Cyber Incident Victim: Crown Point Community School Corporation
Date:
Nov 2022
Location:
United States of America
Summary
A cyber incident at Crown Point Community School Corporation involved unauthorized access to its network, disrupting IT systems and prompting temporary school closures. The breach potentially exposed sensitive personal information including names, Social Security numbers, financial account details, and driver's license data. Following an investigation with third-party specialists, the district implemented enhanced security measures, notified affected individuals, and offered complimentary credit monitoring services. A contracted vendor responsible for breach notifications erroneously sent incorrect or duplicate mailings to over 1,600 individuals, exacerbating community confusion. This event occurred amid increasing cyberattacks targeting Indiana schools, with common threats including ransomware and phishing campaigns that have prompted statewide cybersecurity upgrades and reporting mandates.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 21, 2022, Crown Point Community School Corporation detected unusual activity on its computer systems, prompting an immediate investigation with third-party forensic specialists. The investigation revealed unauthorized access to certain systems between November 17 and November 21, 2022, during which an actor potentially accessed sensitive data. The district closed schools for students on November 28, 2022, due to significant network disruptions caused by the incident. By June 7, 2023, Crown Point completed a comprehensive data review confirming that personal information—including names, Social Security numbers, payment card details, financial account information, and driver’s license/state ID numbers—may have been compromised. The district mailed notification letters to affected individuals with valid addresses starting July 26, 2023, and established a dedicated assistance line for inquiries. Crown Point also offered complimentary credit monitoring and identity restoration services to potentially impacted individuals. During the notification process, the district’s vendor, Dauntless Discovery, erroneously sent duplicate or incorrect mailings to over 1,600 individuals, exacerbating community confusion. Crown Point demanded a refund from Dauntless Discovery and requested a formal apology, though the vendor had not responded as of the July 2023 update. The district reported the incident to federal law enforcement and implemented policy enhancements to prevent future breaches.
The incident occurred amid a surge in cyberattacks targeting Indiana schools, with 46 reported incidents or attempts since July 2021. Crown Point’s disruption mirrored tactics identified in a U.S. Government Accountability Office report, including phishing, ransomware, distributed denial-of-service attacks, and video conferencing intrusions. Other Indiana districts incurred significant costs responding to similar events: Baugo Schools spent $10,000 on firewall upgrades, Logansport committed $30,000 annually for continuous monitoring, Mooresville allocated $80,000 yearly for cyber protection, and Duneland Schools paid $281,703 for cybersecurity services over one year. Indiana’s 2021 cybersecurity law required schools to report incidents to the state within 48 hours, positioning it among only 10 states with such mandates. Crown Point’s response aligned with state recommendations, emphasizing credit report monitoring, fraud alerts, and security freezes for affected individuals. The district’s forensic review and notification process spanned seven months, reflecting the complexity of assessing data exposure. No identity fraud linked to the breach had been confirmed as of July 2023, though the district urged vigilance regarding financial accounts and personal information.