St. Landry Parish: A K-12 Cybersecurity Case Study

St. Landry Parish School Board in Opelousas, Louisiana, serves approximately 12,000 students across more than 30 schools in a largely rural parish. In July 2023, the district became the target of a devastating ransomware attack by the Medusa ransomware gang, a case that illustrates critical cybersecurity lessons for school districts nationwide. The attack exposed sensitive data belonging to thousands of students, employees, and community members, and the district's delayed notification response drew scrutiny from the Louisiana Attorney General's office. This case study examines what happened, what went wrong in the response, and what every school district can learn from it.

The Medusa Ransomware Attack

In July 2023, attackers affiliated with the Medusa ransomware group infiltrated St. Landry Parish School Board's network systems. Medusa is a ransomware-as-a-service (RaaS) operation that emerged in 2021 and became increasingly active through 2023 and 2024, targeting school districts, hospitals, and government agencies worldwide. The group is known for its "double extortion" tactic: encrypting victim systems to demand a ransom payment while simultaneously stealing sensitive data and threatening to publish it if the ransom is not paid.

The attackers demanded approximately $1 million in ransom from the school board. District leadership made the decision not to pay the ransom, which aligned with FBI recommendations and Louisiana state policy discouraging ransom payments to cybercriminals. However, because the ransom was not paid, the Medusa group followed through on its threat and published the stolen data on its dark web leak site, making it accessible to other criminals.

This was not the first time St. Landry Parish faced a significant cyber incident. In 2020, the district experienced a separate cyberattack that took its computer systems offline for approximately two weeks, disrupting operations across the school system. That earlier incident, while disruptive, did not result in the same scale of data exposure as the 2023 Medusa attack.

Data Exposed in the Breach

The scope of data compromised in the 2023 attack was extensive and alarming. The stolen information included:

  • Social Security numbers of more than 13,500 individuals, including current and former employees and potentially students
  • Student records containing names, home addresses, dates of birth, and in some cases special education status and disciplinary records
  • Approximately 100,000 sales tax records from the parish, which included financial and personally identifiable information
  • Employee personnel files including payroll information, tax documents, and employment records
  • Internal administrative documents including financial records, contracts, and operational communications

The exposure of special education records is particularly concerning from both a privacy and legal standpoint. Under the Family Educational Rights and Privacy Act (FERPA) and the Individuals with Disabilities Education Act (IDEA), student disability information is afforded heightened protections. When such data is exposed in a breach, it can lead to stigmatization, discrimination, and targeted scams directed at vulnerable families.

The Five-Month Notification Delay

Perhaps the most troubling aspect of the St. Landry Parish incident was the extended delay between the breach and notification of affected individuals. The attack occurred in July 2023, but formal notification letters were not sent to affected individuals until approximately January 10, 2024, nearly five months later. The timeline of events reveals significant gaps in communication:

  • July 2023: Medusa ransomware group breaches the school board's systems and demands approximately $1 million ransom
  • July-August 2023: The school board refuses to pay the ransom; Medusa publishes stolen data on the dark web
  • August-December 2023: Months pass without formal public notification to affected individuals about the data exposure
  • Late 2023: A local newspaper investigation reveals the full scope of the breach and the lack of notification
  • Late 2023: The Louisiana Attorney General's office initiates an inquiry into the district's notification practices
  • January 10, 2024: The school board sends formal breach notification letters to approximately 13,500 individuals whose Social Security numbers were compromised

The delayed notification is a critical failure in incident response for several reasons. First, individuals whose Social Security numbers were exposed were unable to take protective action such as placing credit freezes, enrolling in identity monitoring, or watching for signs of fraud during those five months. Second, the delay potentially violated Louisiana's Database Security Breach Notification Law (La. R.S. 51:3074), which requires that notification be made to affected individuals "in the most expedient time possible and without unreasonable delay." While the law allows reasonable time for law enforcement investigation and determining the scope of a breach, a five-month gap raised serious questions about compliance.

Why School Districts Are Prime Targets

The St. Landry Parish attack reflects a broader national trend of cybercriminals targeting K-12 school districts. According to data from the K-12 Cybersecurity Resource Center, schools experienced over 1,600 publicly disclosed cyber incidents between 2016 and 2023. Several factors make school districts particularly attractive targets:

  • Rich data repositories: Schools store extensive personal information including Social Security numbers, health records, special education evaluations, disciplinary records, family financial data for free/reduced lunch programs, and staff payroll information
  • Limited IT resources: Many districts, especially rural parishes like St. Landry, operate with small IT departments that lack dedicated cybersecurity staff. A single IT director may be responsible for hundreds or thousands of devices across dozens of school buildings
  • Aging infrastructure: Budget constraints often mean schools run outdated operating systems, unpatched software, and legacy hardware that contains known vulnerabilities
  • Large attack surface: With thousands of students, teachers, and staff accessing systems daily, often on personal devices, the potential entry points for attackers multiply dramatically
  • Pressure to maintain operations: Unlike some businesses that can temporarily shut down, schools face enormous pressure to keep operating for the communities they serve, and attackers exploit that pressure to push for ransom payments
  • Decentralized governance: Louisiana's 69 parish school systems each manage their own IT infrastructure independently, meaning a vulnerability in one parish's systems does not necessarily prompt action in others

Double Extortion: A Growing Threat

The Medusa group's attack on St. Landry Parish exemplifies the "double extortion" model that has become the dominant ransomware strategy. In traditional ransomware attacks, criminals encrypt a victim's files and demand payment for a decryption key. In double extortion, attackers first exfiltrate (steal) sensitive data before encrypting systems. This creates two separate points of leverage: the victim must pay to regain access to their systems and pay again to prevent the publication of stolen data.

For school districts, double extortion is especially dangerous because even if a district has good backups and can restore systems without paying a ransom, the stolen data can still be published. This means that traditional backup strategies, while essential, are no longer sufficient protection on their own. Districts must also invest in data loss prevention, network segmentation, and intrusion detection systems that can identify unauthorized data exfiltration before it is complete.
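As an added illustration (not taken from any district's or vendor's tooling), the sketch below shows the kind of logic that lets monitoring flag data exfiltration while it is still in progress: it totals each internal host's hourly traffic to external addresses and alerts when an hour far exceeds that host's own history. The flow records, the 10.0.0.0/8 internal range, and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed district address space

# Constructed flow records: (hour, source, destination, bytes sent).
FLOWS = []
for h in range(4):
    FLOWS.append((h, "10.1.20.15", "198.51.100.20", 5 * MB))    # records server, light use
    FLOWS.append((h, "10.1.30.7", "198.51.100.80", 200 * MB))   # steady off-site backup
FLOWS += [
    (4, "10.1.20.15", "203.0.113.50", 900 * MB),  # sudden bulk upload to a new destination
    (4, "10.1.30.7", "198.51.100.80", 210 * MB),  # backup as usual
    (4, "10.1.20.15", "10.1.30.7", 2000 * MB),    # internal copy, not egress
]

def external_bytes_per_hour(flows):
    """Sum bytes sent from internal hosts to external destinations, per host and hour."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[src][hour] += nbytes
    return totals

def egress_alerts(flows, factor=10, floor=100 * MB, min_history=3):
    """Alert when an hour exceeds both an absolute floor and factor x the host's median."""
    alerts = []
    for src, by_hour in external_bytes_per_hour(flows).items():
        hours = sorted(by_hour)
        for i, hour in enumerate(hours):
            history = [by_hour[h] for h in hours[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet to judge this host
            baseline = median(history)
            if by_hour[hour] > max(floor, factor * baseline):
                alerts.append((src, hour, by_hour[hour], baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for src, hour, sent, baseline in egress_alerts(FLOWS):
        print(f"{src} hour {hour}: {sent // MB} MB out, baseline {baseline / MB:.0f} MB")
```

The per-host baseline is what keeps the steady 200 MB backup job quiet while the records server's jump from 5 MB to 900 MB is flagged.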

The Medusa group has continued to be active following the St. Landry Parish attack. In early 2025, both the FBI and CISA issued a joint advisory warning that Medusa had compromised over 300 organizations across critical infrastructure sectors, including education. The advisory specifically noted that Medusa affiliates use common techniques including phishing emails, exploiting unpatched vulnerabilities, and leveraging exposed Remote Desktop Protocol (RDP) connections.

Lessons Learned for School Districts

The St. Landry Parish incident provides critical lessons that every school district should internalize:

1. Have an Incident Response Plan Before You Need One

The notification delay suggests the district may not have had a comprehensive, rehearsed incident response plan that included clear notification timelines and communication protocols. Every district should have a written incident response plan that designates specific roles, establishes communication templates, identifies legal notification requirements, and has been tested through tabletop exercises at least annually.

2. Understand Your Legal Notification Obligations

Louisiana law requires notification "without unreasonable delay." Other states have specific timeframes ranging from 30 to 90 days. Districts must understand their state's requirements and build compliance into their incident response procedures. Consulting with legal counsel before a breach occurs ensures faster action when an incident happens.

3. Invest in Data Classification and Minimization

The breadth of data exposed in the St. Landry Parish breach, including sales tax records and special education files, suggests that large volumes of sensitive data were stored in accessible locations. Districts should regularly audit what data they retain, where it is stored, who has access, and whether retention is still necessary. Data that is no longer needed should be securely destroyed.
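A data audit of this kind can start with a simple discovery pass. The following added example (not the district's process or any product's code) walks a file share, counts values that are structurally plausible Social Security numbers, and marks files older than a retention period. The sample files, their contents, and the seven-year retention period are constructed assumptions.

```python
import os
import re
import tempfile
import time

# SSN-shaped token: AAA-GG-SSSS, with or without separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def count_ssns(text):
    return sum(plausible_ssn(*m.groups()) for m in SSN_RE.finditer(text))

def audit_tree(root, retention_days, now=None):
    """Rows of (relative path, hits, age in days, past retention), stale files first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    hits = count_ssns(fh.read())
                age = int((now - os.path.getmtime(path)) // 86400)
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if hits:
                findings.append((os.path.relpath(path, root), hits, age, age > retention_days))
    return sorted(findings, key=lambda f: (not f[3], -f[1]))

def demo():
    """Run the audit over a constructed sample share (all values are made up)."""
    samples = {  # file name -> (content, age in days)
        "payroll_2015.csv": ("Doe,123-45-6789\nRoe,234 56 7890\n", 3000),
        "roster_current.txt": ("Student 345678901 enrolled\n", 10),
        "phones.txt": ("Office 337-555-0100, test id 000-12-3456\n", 3000),
    }
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        for name, (content, age_days) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(content)
            # Backdate the modification time; the half day avoids rounding at the boundary.
            os.utime(path, (now, now - (age_days + 0.5) * 86400))
        return audit_tree(root, retention_days=7 * 365, now=now)
```

Calling `demo()` lists the old payroll export first as past retention, then the current roster, and omits the phone list because neither value in it passes the structural checks.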

4. Implement Network Segmentation

Storing student records, employee records, financial data, and operational systems on the same network segments allows attackers who gain access to one area to move laterally and access everything. Proper network segmentation limits the blast radius of a breach by separating sensitive data stores from general-use systems.

5. Build Relationships with Law Enforcement Before an Incident

Districts should establish relationships with their local FBI field office, CISA regional representatives, and the Louisiana Office of Technology Services before a crisis occurs. These agencies can provide no-cost assessments, threat briefings, and rapid response assistance during an incident. Louisiana's multi-agency cyber response coordination through GOHSEP, the Louisiana State Police Cyber Crime Unit, and OTS provides resources that many parishes underutilize.

6. Transparency Builds Trust

When a breach occurs, timely and transparent communication with affected families and staff, even when the full scope is still being determined, builds trust and allows individuals to protect themselves. Delayed or unclear communication erodes community confidence and can lead to regulatory scrutiny, legal liability, and lasting reputational damage.

What Parents and Community Members Should Do

If you are a parent, employee, or community member affected by a school district data breach, or if you want to protect yourself proactively, consider these steps:

  • Place credit freezes for your children: Minors' Social Security numbers are especially valuable to identity thieves because fraud may go undetected for years. You can place a free credit freeze with all three major credit bureaus (Equifax, Experian, and TransUnion) for anyone under 16. In Louisiana, you can also freeze a minor's credit through the Louisiana Attorney General's office
  • Monitor credit reports: Adults should check their credit reports at AnnualCreditReport.com and consider enrolling in free credit monitoring if offered by the breached organization
  • Watch for targeted phishing: After a breach, attackers often use stolen information to craft convincing phishing emails and phone calls. Be suspicious of any communication that references your child's school, requests personal information, or creates urgency
  • File a report with the FTC: If you suspect identity theft, file a report at IdentityTheft.gov, which provides a personalized recovery plan
  • Engage with your school board: Attend school board meetings and ask about the district's cybersecurity posture, incident response plans, and data protection policies. Community engagement drives accountability and investment in security

Resources for Louisiana School Districts

Louisiana school districts seeking to strengthen their cybersecurity posture can access several state and federal resources:

  • CISA K-12 Cybersecurity Resources: Free vulnerability scanning, incident response assistance, tabletop exercise toolkits, and cybersecurity training specifically designed for school districts
  • Multi-State Information Sharing and Analysis Center (MS-ISAC): Free membership for public sector entities including school districts, providing threat intelligence, security advisories, and 24/7 incident response support
  • Louisiana Governor's Office of Homeland Security and Emergency Preparedness (GOHSEP): Coordinates the state's cyber incident response under ESF-17 and can activate the Crisis Action Team for significant school district incidents
  • Cyber.org: Louisiana-headquartered organization providing free cybersecurity curriculum and training resources for K-12 educators
  • FCC Schools and Libraries Cybersecurity Pilot Program: A $200 million federal initiative providing funding up to $13.60 per student for eligible cybersecurity services and equipment, with higher reimbursement rates for high-poverty districts

Disclaimer: This page is provided for cybersecurity awareness and educational purposes only. The information presented is based on publicly reported details about cyber incidents affecting school districts. CyberLearning is not affiliated with St. Landry Parish School Board or any Louisiana government entity. For specific cybersecurity guidance, consult qualified professionals and official resources such as CISA and the Louisiana Attorney General's Office.
