Aside from the Healthcare Industry that focuses its funding towards its hospital services to the patients, public schools also do the same – the focus is their interest in educating young people. The idea of having a cyber attack-ready computing infrastructure is not even on the radar, as it is not part of the funding public schools receive from their host, the government. Hence, public schools are one of the most vulnerable sectors to data breaches, malware infection, cyber espionage, phishing and other forms of cyber attacks. Compared to the more well-funded sectors like the banking industry or the Tech sector, who will bother to fund public schools in order to become a little more “hack-resistant”?
That is the exact problem that Paterson Public Schools is facing since October 2018, as the Educational firm became a victim of a massive data breach from last year, but only revealed recently, costing the school to lose 23,103 user credentials of both students and faculty. The user information that is associated with the user credentials are the following:
- Email usernames and passwords
- Windows Domain login accounts
- Local laptop usernames and passwords
The still unknown attacker was able to collect all the mentioned data in a 116,000-line text file. The authorities are still investigating if the lost data went to the Dark Web or a remote private server elsewhere. It was only till Monday, May 13 when the school president and other school officials were made aware of the incident. Some stolen account credentials have elevated privileges, like those used by the teachers, school administrators and the school superintendent herself.
“What! How does that even happen? This is the first time I’m hearing about this. It leads you back to all of our personnel and confidential information,” remarked Oshin Castillo, the School Board President. It is not yet clear from the initial disclosure if the school’s financial records were also exposed, but definitely the elevated privilege of some accounts that were stolen have enough permission to open highly confidential school files stored in the Paterson Public School’s network.
“We’re on it. We need to dive into this and see what we can come up with,” commented the School Superintendent, Eileen Shafer. The Paterson school’s spokesperson, Paul Brubaker revealed that the passwords of users were only encrypted using a weak cipher, it may be no-brainer for a persistent hacker to crack the encryption, revealing the actual text-version of the entire user credentials they have stolen.
“It means someone got into the system. That’s a lot of information. If it’s that many, it must include student accounts. Unfortunately, people use the same passwords. It sounds like they are in the network and they are on the servers. Or they are on the network and they are capturing the information,” emphasized Kenneth Simmons, Chairman of Paterson’s Technology Committee.
Apparently, a person with elevated privilege in the network was phished by an outsider, and through the use of the stolen account were able to extract account credentials which reached 23,103 in total. It is very clear from the initial reaction of the School Board President of being unaware of the cybersecurity risks that the school’s network was having. Aside from untrained employees, the leadership’s cybersecurity knowledge gap proves something is wrong with the IT policy implemented in the mentioned educational institution.