 74, a district spokesperson said in a November statement that educators remain 'committed to transparency and the security of personal information.' 'During these types of incidents, districts typically start with limited information on what occurred and then gain more information over the course of the investigation,' the statement continues. 'As we navigated the initial uncertainty of the situation, PPSD prioritized taking real-time action and communicating with all stakeholders as we gathered more information.'
Yahoo
24-02-2025
- Yahoo
Kept in the Dark: Inside the St. Landry Parish Schools Ransomware Attack
Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here's what we uncovered about a massive attack on the school district in St. Landry Parish, Louisiana. The school district in Louisiana's St. Landry Parish waited five months to notify people that their Social Security numbers and other sensitive information were made public after it fell victim to a July 2023 ransomware attack — long after state law mandates and only after a newspaper investigation prompted an inquiry from the Louisiana attorney general's office. A December 2023 investigation by The 74 and The Acadiana Advocate contradicted school district assertions that no sensitive information about students, employees or business owners had been exposed online after the attack. Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Stolen files, the investigation found, include thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records, including home addresses and special education status. Four months after the attack, more than a dozen breach victims told reporters they were unaware their information was readily available online. 'They want to brush everything under the rug,' said Heather Vidrine, a former St. Landry teacher whose information was exposed in the breach. 'The districts don't want bad publicity.' Threat actors with the Medusa ransomware gang claimed a cyberattack on the St. Landry school system in July 2023, and the district reported it to the local press and police within days. Cybercriminals published reams of stolen files after the district did not pay its $1 million ransom demand, yet district leaders denied the breach affected sensitive records even after reporters presented them with extensive evidence to the contrary. After notifying state police about the attack, district officials were never told about the nature of the data that was stolen or if anything was stolen at all, Tricia Fontenot, the district's supervisor of instructional technology, said. In the face of cyberattacks, districts routinely hire cybersecurity consultants and attorneys to review the extent to which any sensitive information was exposed and to comply with state data breach notification laws. 'We never received reports of the actual information that was obtained,' she said in November 2023. 'All of that is under investigation. We have not received anything in regards to that investigation.' Just hours after the newspaper investigation revealed the data breach, a consumer protection lawyer with the state attorney general's office was on the phone with the district, questioning them 'directly in response to the article' and informing them of their data breach notification obligations under state law, emails obtained by The Advocate reveal. Under Louisiana's breach notification law, schools and other entities are required to notify affected individuals 'without unreasonable delay,' and no later than 60 days after a breach is discovered. Entities that fail to alert the state attorney general's office within 10 days of notifying affected individuals can face fines up to $4,000 for each day past the 60-day mark. School board attorney Courtney Joiner responded a day later to the attorney general's office, saying they were working 'to address the notice issue without further delay.' In a Dec. 21, 2023, letter, Superintendent Milton Batiste III acknowledged to an undisclosed number of victims that their 'sensitive information may have been obtained by an unknown malicious third-party,' records show. Officials didn't send a formal notice to the AG's office until Jan. 10, 2024. Math teacher Donna Sarver was among the district educators who received the data breach notification. She blasted school leaders for sending the letter 'well after the fact' she and her colleagues had been victimized. 'I really thought it was too little, too late,' she told reporters. 'This should have happened much earlier.' School officials couldn't be reached for comment for this story. This story was supported by a grant from the Fund for Investigative Journalism.
