
PAUSD student data exposed in breach

'White hat' security researcher accesses school records

The names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district were accessed by a well-known computer security researcher targeting a former vendor of the district, the school district announced in a message to parents Thursday afternoon.

Earlier this month, the security researcher, Chris Vickery, accessed the student records on vendor Schoolzilla's cloud storage, which had been mistakenly configured for public access, and was able to download data impacting 1.3 million students, he wrote in a blog post describing the breach.

The data included Social Security numbers for other students, but not in Palo Alto Unified, according to the district. Some Palo Alto parent names were accessed but no additional parent information, the district said Thursday.

Nearly 14,000 unique students were affected, both current and past students, because scores on state assessments going back several years were accessed, Chris Kolar, the district's director of research and assessment, told the Weekly. Vickery was able to access student test scores from the California Assessment of Student Performance and Progress, the California High School Exit Examination and the California English Language Development Test, according to the district.

The CAHSEE data went back to 2010, Kolar said.

Schoolzilla CEO Lynzi Ziegenhagen wrote in an email to the district, provided to the Weekly, that the company will not publicly disclose how many or which of its customers were affected by the breach.

The district had contracted with Oakland-based Schoolzilla for a year, from May 2015 through May 2016, to provide data reporting services. Schoolzilla notified the district last week that "there had been unauthorized access to its network and data," the district said.

After learning of the breach, Schoolzilla "immediately fixed the error, verified via log files that nobody other than the one security researcher accessed those exposed files, and ensured that the security researcher who discovered and alerted us to this vulnerability permanently and securely deleted the data," the district said.

Vickery provided a sworn affidavit to Schoolzilla stating that all data from the incident has been deleted, the district said. He is described online as a "white hat security researcher" — a person who identifies weaknesses in systems and alerts their owners so they can secure them.

"The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion," Vickery wrote in his blog post.

The district has received assurances that the data-reporting platform put in place this fall to replace Schoolzilla, the Santa Clara County Office of Education's DataZone, is secure and cannot be accessed in the same way, Kolar said.

The district is now talking with other vendors about "safeguards to protect your personal information," the district wrote to parents. The district has also contacted the U.S. Department of Education's Privacy Technical Assistance Center for further guidance.

"While this situation is undesirable and unfortunate, it is an opportunity to remind ourselves about important steps we can take to protect our personal data every day," the district said. "Consider a family plan for digital privacy and protection and talk to your children about these important issues."

The data breach will be reported to the California Attorney General for further investigation, the district said.

As required by state law, the district will also be sending notifications via mail to all students who were affected by the breach, Kolar said.

The district encouraged parents to contact either the district or Schoolzilla with any questions. Kolar can be emailed at ckolar@pausd.org or Chief Technology Officer Derek Moore at dmoore@pausd.org. Schoolzilla can be reached at security@schoolzilla.com.


Comments

10 people like this
Posted by JA3+
a resident of Crescent Park
on Apr 20, 2017 at 4:07 pm

"The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion ..."

Does Schoolzilla's failure to securely configure its database software violate FERPA (the Family Educational Rights and Privacy Act)? Does Vickery's download into local storage -- confirmed via his statement, quoted in the article above -- violate the same?


28 people like this
Posted by Resident
a resident of Another Palo Alto neighborhood
on Apr 20, 2017 at 5:38 pm

Students and former students, parents were notified. As a parent of a former PAUSD student, I have not been informed.

How far back do these former students have to be concerned? How will they send information to parents of former students who have moved away?


19 people like this
Posted by another former PAUSD parent
a resident of College Terrace
on Apr 20, 2017 at 11:02 pm

My child also attended PAUSD (Jordan and Paly) until 2015, and I have not received any notification that his info was accessed in the data breach.


21 people like this
Posted by Former PAUSD parent
a resident of Charleston Meadows
on Apr 21, 2017 at 10:20 am

Both of my children attended PAUSD; one until 2012. We have not been notified of the data breach. This is unacceptable.


9 people like this
Posted by JA3+
a resident of Crescent Park
on Apr 21, 2017 at 10:32 am

"The data breach will be reported to the California Attorney General for further investigation, the district said."

I'd be very interested in seeing Ms. Kadvany follow up, at some reasonable future date, with the State AG on this matter. To me, both this data breach -- caused, it appears, solely by Schoolzilla's failure to secure its Amazon S3 database -- and the related download by Mr. Vickery are not matters to be taken lightly. I sincerely hope the State AG inquires further, if for no other reason than to greatly diminish the likelihood of a future breach or download of any student data in the future in the State.


8 people like this
Posted by Somebody ...
a resident of Old Palo Alto
on Apr 21, 2017 at 10:43 am

Hard times for Palo Alto School District; it is like all problems and mistakes are lining up to take a turn! I remember when they used to be one of the "Best"! They should hire a "Witch" with very good witchcraft to clean the bad vibes!


7 people like this
Posted by Mayfield Child
a resident of Green Acres
on Apr 22, 2017 at 8:23 am

Cream of the crop for hackers... years' worth of better than slim pickings here. Sad for our children, wonder how long before the damage will be in force against the lucky ones chosen... :( :(


6 people like this
Posted by and another
a resident of Midtown
on Apr 22, 2017 at 11:18 pm

Two kids in the district until 2016. No notifications. Not surprised.


4 people like this
Posted by Silver lining
a resident of Another Palo Alto neighborhood
on Apr 23, 2017 at 12:45 am

Dear Researcher,
Please contact me, I would like our records, since the district does not answer data requests it doesn't want to.


8 people like this
Posted by Growling
a resident of Palo Alto High School
on Apr 23, 2017 at 11:27 am

Sounds just like the Storm Drain Tax ballot for homeowners only that about one-fourth of homeowners did not receive!!!


8 people like this
Posted by Former Family
a resident of Duveneck/St. Francis
on Apr 23, 2017 at 11:41 am

When were they going to inform past students about the breach? With three children who went all the way through PAUSD, no one has contacted us. We had to learn about it here. VERY DISAPPOINTED!!!


1 person likes this
Posted by insecure security tests
a resident of Fairmeadow
on Apr 24, 2017 at 10:35 am

They report that access logs for the cloud data show it was only accessed by the security researcher. But, what assurance do we have that the security researcher's computer wasn't, itself, breached -- and therefore a path 'out' for the data?


Like this comment
Posted by Curmudgeon
a resident of Downtown North
on Apr 24, 2017 at 8:23 pm

"what assurance do we have that the security researcher's computer wasn't, itself, breached -- and therefore a path 'out' for the data?"

Ask the Whitehat.

It's likely far greater than any assurance you have for the computer you sent that message from.

