What Happened?
On September 20, 2024, Granite became aware of suspicious activity on its network. The District took appropriate steps to contain the incident and launched an investigation to determine the nature and scope of the activity. The investigation determined that between September 11 and September 25, 2024, an unknown, unauthorized actor gained access to certain computer systems and acquired files stored on those computer systems.
What Information Was Involved?
Employee and student information was stored on the impacted computer systems. Individuals will be contacted directly by our insurance provider with more detailed information about what personal identifiable information was compromised.
What Are We Doing About It?
Data privacy and security are among Granite’s highest priorities, and we have measures in place to protect information in our care. Our response to this incident included:
- Confirming the security of our systems.
- Determining what data was potentially accessed or acquired.
- Reviewing the contents of relevant data for sensitive information.
- Identifying appropriate contact information to notify individuals associated with that sensitive information.
As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our policies, procedures, and processes related to the storage and access of personal information to reduce the likelihood of a similar future event. We have also notified and are working with requisite state regulatory authorities and law enforcement of this incident.
How Can I Sign Up for Credit Monitoring and Identity Protection Services?
Letters were mailed out to all affected individuals on January 9th. The letters contain instructions and enrollment codes to sign up for these services. Our data vendors can reliably determine current addresses for past students or employees who have moved since their time in Granite. If you do not receive a letter, you were most likely not impacted by the data breach.
Frequently Asked Questions
Parents and Students
What information was accessed?
The data accessed varies some by the student and the time frame they attended Granite School District. We can confirm student’s personal identifiable information,(PII) was compromised. PII is part of a student record, which can contain:
- Name
- Address and phone number
- Any associated health information
- Grades and assessment results
You will receive a personalized letter detailing what information was accessed from IDX. That letter will be sent January 9, 2025.
Which students had information compromised?
Unfortunately, all student records were accessed. This includes all current and former Granite School District students.
What about my child’s social security number?
We have determined that 15% of current and former students had records containing their social security number that was accessed. Your individualized letter will confirm what personal information was compromised.
When will I get information about credit monitoring services?
We have been working with our cybersecurity insurance to provide data breach response services and set up a support center that will provide our students affected (with parental support) with mailing notification, call center support, and identity theft and credit monitoring enrollment. We expect the mailing with specific information to go out on January 9, 2025.
What can I do now to protect my student’s information?
Please click here for instructions on contacting credit bureaus to get a credit report or place a fraud alert on my credit file.
Employees
Has the district ensured that the threat actors no longer have access to our data?
We worked with a forensic security company to ensure that the threat actors no longer have access to our system. This was completed by September 30, 2024.
I would like confirmation of whether I was a victim of this theft. Or if these emails are a general precaution since I am a GSD employee.
Our investigation thus far has determined that all current employees’ personal identifiable information was stolen.
Have you individually contacted the specific people that this affected or are you just sending blanket updates? Should I take measures to change my bank account?
We sent out initial notification of the breach to all employees in October, with follow up emails sent in November and December after we received confirmation that all current employees were impacted. You should take the recommended actions and precautions previously sent.
If my financial institution recommends I change my account, do I need to do anything with my direct deposit?
Yes, once it is changed, we need you to provide this completed form linked here to Payroll in person as soon as possible.
Will free credit monitoring and identity theft be provided to employees? If so, how long?
Yes. We are working with our insurance company to determine the length of time coverage will be provided. More detailed information will be mailed to you on January 9, 2025.
Does this breach include the SSN’s of employee dependents on our insurance as well?
Our data mining investigation thus far discovered that payroll information had been stolen. That information show no indication that any family members’ information was part of the data breach.
What is the District doing to help employees who may have identity theft before they can take steps to protect themselves?
The breach took place in September 2024. We notified employees on October 18, 2024 in order for you to take all appropriate protective actions to secure your identity, such as:
– Placing an alert or freeze on your credit
– Contacting your financial institution for recommendations
– Consider enrolling in the district provided credit monitoring services, when available
What do I do if my personally identifiable information is also compromised?