Yahoo
17-02-2025
- Yahoo
Kept in the Dark: Inside the Minneapolis Schools Cyberattack
Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here's what we uncovered about a massive attack on Minneapolis Public Schools. Four days after an attack by a notorious ransomware gang disrupted the Minneapolis, Minnesota, school district's computer network, accessing reams of students' and educators' sensitive information, officials contacted the FBI and laid out what happened. Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter The district 'immediately initiated an investigation' after its Feb. 17, 2023, discovery that school system files had been encrypted by ransomware, officials told the federal law enforcement agency. A day later, Minneapolis schools hired a third-party forensics investigation firm to negotiate the hacker's demand for $4.5 million in bitcoin. Yet when school officials notified students and parents, they vaguely described what happened as an 'encryption event' and offered a drastically different story than the one in their Feb. 21 report to the FBI. According to records obtained by The 74 through public records requests, the district told families in a Feb. 24 email that its investigation 'has found no evidence that personal information was compromised.' The statement was sent after cybersecurity experts advised district communications staff that 'sharing the least amount of information' as possible was 'in the best interest' of district security. Threat actors with the ransomware gang Medusa — known for encrypting and stealing sensitive records from cyberattack victims and then threatening to publish them in what's known as a 'double-extortion' scheme — took credit for the attack. Medusa ultimately published a trove of sensitive school district files online. The leaked documents detail campus sexual misconduct cases, child abuse inquiries, student mental health crises and suspension reports. Minneapolis school leaders didn't acknowledge for nearly two weeks after the attack that sensitive records may have been compromised — and waited months to notify breach victims directly by letter. The district didn't respond to requests for comment. As Minneapolis recovered from the attack, records show, it turned first to its insurance provider and cybersecurity lawyers, who were paid as much as $370 an hour to negotiate with the hackers, investigate the breach and keep information about the incident outside of public view. An insurance company, which held a $1 million liability policy on the district with a $100,000 deductible, was the first point of contact in the event of a cyberattack, according to a school system incident response plan obtained by The 74. The cyber insurance provider will 'facilitate breach counsel and forensic investigation teams,' the plan notes, and deploy 'experienced negotiators' to communicate directly with the hackers. The policy also states it would cover the district's liability for bad press, fines and 'regulatory proceedings' related to a cyberattack. 'The insurer will typically have an approved panel vendor list for breach counsel, computer forensics and incident response teams,' the plan notes. Attorneys with the leading cybersecurity and data privacy law firm Mullen Coughlin were hired to carry out a 'privileged investigation,' according to its report to the FBI, with the firm relaying that information about the attack should not be released publicly. 'Per [Minneapolis Public Schools'] request, all questions, communications and requests in connection with this notification should be directed to Mullen Coughlin,' according to the notification to the FBI, which was signed by an associate attorney with the third-party law firm. Mullen Coughlin didn't respond to The 74's request for comment. Forensic investigation work was conducted by the cybersecurity incident response company Tracepoint, a subsidiary of the government and military contractor Booz Allen Hamilton, which Bloomberg News has dubbed 'the world's most profitable spy organization.' The researchers prepared 'a report detailing the forensic analysis process and analysis' at Mullen Coughlin's direction, records show. On March 14, 2023, the researchers held a meeting with district administrators where they went 'through the list of what TA [the threat actor] might've accessed,' and answered questions. The data leak had a direct, detrimental impact on breach victims, records show. In an email to the district in March, one educator reported that someone withdrew more than $26,000 from their bank account. Another person got a direct Twitter message from the 'Medusa contact team,' urging the person to respond to the threat actors immediately or else 'we will ensure your popularity.' In March, Medusa ransomware actors posted the district's stolen files online after the school system did not pay what the cybercriminals said on a leak site was a $1 million ransom — a markedly lower figure than the $4.5 million the district reported to the FBI. The breached files, according to an analysis by The 74, include confidential and highly sensitive records about individual students and teachers. It wasn't until September 2023 — seven months after the attack — that 105,617 people were notified the 'hacking' incident exposed their sensitive information, according to a data breach notice sent to the Maine attorney general's office. The notice states that the process to identify that information had been completed in July — a month and a half before officials notified victims.'Although it has been difficult to not share more information with you sooner,' the letter to victims notes, 'the accuracy and the integrity of the review were essential.' As of Dec. 1, 2024, all schools in Minnesota are now required to report cyberattacks to the state but that information will be anonymous and not shared with the public.
