Extensive US public school employee data compromise reported from Carruth Compliance Consulting breach

Oregon-based third-party retirement plan administrator Carruth Compliance Consulting had information from more than 40,000 public school teachers and employees in California, Illinois, New York, Oregon, and Pennsylvania exfiltrated following a December attack by the newly emergent Skira Team hacking group, which purported the theft of data from 36 public schools across the U.S., according to The Record, a news site by cybersecurity firm Recorded Future.

Infiltration of Carruth Compliance Consulting systems between Dec. 19 and 26 primarily resulted in the exfiltration of individuals' names, Social Security numbers, and financial account details but W-2 data, driver's license numbers, tax filings, and medical billing details had also been stolen in certain cases, said the firm in a website notice.

Data breach notices have also been filed by other public schools — including Seattle Public Schools, which confirmed that the incident impacted all individuals who have been employed from 2008 to 2024 — indicating a much higher attack toll.

Such an incident, which came amid the disclosure of the widespread PowerSchool hack, has since prompted several class action lawsuits against Carruth Compliance Consulting.