I don’t mean for this sort of thing to become my beat, but it is very much of interest to me, and should be of interest to you.
Pearland ISD has notified current and former students that their private information may have been stolen during a data security breach last year, which may have affected as many as 55,000 students from as far back as 2014.
Pearland ISD officials have verified that private information, including birth dates, addresses, medical information, and social security numbers, may have been accessed by unauthorized individuals through a breach of its online security.
At this time, the school district has no evidence that the information itself has been misused.
The district began investigating the incident when unusual activity was detected within its computer network on Nov. 8, 2022.
The breach was confirmed April 18, and the district finished reviewing the accessed data and identified the affected parties on May 18. Those individuals were notified via the mail early last week.
In letters sent to impacted individuals, the district offered to provide 12 months of credit and identity protection services as well as indicated it is taking steps to improve its cybersecurity.
Nice. Here’s some more info on what happened.
Pearland ISD is alerting parents and others associated with the district that parties responsible for a recent breach of its computer system may try to contact them.
In a video statement released on the district’s website, Superintendent Larry Berger said that an ongoing investigation shows no evidence so far that any sensitive information had been accessed by anyone outside of the district.
However, he said the district is alerting the community that “unauthorized actors” who caused the problem may try to contact residents regarding the matter.
[…]
The breach was detected Nov. 8 when the district noticed what it described as “unusual activity” within its computer network that were affecting operations including Skyward, a system that provides communication access to families and students.
Through an investigation by an independent cybersecurity firm, the district confirmed that parties had gained access into its system to disrupt daily operations.
OK, not really a whole lot more info. I can infer a couple of things. This was an intrusion, the result of attackers getting access to one or more accounts on the Pearland ISD network, and then likely exploring from there, maybe gaining access to other accounts and systems, and in the end stealing a bunch of data. The point of entry could be the result of someone clicking on a link or attachment in a phishing email, or it could be a credential stuffing attack like what DPS suffered a couple of months ago. The “unusual activity” could have been the attackers running hacker tools like password crackers, or perhaps this was the data exfiltration, in which the large amount of data taken tripped the alarms. It’s almost a 100% bet that the first account that was compromised used one-factor authentication – that is, just a password with no token or smart card or other second logon item.
The fact that the attackers were able to get data going back to 2014 means that data was available on the Pearland ISD network. This may be because the state mandates a data retention policy of at least ten years, or it may be that there aren’t any data retention policies (or that Pearland ISD was bad at following them) and so that was what they had. As with the one-factor authentication, that’s a risk that the Pearland ISD and other government agencies really ought to take into account. There can be valid reasons why they keep data like that around for that long – as noted, it may be required by law – but it still needs to be taken into account.
Everything I’ve written here is my speculation, and I could be off base in a number of ways. What I know I’m right about is that all kinds of state and local government entities are not up to speed on cyber security, and that it’s going to take a lot of resources we’re currently not budgeting for to deal with it. Until then, this will be a recurring story.