Yahoo
11-02-2025
- Yahoo
Kept in the Dark: Inside a Trio of Los Angeles School Cyberattacks
Kept in the Dark is an in-depth investigation into more than 300 K-12 school cyberattacks over the last five years, revealing the forces that leave students, families and district staff unaware that their sensitive data was exposed. Use the search feature below to learn how cybercrimes — and subsequent data breaches — have played out in your own community. Here's what we uncovered about America's second-largest school district. The Los Angeles Unified School District was ensnared by three high-profile cyberattacks in the last few years, each of which exposed reams of sensitive information online. Three subsequent class-action lawsuits from parents accused the nation's second-largest district of taking inadequate steps to protect their children's personal records — and failing to tell them that sensitive information had been leaked. The district has since taken multiple actions to shield details about the incidents from public view. Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter Get stories like this delivered straight to your inbox. Sign up for The 74 Newsletter The trio of events encompass a September 2022 ransomware attack that exposed students' highly sensitive psychological evaluations among other records; a January 2022 cyberattack on education technology company Illuminate Education, which compromised sensitive information in Los Angeles and districts nationwide; and a massive June 2024 cyberattack on the cloud computing company Snowflake, a third-party vendor used by the district to store certain records. Threat actors with the Vice Society cybergang took credit for the September 2022 ransomware attack on L.A. schools, posting the records to its dark web leak site after education officials did not pay its extortion demand. In the aftermath of the attack, Superintendent Alberto Carvalho sought to downplay its effect on students. An anonymous law enforcement source told the local press that students' psychological evaluations were included in the leak, a revelation Carvalho refuted as 'absolutely incorrect.' 'We have seen no evidence that psychiatric evaluation information or health records, based on what we've seen thus far, has been made available publicly,' said Carvalho, who acknowledged the hackers had 'touched' the district's massive student information system but said the 'vast majority' of exposed student records involved their names, academic records and home addresses. An investigation by The 74 into the leak uncovered that the breach had, in fact, exposed student psychological evaluations, which contain a startling degree of personally identifiable information about students receiving special education services, including their detailed medical histories, academic performance and disciplinary records. Just hours after our story published, the district acknowledged in a statement that 'approximately 2,000' student psychological evaluations — including those of 60 current students — had been uploaded to the dark web. In a statement to The 74, a district spokesperson said its cybersecurity response protocol 'follows a clear, structured process that prioritizes swift internal assessment and adherence to all applicable state and federal data privacy regulations.' The process, the district said, is 'designed with transparency, compliance and community trust in mind.' Due to the sensitive nature of the information, students may have to 'deal with this breach for the rest of their lives,' attorney Ryan Clarkson told The 74. Clarkson represents students and parents in a class-action lawsuit alleging LAUSD failed to act on known cybersecurity vulnerabilities and provided families insufficient notice that students' personal records had been compromised. 'It's hard to bury it, it's hard to get away from it, it's kind of part of who we are,' Clarkson said in an interview. 'Your psychology as a child is always going to be your psychology as a child.' While the parents of special education students had been left in the dark about the breach, so too were members of the district's special education committee. Carvalho acknowledged at a September 2022 special education committee meeting that L.A. Unified was a 'district under siege' and sought to 'dispel rumors' about the incident, including one that multiple attacks had occurred. He didn't make any statements regarding the impact on sensitive special education records. Carl Petersen, who served on the committee at the time, told The 74 that Carvalho left the committee members without information about the attack's ramifications on children with disabilities. 'At that point it was, 'Oh, this was a very minor thing. We caught them in the system immediately and we shut it down,' said Petersen, who described Carvalho's comments as part of a larger district effort to obfuscate. In January 2023 — four months after the attack — L.A. school officials acknowledged in a submission to the California attorney general's office that sensitive records had been exposed but only listed Social Security numbers included in payroll records and third-party contractor files swept up in the breach. It wasn't until March 2023 that they disclosed to state regulators the leak had also compromised sensitive student records. The letter submitted to the California AG's office doesn't make clear the types of student records that were affected but urges individuals to 'keep a copy of this notice for your records in case of future issues with your child's medical records.' The 74 submitted a public records request for information related to