More than 6,000 people have been notified by the Davenport School District that their personal information may have been stolen in an early September cyber attack.

The district sent letters to 6,409 people on Wednesday, notifying them of the possibility some district-stored data may have been compromised, including social security numbers, drivers' license numbers and/or medical information, according to a breach notification filed Wednesday with the Iowa Attorney General's Office.

District officials previously said they thought they had "thwarted" the attack.

A data-extortion group is claiming online to have stolen "a giant, massive array" of students' personal information. The group, "Karakurt," also is threatening to release the data if an Oct. 31 deadline is not met.

Neither the district nor Karakurt has indicated the terms of the deadline and whether ransom demands have been made.

The district was required to disclose the threat to the state.

"Anyone who encounters a security breach that affects at least 500 Iowa residents must provide written notice to the Attorney General’s Consumer Protection Division Director within five business days after notifying affected people," the AG's website explains.

In complying with the rule, the Davenport Community School District, DCSD, supplied the Attorney General's Office with a timeline of events surrounding the attack, which shows it was aware of the threat for about a month-and-a-half before notifying those whose personal data may have been compromised.

"On September 7, 2022, DCSD discovered suspicious activity associated with certain systems within its network," the notification begins. "In response, DCSD took immediate steps to secure its network, which included disconnecting its systems from the internet, and promptly launched an investigation.

"In so doing, DCSD engaged independent digital forensics and incident-response experts to determine what happened and to identify any information that may have been accessed or acquired without authorization as a result.

"On September 30, 2022, DCSD learned that some DCSD data had potentially been accessed or acquired without authorization. DCSD then immediately undertook efforts to review the potentially impacted data.

"On October 10, 2022, DCSD learned that certain personal information was contained within the potentially impacted data and therefore may have been impacted in connection with this incident. DCSD then worked to promptly notify potentially impacted individuals of this incident.

"The potentially impacted information that may have been accessible by the malicious actor(s) responsible for this incident included individuals’ names, Social Security numbers, driver’s license numbers, and / or medical information."

Brett Callow, a threat analyst for global cybersecurity software firm Emsisoft, said Davenport is not alone in either choosing to keep the attack under wraps or having been advised to do so.

“I have a long list of organizations that initially started by saying they had no evidence for data being compromised, then backtracked when criminals released that the data had indeed been compromised," Callow said Thursday. "In my opinion, organizations should play it safe and tell people that they don’t yet know whether data was compromised. And until that’s been clarified, they should monitor their financial transactions and take other steps to protect themselves.”

He likened a cyber attack to a residential burglary, saying, “You could [initially] say there’s no evidence of something being burglarized, but you haven’t had the chance to properly go through your belongings to see what’s missing.

"Working out what’s happened in these incidents can be extremely difficult, and it can be a multi-week exercise to try and work out what’s been taken."

This is not to say that school districts, municipalities and other government bodies that are attacked should keep it to themselves, Callow said.

"The forensic work takes time and it’s complicated but it isn’t right, in my opinion, for organizations during that investigatory period to say they have no evidence, because it just might mean they haven’t yet found it."