A December 2024 cyberattack on a prominent administrator for retirement plans has exposed the information of thousands of public school teachers and employees across the U.S.
# Incident Report: Compromise of Carruth Compliance Consulting Affects Thousands of School Employees
## Executive Summary
In December 2024, Carruth Compliance Consulting, an administrator for public school retirement plans, suffered a cyberattack resulting in the exfiltration of sensitive personal data belonging to tens of thousands of teachers and school employees across the U.S. The extortion group Skira Team claimed responsibility for the incident, in which attackers obtained names, SSNs, and financial account details. The response included an investigation and notification of affected parties; the company has since faced legal action over the breach.
## Incident Details
- Discovery Date: December 21, 2024 (When suspicious activity was identified)
- Incident Date: Between December 19 and December 26, 2024 (Period when systems were accessed)
- Affected Organization: Carruth Compliance Consulting (Third-party administrator for 403(b) and 457(b) retirement plans)
- Sector: Education Administration / Retirement Services
- Geography: Primarily U.S. (Affected schools in Maine, Massachusetts, Vermont, Pennsylvania, Oregon, California, Illinois, New York, etc.)
## Timeline of Events
### Initial Access
- Date/Time: On or near December 19, 2024
- Vector: Not explicitly stated; an intrusion into Carruth's systems occurred.
- Details: Attackers accessed Carruth's environment; the resulting "suspicious activity" was identified on December 21, 2024.
### Lateral Movement
- Details: Lateral movement is implied rather than documented: the attackers were able to copy files from the system, which suggests they navigated the network or host to locate the repositories holding sensitive data.
### Data Exfiltration/Impact
- Details: Hackers copied files containing names, Social Security numbers, financial account information, driver's license numbers, W-2 information, medical billing information, and tax filings. Beneficiaries' data may also have been compromised.
### Detection & Response
- Details: On December 21, 2024, Carruth "identified suspicious activity" on certain computer systems and hired a third-party specialist to investigate. Notifications were sent to affected school districts starting in January 2025. Most impacted schools finished notifying employees by February 24 or 25, 2025.
## Attack Methodology
- Initial Access: Not explicitly detailed. The public reporting does not state the vector; phishing or exploitation of an internet-facing service are plausible possibilities, not confirmed findings.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed (some form of credential access would have been needed to read and copy the files).
- Discovery: Not detailed (would have been used to locate the target data sets).
- Lateral Movement: Implied; reaching the core data stores would have required it.
- Collection: File copying of PII and financial data containing SSNs, W-2s, and account info.
- Exfiltration: Data copied from the system (Method not specified).
- Impact: Theft of highly sensitive personal and financial information for over 40,000 individuals.
## Impact Assessment
- Financial: Unspecified, but multiple class-action lawsuits have been filed against Carruth Compliance Consulting.
- Data Breach: Personally Identifiable Information (PII) and Protected Financial Information (PFI) for over 40,000 U.S. public school teachers and employees.
- Operational: Minor. The company reported an impact on the "operability of certain computer systems." The major impact was external, in the loss of privacy for the affected individuals' data.
- Reputational: Significant reputational damage to Carruth Compliance Consulting, with at least one district reported to have terminated its contract with the company.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: Suspicious activity identified on systems between 12/19/24 and 12/26/24.
## Response Actions
- Containment: Not explicitly detailed; containment efforts to stop the unauthorized access are assumed to have begun after the suspicious activity was noted on 12/21/24.
- Eradication: Not detailed.
- Recovery actions: Hired a third-party specialist to investigate; notified affected school districts, which then notified their employees.
## Lessons Learned
- Reliance on third-party vendors such as Carruth to handle sensitive PII creates a significant single point of failure for large populations (here, tens of thousands of school employees).
- Stores of sensitive data (SSNs, financial records) must be aggressively protected and segmented; the compromise of a single store caused widespread downstream harm.
## Recommendations
- Organizations using third-party retirement or HR administrators must conduct thorough security assessments of the vendor's controls, particularly regarding PII storage and access.
- Implement stronger multi-factor authentication and network segmentation to limit the "blast radius" if an administrative service provider is compromised.
- Review vendor contracts to ensure adequate liability and breach notification protocols are in place prior to relying on their services.