The names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district were accessed by a well-known computer security researcher targeting a former vendor of the district, the school district announced in a message to parents Thursday afternoon.
Earlier this month, the security researcher, Chris Vickery, accessed the student records on vendor Schoolzilla's cloud storage, which had been mistakenly configured for public access, and was able to download data impacting 1.3 million students, he wrote in a blog post describing the breach.
The data included Social Security numbers for some students, but none from Palo Alto Unified, according to the district. Some Palo Alto parent names were accessed, but no other parent information, the district said Thursday.
Nearly 14,000 unique students were affected — both current and past students, because scores on state assessments going back several years were accessed, Chris Kolar, the district's director of research and assessment, told the Weekly. Vickery was able to access student test scores from the California Assessment of Student Performance and Progress, the California High School Exit Examination and the California English Language Development Test, according to the district.
The CAHSEE data went back to 2010, Kolar said.
Schoolzilla CEO Lynzi Ziegenhagen wrote in an email to the district, provided to the Weekly, that the company will not publicly disclose how many or which of its customers were affected by the breach.
The district had contracted with Oakland-based Schoolzilla for a year, from May 2015 through May 2016, to provide data reporting services. Schoolzilla notified the district last week that "there had been unauthorized access to its network and data," the district said.
After learning of the breach, Schoolzilla "immediately fixed the error, verified via log files that nobody other than the one security researcher accessed those exposed files, and ensured that the security researcher who discovered and alerted us to this vulnerability permanently and securely deleted the data," the district said.
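The log-file verification described above is the step a defender actually has to get right after an exposure like this: enumerate every principal that successfully read the exposed objects, then compare that set against the one accessor you already know about. The following is an added example and is not code from the article, the district or Schoolzilla. It assumes the storage was an AWS S3 bucket with server access logging enabled (the article does not name the provider), and every value in it (the bucket name, object keys, IP addresses, requester identity and request ids) is constructed for illustration.

```python
"""Audit which principals read objects under an exposed storage prefix.

Added example, not the vendor's code. Field layout follows the AWS S3
server access log format (an assumption: the article does not name the
cloud provider). All records below are constructed sample data.
"""
import re
from collections import defaultdict

# One token is a [bracketed timestamp], a "quoted string", or a run of
# non-space characters; this keeps the timestamp and request line intact.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# 0-based positions of the fields this check uses. An S3 record starts:
# bucket_owner bucket [time] remote_ip requester request_id operation key "request" status ...
REMOTE_IP, REQUESTER, OPERATION, KEY, STATUS = 3, 4, 6, 7, 9

# Constructed sample records: two anonymous reads from one address, the
# vendor's own ETL principal writing a file, an anonymous read from a second
# address, a denied read after the fix, and a read outside the exposed prefix.
SAMPLE_LOG = """\
OWNERID example-reports-bucket [03/Apr/2017:14:02:11 +0000] 198.51.100.23 - 3E57427F3EXAMPLE REST.GET.OBJECT exports/district_42/scores_2015.csv "GET /exports/district_42/scores_2015.csv HTTP/1.1" 200 - 734112 734112 41 38 "-" "Mozilla/5.0" -
OWNERID example-reports-bucket [03/Apr/2017:14:02:19 +0000] 198.51.100.23 - 7B4A0FABEXAMPLE REST.GET.OBJECT exports/district_42/students.csv "GET /exports/district_42/students.csv HTTP/1.1" 200 - 2048111 2048111 52 44 "-" "Mozilla/5.0" -
OWNERID example-reports-bucket [03/Apr/2017:18:30:02 +0000] 10.0.5.12 arn:aws:iam::111122223333:user/etl-service A1B2C3D4EXAMPLE REST.PUT.OBJECT exports/district_42/scores_2015.csv "PUT /exports/district_42/scores_2015.csv HTTP/1.1" 200 - - 734112 120 97 "-" "aws-sdk-python/1.4" -
OWNERID example-reports-bucket [04/Apr/2017:02:11:45 +0000] 192.0.2.77 - 9F8E7D6CEXAMPLE REST.GET.OBJECT exports/district_42/students.csv "GET /exports/district_42/students.csv HTTP/1.1" 200 - 2048111 2048111 60 51 "-" "curl/7.52.1" -
OWNERID example-reports-bucket [04/Apr/2017:09:00:07 +0000] 203.0.113.9 - C0FFEE12EXAMPLE REST.GET.OBJECT exports/district_42/students.csv "GET /exports/district_42/students.csv HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "curl/7.52.1" -
OWNERID example-reports-bucket [04/Apr/2017:09:05:00 +0000] 198.51.100.23 - DEADBEEFEXAMPLE REST.GET.OBJECT public/readme.txt "GET /public/readme.txt HTTP/1.1" 200 - 512 512 9 7 "-" "Mozilla/5.0" -
"""


def parse_record(line):
    """Split one access-log line into its positional fields."""
    return _TOKEN.findall(line)


def access_events(log_text, exposed_prefix):
    """Return (principal, operation, key) for every successful (2xx) request
    against an object under exposed_prefix.

    Anonymous requests carry '-' in the requester field; they are labelled by
    source IP because that is the only handle the log gives you. Denied
    requests (4xx) are ignored: they prove nothing was disclosed.
    """
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        if len(fields) <= STATUS:
            continue  # truncated record; skip rather than misattribute it
        key, status = fields[KEY], fields[STATUS]
        if not key.startswith(exposed_prefix) or not status.startswith("2"):
            continue
        requester = fields[REQUESTER]
        principal = requester if requester != "-" else f"anonymous@{fields[REMOTE_IP]}"
        events.append((principal, fields[OPERATION], key))
    return events


def readers_by_principal(events):
    """Map each principal to the set of exposed keys it read (GET/HEAD only).

    Writes by the owner's own principals are not disclosures, so they are
    left out of the reader set even though they appear in the events.
    """
    readers = defaultdict(set)
    for principal, operation, key in events:
        if operation in ("REST.GET.OBJECT", "REST.HEAD.OBJECT"):
            readers[principal].add(key)
    return dict(readers)


def unexpected_readers(events, known_principals):
    """Principals that read exposed objects and are not already accounted for.

    In the incident described by the article this set was reported as empty
    once the researcher's own access was in known_principals.
    """
    return sorted(set(readers_by_principal(events)) - set(known_principals))


if __name__ == "__main__":
    events = access_events(SAMPLE_LOG, "exports/district_42/")
    known = {"anonymous@198.51.100.23"}  # constructed: the reporting researcher's address
    for principal, keys in sorted(readers_by_principal(events).items()):
        print(f"{principal}: read {len(keys)} exposed object(s)")
    print("unexpected readers:", unexpected_readers(events, known))
```

The check keys on HTTP status rather than on the operation name alone: a 403 on an exposed key after the fix is evidence the fix worked, not evidence of disclosure. Anonymous readers can only be distinguished by source address, which is why confirming "nobody other than the one researcher" depends on the researcher disclosing the address they used.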
Vickery provided a sworn affidavit to Schoolzilla stating that all data from the incident has been deleted, the district said. He is described online as a "white hat security researcher" — a person who identifies weaknesses in systems and alerts their owners so they can secure them.
"The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion," Vickery wrote in his blog post.
The district has received assurances that the data-reporting platform put in place this fall to replace Schoolzilla, the Santa Clara County Office of Education's DataZone, is secure and cannot be accessed in the same way, Kolar said.
The district is now talking with other vendors about "safeguards to protect your personal information," the district wrote to parents. The district has also contacted the U.S. Department of Education's Privacy Technical Assistance Center for further guidance.
"While this situation is undesirable and unfortunate, it is an opportunity to remind ourselves about important steps we can take to protect our personal data every day," the district said. "Consider a family plan for digital privacy and protection and talk to your children about these important issues."
The data breach will be reported to the California Attorney General for further investigation, the district said.
As required by state law, the district will also be sending notifications via mail to all students who were affected by the breach, Kolar said.
The district encouraged parents to contact either the district or Schoolzilla with any questions. Kolar can be emailed at firstname.lastname@example.org or Chief Technology Officer Derek Moore at email@example.com. Schoolzilla can be reached at firstname.lastname@example.org.