Cyber Incident Victim: Coastal Preparatory Academy
Date: Jun 2020
Location: United States of America
Summary
A former employee of Coastal Preparatory Academy improperly accessed and retained sensitive personal data including Social Security numbers, health records, financial information, and employment details for students, parents, and staff. The individual locked system administrators out of critical computer systems, paralyzing operational access, and continued possessing the data unlawfully after termination. The charter school pursued legal actions to regain control of its systems, engaged forensic experts to investigate the breach, and notified affected parties that their information may have been compromised. Leadership characterized the incident as isolated to the terminated employee and emphasized implementing measures to prevent future exposures while cooperating with legal authorities.
Description
On June 22, 2020, Coastal Preparatory Academy (CPA) experienced a data breach when former School Operations Manager Shandra Gilles locked Board Chair Chris Millis out of the charter school’s computer systems by refusing to provide administrative passwords. This action effectively paralyzed CPA’s ability to manage its data systems, as Gilles became the sole system administrator. Three days later, on June 25, CPA filed for a civil injunction in New Hanover County Superior Court to compel Gilles to relinquish passwords and restore access. Gilles partially complied with the request, leading CPA to voluntarily dismiss the injunction. Five days after the injunction was resolved, CPA terminated Gilles’ employment.

Following Gilles’ termination, CPA conducted an internal investigation using the recovered passwords, revealing two critical findings. First, Gilles had accessed highly sensitive data including Social Security numbers, student health and residency records, staff employment files, and the school’s financial records. Second, despite the initial court agreement and her dismissal, Gilles continued to access and unlawfully retain this data. In response, CPA filed for an emergency injunction on July 17, 2020, seeking to regain full control of its systems, mandate Gilles’ compliance, and allow forensic experts to verify the deletion of stolen data. The school also accused Gilles of violating state and federal laws and requested contempt charges for noncompliance with the prior injunction.

On August 16, 2020, CPA notified affected parents via letter, disclosing that their Social Security numbers and other personal information may have been accessed or misappropriated. The school characterized the breach as an isolated incident involving Gilles alone and emphasized its immediate engagement of legal counsel and forensic consultants to investigate. CPA Board Chair Millis publicly affirmed the school’s swift actions to secure systems and prevent future exposures.
