
PAUSD student data exposed in breach

'White hat' security researcher accesses school records

by / Palo Alto Weekly

Uploaded: Thu, Apr 20, 2017, 3:41 pm

The names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district were accessed by a well-known computer security researcher targeting a former vendor of the district, the school district announced in a message to parents Thursday afternoon.

Earlier this month, the security researcher, Chris Vickery, accessed the student records on vendor Schoolzilla's cloud storage, which had been mistakenly configured for public access, and was able to download data impacting 1.3 million students, he wrote in a blog post describing the breach.

The exposed data included Social Security numbers for students in other districts, but not for Palo Alto Unified students, according to the district. Some Palo Alto parent names were accessed but no additional parent information, the district said Thursday.

Nearly 14,000 unique students were affected, both current and former students, because scores on state assessments going back several years were accessed, Chris Kolar, the district's director of research and assessment, told the Weekly. Vickery was able to access student test scores from the California Assessment of Student Performance and Progress, the California High School Exit Examination and the California English Language Development Test, according to the district.

The CAHSEE data went back to 2010, Kolar said.

Schoolzilla CEO Lynzi Ziegenhagen wrote in an email to the district, provided to the Weekly, that the company will not publicly disclose how many or which of its customers were affected by the breach.

The district had contracted with Oakland-based Schoolzilla for a year, from May 2015 through May 2016, to provide data reporting services. Schoolzilla notified the district last week that "there had been unauthorized access to its network and data," the district said.

After learning of the breach, Schoolzilla "immediately fixed the error, verified via log files that nobody other than the one security researcher accessed those exposed files, and ensured that the security researcher who discovered and alerted us to this vulnerability permanently and securely deleted the data," the district said.
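Both halves of that statement, the storage "mistakenly configured for public access" and the claim that log files show nobody else read the exposed files, are things a practitioner would verify with code rather than take on assurance. The following is an added example and is not code from the article, Schoolzilla or the district. The article says only "cloud storage"; a commenter below identifies it as Amazon S3, so the example assumes S3-style server access logs and bucket policy/ACL documents in the shape boto3's get_bucket_policy and get_bucket_acl return. The bucket name, owner ID, policy, ACL and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Leading fields of an Amazon S3 server access log record:
# owner bucket [time] remote_ip requester request_id operation key "request_uri" status error bytes_sent ...
# requester is the caller's canonical user ID, or "-" when the request was unauthenticated.
_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<remote_ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+)'
)


def parse_record(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_object_reads(log_lines):
    """Group successful object downloads by (remote IP, requester).

    Listings, writes and denied requests are skipped, so the result is the set
    of actors that actually obtained object contents; a requester of "-" means
    the download needed no credentials at all.
    """
    reads = defaultdict(lambda: {"keys": set(), "bytes": 0, "anonymous": False})
    for line in log_lines:
        rec = parse_record(line)
        if rec is None or rec["operation"] != "REST.GET.OBJECT" or rec["status"] != "200":
            continue
        entry = reads[(rec["remote_ip"], rec["requester"])]
        entry["keys"].add(rec["key"])
        if rec["bytes_sent"] != "-":
            entry["bytes"] += int(rec["bytes_sent"])
        entry["anonymous"] = rec["requester"] == "-"
    return dict(reads)


# ACL grantee groups that make a grant effectively public (anyone on the internet,
# or anyone holding any AWS account).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def public_read_statements(policy):
    """Sids of Allow statements granting object reads to every principal.

    Condition, NotAction/NotPrincipal and Deny are not evaluated: a hit is a
    candidate for review, not proof of exposure.
    """
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and everyone and READ_ACTIONS.intersection(actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """Permissions a bucket ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


# Constructed sample data (not from the incident): a bucket policy and ACL in the
# shape returned by boto3's get_bucket_policy/get_bucket_acl, and five log lines.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "OpsWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-exports/*"}]}
SAMPLE_ACL = {"Owner": {"ID": "OWNEREXAMPLE"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNEREXAMPLE"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_LOG = """\
OWNEREXAMPLE example-exports [06/Apr/2017:02:11:31 +0000] 203.0.113.7 - 3E57427FEXAMPLE REST.GET.OBJECT exports/a/students.csv "GET /exports/a/students.csv HTTP/1.1" 200 - 1048576 1048576 50 10 "-" "python-requests/2.13.0" -
OWNEREXAMPLE example-exports [06/Apr/2017:02:11:40 +0000] 203.0.113.7 - 7A2F01D1EXAMPLE REST.GET.OBJECT exports/b/students.csv "GET /exports/b/students.csv HTTP/1.1" 200 - 524288 524288 40 8 "-" "python-requests/2.13.0" -
OWNEREXAMPLE example-exports [06/Apr/2017:02:12:02 +0000] 203.0.113.7 - 9C1D33AAEXAMPLE REST.GET.BUCKET - "GET /?prefix=exports/ HTTP/1.1" 200 - 3221 - 12 11 "-" "python-requests/2.13.0" -
OWNEREXAMPLE example-exports [06/Apr/2017:03:00:15 +0000] 198.51.100.22 OWNEREXAMPLE 1B2C3D4EEXAMPLE REST.PUT.OBJECT exports/a/students.csv "PUT /exports/a/students.csv HTTP/1.1" 200 - - 1048576 60 20 "-" "aws-cli/1.11.0" -
OWNEREXAMPLE example-exports [07/Apr/2017:09:30:00 +0000] 192.0.2.45 - 5F6E7D8CEXAMPLE REST.GET.OBJECT exports/a/students.csv "GET /exports/a/students.csv HTTP/1.1" 403 AccessDenied 243 1048576 5 4 "-" "Mozilla/5.0" -
"""

if __name__ == "__main__":
    print("public policy statements:", public_read_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    for (ip, requester), info in summarize_object_reads(SAMPLE_LOG.splitlines()).items():
        who = "anonymous" if info["anonymous"] else requester
        print(f"{ip} ({who}) read {len(info['keys'])} objects, {info['bytes']} bytes")
```

On the constructed sample the log summary reports a single anonymous reader that downloaded two objects; the listing, the owner's upload and the denied request after the fix drop out. Two caveats a practitioner would apply to Schoolzilla's statement: S3 server access logging is off by default and delivered on a best-effort basis, so "nobody else appears in the logs" is only meaningful if logging was enabled for the whole window the bucket was public; and the policy/ACL checks above flag candidates only, since a Condition element can narrow a Principal "*" statement and a Deny can override it. In the constructed policy the "PublicRead" statement plus the AllUsers READ grant on the ACL together are what let an unauthenticated client both list and fetch the exports.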

Vickery provided a sworn affidavit to Schoolzilla stating that all data from the incident has been deleted, the district said. He is described online as a "white hat security researcher" — a person who identifies weaknesses in systems and alerts their owners so they can secure them.

"The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion," Vickery wrote in his blog post.

The district has received assurances that the data-reporting platform put in place this fall to replace Schoolzilla, the Santa Clara County Office of Education's DataZone, is secure and cannot be accessed in the same way, Kolar said.

The district is now talking with other vendors about "safeguards to protect your personal information," the district wrote to parents. The district has also contacted the U.S. Department of Education's Privacy Technical Assistance Center for further guidance.

"While this situation is undesirable and unfortunate, it is an opportunity to remind ourselves about important steps we can take to protect our personal data every day," the district said. "Consider a family plan for digital privacy and protection and talk to your children about these important issues."

The data breach will be reported to the California Attorney General for further investigation, the district said.

As required by state law, the district will also be sending notifications via mail to all students who were affected by the breach, Kolar said.

The district encouraged parents to contact either the district or Schoolzilla with any questions. Kolar can be emailed at ckolar@pausd.org or Chief Technology Officer Derek Moore at dmoore@pausd.org. Schoolzilla can be reached at security@schoolzilla.com.

Comments

JA3+, Crescent Park
on Apr 20, 2017 at 4:07 pm
10 people like this

"The sheer volume of private student data, including scores and social security numbers for children, convinced me that it should be purged from my storage in an expedited fashion ..."

Does Schoolzilla's failure to securely configure its database software violate FERPA (the Family Educational Rights and Privacy Act)? Does Vickery's download into local storage -- confirmed via his statement, quoted in the article above -- violate the same?


Resident, Another Palo Alto neighborhood
on Apr 20, 2017 at 5:38 pm
28 people like this

Students and former students, parents were notified. As a parent of a former PAUSD student, I have not been informed.

How far back do these former students have to be concerned? How will they send information to parents of former students who have moved away?


another former PAUSD parent, College Terrace
on Apr 20, 2017 at 11:02 pm
19 people like this

My child also attended PAUSD (Jordan and Paly) until 2015, and I have not received any notification that his info was accessed in the data breach.


Former PAUSD parent, Charleston Meadows
on Apr 21, 2017 at 10:20 am
21 people like this

Both of my children attended PAUSD; one until 2012. We have not been notified of the data breach. This is unacceptable.


JA3+, Crescent Park
on Apr 21, 2017 at 10:32 am
9 people like this

"The data breach will be reported to the California Attorney General for further investigation, the district said."

I'd be very interested in seeing Ms. Kadvany follow up, at some reasonable future date, with the State AG on this matter. To me, both this data breach -- caused, it appears, solely by Schoolzilla's failure to secure its Amazon S3 database -- and the related download by Mr. Vickery are not matters to be taken lightly. I sincerely hope the State AG inquires further, if for no other reason than to greatly diminish the likelihood of a future breach or download of any student data in the future in the State.


Somebody ..., Old Palo Alto
on Apr 21, 2017 at 10:43 am
8 people like this

Hard times for Palo Alto School District; it's like all the problems and mistakes are lining up to take a turn! I remember when they used to be one of the "Best"! They should hire a "Witch" with very good witchcraft to clean the bad vibes!


Mayfield Child, Green Acres
on Apr 22, 2017 at 8:23 am
7 people like this

Cream of the crop for hackers...years worth of better than slim pickings here. Sad for our children, wonder how long before the damage will be in force against the lucky ones chosen.......................:( :(


and another, Midtown
on Apr 22, 2017 at 11:18 pm
6 people like this

Two kids in the district until 2016. No notifications. Not surprised.


Silver lining, Another Palo Alto neighborhood
on Apr 23, 2017 at 12:45 am
4 people like this

Dear Researcher,
Please contact me, I would like our records, since the district does not answer data requests it doesn't want to.


Growling, Palo Alto High School
on Apr 23, 2017 at 11:27 am
8 people like this

Sounds just like the Storm Drain Tax ballot for homeowners only that about one-fourth of homeowners did not receive!!!


Former Family, Duveneck/St. Francis
on Apr 23, 2017 at 11:41 am
8 people like this

When were they going to inform past students about the breach? With three children who went all the way through PAUSD, no one has contacted us. We had to learn about it here. VERY DISAPPOINTED!!!


insecure security tests, Fairmeadow
on Apr 24, 2017 at 10:35 am
1 person likes this

They report that access logs for the cloud data show it was only accessed by the security researcher. But, what assurance do we have that the security researcher's computer wasn't, itself, breached -- and therefore a path 'out' for the data?


Curmudgeon, Downtown North
on Apr 24, 2017 at 8:23 pm

"what assurance do we have that the security researcher's computer wasn't, itself, breached -- and therefore a path 'out' for the data?"

Ask the Whitehat.

It's likely far greater than any assurance you have for the computer you sent that message from.

