On the RPS Data Breach

The following statement was read by REA President Neri Suarez on Monday, August 21, 2023 at the Richmond City School Board meeting during public comment.

On June 16, 2023 the School Board and Superintendent Kamras received an email from an RPS employee and REA member informing them of having access on their Talent Ed portal to social security numbers, dates of birth, medical history, addresses, criminal background, salaries, college transcripts  and other private information of both RPS employees and individuals that had applied to RPS. It appeared as though they had administrative or HR access to Talent Ed. This member also confirmed other employees shared with them they had previously had similar access, but didn’t report it out of fear of retaliation.

 After a few emails back and forth, this initial employee’s access was removed by RPS. The REA leadership met with Superintendent Kamras about this data breach in July, and were told that no report of the breach would be given to employees until after their insurance company finished its investigation, which was part of the directive given by the insurance company VACorp. We requested a timeline as to when the investigation would be completed and haven’t received that info yet. In the time since, we have learned from another REA member that in late June of this year, they also had an unusual and unsettling experience of receiving private employee data. This member received an email from what appeared to be a student account that linked a spreadsheet with pages and pages of private employee information. 

While these two members’ experiences are unsettling, internet and data security issues with RPS have been common for a while. RPS employees have regularly seen phishing schemes where an email appears to be from an RPS employee, but isn’t really. Our own REA vice president recently experienced their work email account being hacked or compromised to some degree where emails they were sent weren’t received and emails they themself sent appeared to be from another RPS contractor account.

Given the knowledge that there is a breach of security or hack occurring that seems to be targeting not just employees, but also potential employees and students, the REA Board voted last week for our union to make this issue known publicly. In doing so, we are requesting the following actions be taken:

  • RPS should immediately inform every RPS employee that their sensitive and confidential data may have been compromised and privacy violated.
  • Provide every RPS employee and any person who has submitted an application through the Talent Ed Hire portal with identity theft protection for a minimum of 2 years.
  • Have all systems that house sensitive and confidential information reviewed by a third-party auditor.
  • Establish a plan and a timeline for updating these systems that is thorough and expeditious.
  • Share with all employees and the people impacted how this problem occurred, how it will be corrected, a time frame of corrective measures, and guarantee that every effort will be made in order to not further compromise any current or  potential employee’s sensitive and confidential information.
  • A guarantee that current authorized personnel are bound to a nondisclosure or confidentiality agreement.
  •  Reduce the amount of people who have access to sensitive information and make transparent who the people are that have access, e.g. when submitting docs, indicate that info will only be available to TalentEd director and benefits….
  • Issue a formal statement and explanation so as to inform the public.

We also want to caution both the administration and School Board not to play the blame game. This appears to be a widespread issue that isn’t the fault of any one person or even department. And even if it were, was that person or department adequately trained? We already know from conversations with our colleagues and members in our tech department that they’re incredibly understaffed and that RPS is using programs and software that are dated and need to be upgraded.

 On top of that, many new teachers still haven’t received laptops for the start of the year, our buildings have regular issues with their wifi, and the new printers still haven’t been connected to RPS laptops. Our union would like to stress the importance of prioritizing the quality of our staff and students’ time in schools rather than the quantity of time. We spend millions of dollars each year on online third party learning programs, yet our most basic technology and internet don’t consistently work or work well. We hope the School Board will consider this next time they are funding contracts for online curricula, applications and other ed tech, and instead ask the RPS community what it actually needs and wants in terms of technology access to make the most out of their time in schools.