NEW HANOVER COUNTY — According to a letter sent to parents by Coastal Preparatory Academy and a lawsuit filed in Superior Court, a former employee obtained extremely sensitive personal information about parents, students, and staff — including social security numbers, health and financial information, and employment records.
The charter school has filed several civil actions to recover passwords, personal data, and control of its computer systems. The school has also contacted the Attorney General’s office, as it believes the employee responsible for the data breach has broken state and federal law.
According to court records, CPA alleges that former School Operations Manager Shandra Gilles “improperly obtained sensitive information” from the charter school’s computer systems. In June, Gilles allegedly locked CPA leadership members from accessing those systems by refusing to provide passwords.
In its legal complaint, filed in New Hanover County Superior Court, CPA states that on June 22 Gilles locked Board Chair Chris Millis from the computer system. Gilles then refused to respond to requests from Millis to reactivate his account and explain her actions, which had effectively led to her being the sole system administrator and ‘paralyzing’ CPA’s ability to manage the school’s data.
On June 25, CPA filed for an injunction ordering Gilles to provide passwords to allow access and prohibiting her from using CPA’s computer systems. Gilles complied — at least in part — and CPA voluntarily dismissed the injunction.
Five days later, Gilles was fired by CPA.
Using the passwords provided by Gilles, CPA conducted an internal investigation, which led to what the school called “two alarming revelations.”
First, CPA stated that Gilles had accessed “Social Security numbers, student health and residency information, school personal employment records, and CPA’s financial records.”
Second, CPA stated that Gilles had violated the original court agreement and, after being fired, continued to access and “unlawfully possess” this sensitive data.
The school then filed for an emergency injunction which would compel Gilles to return all control of the computer systems to CPA and allow an independent forensic data team to ensure Gilles was no longer in possession of sensitive information.
The injunction request, which claims Gilles violated state and federal law, also calls for Gilles to be held in contempt for refusing to fully comply with the original, now-dismissed injunction.
Last week, CPA notified parents of the data breach in a letter (you can find an image of the letter below).
“We have reason to believe that certain sensitive information in the possession of the school, including information about its students and/or its students’ parents was accessed with authorization, and you may have been affected. Specifically, your Social Security number may have been accessed and/or misappropriated,” the letter began.
The letter notes that CPA believes the data breach to be an “isolated incident” involving only Gilles.
Millis offered a statement on behalf of the CPA Board, which echoed much of the letter sent to parents.
The School has taken swift and meaningful action to prevent a future exposure of data that could be considered sensitive to staff, students, and/or student’s parents. In June 2020, the School learned that an employee had been engaged in unauthorized access to some of the school’s sensitive electronically stored records. The School Board immediately engaged legal counsel to assist with an internal investigation. In turn, our legal counsel immediately retained a computer forensic consultant to assist with the investigation.
In the effort to prevent a future exposure of the data that the employee (now a former employee) accessed, the Board has initiated a lawsuit against the former employee responsible for the unauthorized access and may pursue any co-conspirators in the effort to prevent an exposure of the sensitive data beyond the reach of the former employee.
To be clear, the best information we have at this moment is that this was an isolated incident involving the conduct of a now-separated employee. The Board of Directors will continue to act decisively and thoroughly to guard against future harm and to ensure the former employee’s conduct is addressed appropriately through the lawsuit we have already initiated. We take the protection of our students, their families, our teachers, staff, and the entire Coastal Prep community very seriously and we will continue to take the necessary action as needed.