UPDATE: The district said Friday that is continuing its investigation, including following up on some leads, but believes the scope of the breach is limited to the initial data reported.
The school district said it is investigating a data breach at Palo Alto High School after discovering a "rogue website" Thursday that exposed student names, identification numbers and grade point averages.
Staff were notified about the website Thursday morning. A screenshot of the website posted by student news outlet The Paly Voice shows a page titled "paly rankcheck" that invites students to "check your weighted GPA and rank relative to your class" with their student and Infinite Campus IDs.
The district said in a statement that it believes names, student numbers and GPA values have been exposed for current Paly sophomores, juniors and seniors.
After determining that at least some of the information on the website was legitimate, the district immediately took several steps to address the breach. The district worked with its web hosting provider to take the website offline and is reviewing Infinite Campus access logs for any "suspicious activity." The district also temporarily disabled all data integrations with third-party systems.
Staff members with access to the disclosed information are resetting their passwords, the district said.
District staff also contacted local law enforcement and the U.S. Department of Education's Privacy Technical Assistance Center.
The district is asking community members to share any information they may have that can assist the investigation via phone at 650-833-4243, email Chief Technology Officer Derek Moore at firstname.lastname@example.org or anonymously via a website feedback form.
The district said it will release more information regarding the breach as it becomes available. Updates will be posted on the district website at www.pausd.org as well as physically mailed to students' homes, as required by California law.
In April, personal information for nearly 14,000 current and former students in the district were accessed by a well-known computer security researcher targeting a former vendor of the district.