Cyber Incident Victim: David Douglas School District

On January 29, 2023, David Douglas School District in Portland, Oregon, experienced a data breach involving the loss or theft of a device or media storage containing sensitive personal information. The breach was discovered on the same day it occurred, though the specific type of device or circumstances of the loss were not detailed in the notification. The compromised data included individuals' names combined with their Social Security Numbers, exposing affected parties to potential identity theft risks. A total of 23,337 individuals were impacted by the incident, including eight Maine residents. The breach notification did not specify whether the affected individuals were exclusively students, staff, or other affiliated parties, nor did it describe the operational systems or security measures in place at the time of the incident.

The district, represented by legal counsel from Constangy, Brooks, Smith & Prophete, LLP, initiated written notifications to affected consumers on June 21, 2023, nearly five months after the breach discovery. Identity theft protection services were provided through IDX/ZeroFox, offering 12 months of credit monitoring, dark web surveillance, and a $1 million identity theft reimbursement policy. The notification submitted to the Maine Attorney General’s office referenced a prior breach notification dated February 24, 2023, indicating another security incident within the preceding 12-month period. No additional details regarding containment efforts, forensic investigations, or device recovery were disclosed in the available report. The delayed notification timeline and absence of technical specifics limited public insight into the breach’s root causes or long-term mitigation strategies beyond the offered protection services.