We encourage employees to enroll in Identity theft and credit monitoring. These services are used to prevent a threat actor from being able to use your identity in harmful ways.
What if I already was looking into my credit for something totally unrelated and you are only allowed to check 1 time for free per year, how will this affect that since checking into this current GSD situation would be twice in one year?
Please work with your financial institution to determine if this would negatively impact you. Credit monitoring services provided will allow for constant monitoring and immediate notification for any change to your credit.
Have you all explored how having a VPN for our district’s network could assist with security?
We do use and have a VPN solution that we employ. It is used if a user needs to access school district resources when they are off-premises. Due to the way our network environment is constructed, we do not employ VPN’s internally at this time. We are also re-evaluating our network to see if instituting additional security measures, like the use of VPNs, will bolster our security.
I recently updated my banking information with payroll for reasons unrelated to the data breach (new employee, changed banks, etc.). Is my new banking information safe?
The district is confident that the threat actors were no longer in our system as of October 1, 2024. The information of any new employees who set up payroll for the first time after that date, or current employees who updated their banking information for unrelated reasons after that date, should be secure. Any banking information provided to the district before October 1st was likely compromised.
What are the steps I can take to protect myself?
Please contact your financial institution to ask what they recommend. We encourage you to follow their advice.
When will credit monitoring be available? And how will we be able to sign up for it?
We are offering complimentary access to credit monitoring services through IDX, a ZeroFox company. If you have been impacted, you will be contacted by them with specific information about those services as soon as it is available. In the meantime, please click here for instructions on contacting credit bureaus to get a credit report or place a fraud alert on my credit file.
Are we going to be given the opportunity to add identity protection to our benefit package even though open enrollment is closed?
Through our insurance provider, free identity protection services will be offered to employees. Information about this will be emailed out as soon as possible. We will evaluate the need for additional services for our employees in the future.
Last May, I changed my direct deposit to a new checking account, however the old checking account I still use. I am getting the new account changed, my question is should I get both of them changed?
Yes, both accounts were likely compromised and you should follow your financial institution’s advice related to both accounts.
Can I request a paper check and/or opt-out of direct deposit?
No. Granite School District’s Board previously made the decision to have GSD a mandatory direct deposit employer.
How far back does the breach go so former employees can also take the necessary actions?
We have determined that employees’ bank account numbers were compromised back to 7/1/2020. There may be other employees who had additional personally identifiable information (not bank accounts) compromised back further, we are still in the process of determining the extent of that information. No employee’s family members’ personally identifiable information (PII) was compromised as part of this payroll information breach.
How are former employees being notified?
We are still data mining to determine which former employees have been impacted along with verifying the addresses of all former employees so they receive notification. If current employees know former employees who were employed after 7/1/2020 but are no longer with Granite, please help alert them to the district information link and this FAQ.
Will there be compensation for employees who received the recommendation from their financial institution that they change their bank account number?
We recognize and regret the burden this has put on employees. Unfortunately, our cybersecurity insurance does not cover compensation for time. To provide this, we would have to reduce funding in other budgeted areas since it is not provided in our coverage. We had allowed for appropriate time off to address these issues prior to the holiday break.
For teachers that enrolled in the Granite provided benefit on identity protection, will this be now paid/reimbursed/not charged?
Our cybersecurity insurance company follows its practice and procedure to set up identity protection under one of the providers they select. To provide this, we would have to reduce funding in other budgeted areas since it is not provided in our coverage.
Enroll in identity theft and credit protection
We are offering complimentary access to credit monitoring services through IDX, a ZeroFox company. If you have been impacted, you will be contacted by them with specific information about those services as soon as it is available.
Questions?
Please send any questions to CustomerService@graniteschools.org. Granite will reply as soon as possible, and common questions will be added to this FAQ page.