Ransomware gang Skira today claimed responsibility for a December 2024 data breach at Carruth Compliance Consulting. The breach led to at least three dozen school districts and colleges across the US (Carruth’s clients) reporting data breaches that compromised the personal data of more than 110,000 school employees.
Carruth administers the retirement savings plans for these school districts. It started notifying victims of the breach on January 13, 2025. The compromised data includes names, Social Security numbers, financial account info, driver’s license numbers, W-2 info, medical billing info, and tax filings.
Skira is a new ransomware group, and Carruth is the first of five organizations that Skira claims it hacked.

Carruth has not verified Skira’s claim. We do not yet know if Carruth paid a ransom, how much Skira demanded, or how attackers breached Skira’s network. Comparitech contacted Skira for comment and will update this article if it replies.
“On December 21, 2024, CCC identified suspicious activity that impacted the operability of certain computer systems within our environment,” Carruth’s notice to victims states. “The investigation determined that certain systems on our network were accessed without authorization between December 19, 2024 and December 26, 2024, and during that time, certain files were copied from our systems.”
Carruth is offering eligible victims free credit monitoring via IDX.
Below is the list of affected schools and the number of victims reported by each so far:
- Linn Benton Community College, PA, 15008 victims
- Chemeketa Community College, OR, 7408
- Greater Albany Public School District, IL, 5846
- Gladstone School District, OR, 4318
- Lincoln County School District, CA, 3533
- Klamath County School District, OR, 3494
- Newberg School District, OR, 3481
- Forest Grove School District, OR, 3293
- Linn Benton Lincoln ESD, PA, 3274
- Southern Oregon Educational Services District, CA, 2982
- North Wasco County School District, OR, 2100
- Umatilla School District, OR, 1364
- North Santiam School District, OR, 1089
- Jefferson School District, OR, 981
- Junction City School District, NY, 981
- Perrydale School District, CA, 679
- West Linn-Wilsonville School District, OR, 13123
- Multnomah Education Service District, OR, 11076
- Bend-La Pine School District, OR, 9775
- Canby School District, OR, 5594
- Clackamas Education Service District, OR, 2624
- Centennial School District, OR, 7675
- Scio School District 95-C, OR, 685
- Columbia Gorge Education Service District, OR, 1
- Lane ESD, OR, 1
- Vernonia School District, OR, 1
- Springfield Public Schools, OR, 6
- St. Helens School District, OR, 6
- Parkrose School District, OR, 5
- Bethel School District #52, OR, 5
- Oregon City School District, OR, 5
- Corvallis School District, OR, 4
- Fern Ridge School District, OR, 1
- Molalla River School District, OR, 1
- Pleasant Hill School District, OR, 1
We expect these figures will continue to rise as schools continue to report breaches resulting from the attack on Carruth, and as more state attorneys general disclose the figures.
The schools’ notices explicitly name Carruth as the vendor responsible for the data. A proposed class-action lawsuit says Carruth negligently failed to protect the personal information of school employees.
Who is Skira?
Skira is a brand new ransomware gang and Carruth is one of its first five claimed attacks. We don’t know much about this gang yet, but the name resembles that of another big ransomware group: Akira. That could imply that Skira uses a strain of malware similar to Akira, and/or has some of the same members.
Ransomware attacks on US finance
Ransomware attacks on US finance companies can lock down computer systems and steal data. Companies must then either pay a ransom or face extended downtime, data loss, and an increased risk of fraud for data subjects. Ransomware can disrupt a wide range of operations including communication, financial transactions, access to stored files, and more.
Comparitech researchers logged 58 confirmed ransomware attacks on US finance companies in 2024, compromising 34.6 million records. The average ransom for a finance company is $1 million.
Other recent attacks of this kind include:
- Legacy Professionals notified 190,818 people of a data breach following an attack by LockBit in April 2024
- Estrella Insurance notified 16,379 people of a January 2025 ransomware attack by an unknown group
In addition to confirmed attacks, Comparitech tracked 151 unconfirmed claims against US finance companies in 2024, and 43 so far in 2025. These are claims made by ransomware groups but not acknowledged by the targeted organizations.
About Carruth Compliance Consulting
Based in Tigard, Oregon, Carruth Compliance Consulting administers retirement savings plans for many school districts and colleges across the USA.