the ransomware attack, including complaints submitted to a hotline LAUSD created in its wake, insurance claims, Carvalho's communications with the FBI and the types of student records that were subject to disclosure. The district denied the requests, stating it could not locate any 'non-privileged responsive records,' meaning that they didn't have to provide any of the records that were responsive because they were legally protected from disclosure. A week after it was discovered, the school board voted unanimously to grant Carvalho emergency spending powers to recover from the 2022 Labor Day weekend attack, allowing the schools chief a year to 'enter into any and all contracts' to address the incident 'without advertising or inviting bids and for any dollar amount necessary.' In August 2023, nearly a year after the attack, Carvalho made a high-profile appearance at the White House, where then-First Lady Jill Biden warned about the growing threat of cyberattacks on students and a need to do more to protect their sensitive data. 'If we want to safeguard our children's futures, we must protect their personal data,' she said at the first-ever K-12 cybersecurity summit. 'Every student deserves the opportunity to see a school counselor when they're struggling and not worry that these conversations will be shared with the world.' Carvalho said quick reaction time by the Los Angeles district and federal law enforcement officials set into motion a response plan that mitigated the attack, limited the number of files breached and avoided class cancellations. His remarks in the East Room didn't touch on the leak of students' mental health records but said the number of stolen files 'could have been much worse' had officials not acted quickly to prevent the cybercriminals from encrypting additional district systems. One action they had no intention of doing, he said, was paying the undisclosed ransom demand because 'we don't negotiate with terrorists.' Los Angeles parent Ariel Harman-Holmes, whose three children are in special education, said she's worried that fallout from the data breach could divert money from the services her children with disabilities need. 'I would rather have those funds go back into the schools and special education rather than spending a ton on litigation or settlements about privacy issues,' said Harman-Holmes, while acknowledging it 'would be very disturbing' if her own child's psychological evaluations were leaked online. As L.A. Unified's response to the attack was being lauded by federal officials at the White House summit, its lawyers were in court with parents who alleged the district's mitigation efforts weren't just inadequate — they violated the law. Three separate lawsuits filed in Los Angeles County Superior Court charge the district had insufficient safeguards in place to secure students' sensitive records and failed to provide enough notice to victims once that information was stolen. An inspector general's office audit two years before the ransomware attack highlighted cybersecurity vulnerabilities yet, the complaints allege, LAUSD failed to take the necessary steps to prevent the attack. Parents also charge the district failed to comply with state data breach notice requirements after it learned that students' psychological records and other files were published online. The most recent complaint was filed in September 2024 against the district and the company InfoSys, which built and manages the My Integrated Student Information System — the district's primary student data portal. The district 'has stated under oath in discovery responses' that InfoSys managed the student information system that was compromised, according to court records filed by the plaintiffs Insufficient cybersecurity protocols allowed the intrusion to go unnoticed for more than two months, the lawsuit alleges, and, once it was discovered, L.A. school leaders failed to provide 'prompt and accurate notice of the data breach.' The breached portal 'is currently the largest student data system in the United States,' the 162-page complaint notes, yet district officials 'prioritized a race to incorporate technology in classrooms, with no regard for the risks of harboring troves of student data in online databases subject to cyberattacks.' Months before the Vice Society ransomware attack began, Los Angeles student records were exposed in a cyberattack on ed tech vendor Illuminate Education, which affected districts nationwide. LAUSD submitted a breach notice to the California attorney general's office in May 2022, some five months after the incident unfolded. The report doesn't disclose the types of information that were exposed or the number of students who had been affected. Then, in June 2024, a threat actor who goes by the name 'the Satanic Cloud' posted a listing on a notorious dark web marketplace, seeking $1,000 in exchange for what they claimed was a trove of more than 24 million L.A. school district records. A second threat actor, known as 'Sp1d3r' similarly posted a listing for records reportedly stolen from the district with a $150,000 price tag. The district said school data maintained by a third-party vendor was caught up in a cyberattack on the cloud computing company Snowflake, but officials didn't disclose the name of the vendor or the types of records that may have been compromised. The district denied a public records request by The 74 seeking information related to the incident, saying that certain files were protected by attorney-client privilege. The incident doesn't appear in a California attorney general's office database of data breaches.
