Dozens of school districts and thousands of individuals in the United States are impacted by a data breach resulting from a ransomware attack aimed at retirement services provider Carruth Compliance Consulting.
Carruth Compliance Consulting (CCC) provides administrative services to public school districts and non-profit organizations for retirement savings plans.
In a notification posted on its website on January 13, 2025, Carruth revealed that it had detected suspicious activity on its computer systems on December 21, 2024. An investigation determined that hackers had access to its systems between December 19 and December 26, and that they stole some files.
According to the company, the compromised files stored personal information such as name, Social Security number, financial account information and, in some cases, driver’s license numbers, medical billing information, W-2 information, and tax filings. Impacted individuals are being offered free credit monitoring and identity restoration services.
This week, a relatively new ransomware group named Skira took credit for the attack on Carruth, claiming to have stolen roughly 469 Gb of data, including databases, source code, and the information mentioned by the company in its notification to customers.
At the time of writing, Skira’s Tor-based leak website names only four other victims, the first of which was announced in December 2024.
While Carruth has not shared any information on the number of impacted organizations and individuals, dozens of school districts and colleges across several states revealed over the past weeks that they had been hit by the cybersecurity incident.
School districts informed state attorneys general that Carruth was unable to identify affected individuals, and each educational institution has been working to identify the current and former employees whose personal information was shared with the retirement services provider.
In Maine, where organizations are required by the attorney general to disclose the number of individuals impacted by a data breach, to date, nine school districts reported identifying a total of more than 20,000 affected people.
News of the Carruth data breach comes just weeks after it came to light that the information of millions of students and educators in the US and Canada may have been stolen by hackers in a cyberattack targeting education software and services provider PowerSchool.