After targeting Schoolzilla, a former data warehouse platform of the Palo Alto Unified School District (PAUSD), a computer security researcher found the personal information of about 14,000 current and previous PAUSD students was exposed, as announced by the District last Thursday.
The information included students’ names, school ID numbers, addresses, dates of birth, genders, test scores and information about 504 plans. Additionally, the data included the names of some parents in the District, according to the District.
Along with a notification of the leak to all PAUSD families via email, families with information in the leak will receive a letter in the mail informing them of their situation. California law requires the District to send the notice in the mail, according to Derek Moore, the District’s Chief Technology Officer.
The District decided to enact the regular data breach protocol because the security researcher who accessed the unsecured data, Chris Vickery, was not commissioned to access the data by either the District or Schoolzilla, according to Moore.
Vickery said in a blog post that 1.3 million students had information that was exposed during his targeting of Schoolzilla. Schoolzilla secured the information soon after Vickery reported it, the company said.
Vickery said in his blog post that the “sheer volume” of student information he accessed convinced him to purge it from his storage in an “expedited fashion.” MacKeeper Security describes Vickery’s role as assisting companies in “plugging serious data exposure vulnerabilities.”
Schoolzilla confirmed to the District that the only external user in their past data logs was Vickery, according to Moore.
The District also said in a letter to parents that Vickery provided a sworn affidavit to Schoolzilla declaring he had deleted all of the data he accessed in the incident.
Social Security numbers, California ID numbers and driver’s license numbers were not exposed in the breach, as PAUSD does not collect any of that information from families, according to the District.
According to Moore, Schoolzilla informed the District about the breach later than other users of the platform because PAUSD no longer uses the company’s services and Schoolzilla did not intend to still have the District’s student data.
“It wasn’t until [Schoolzilla] did further research that they figured out our data was still exposed there,” Moore said.
Schoolzilla was supposed to delete the District’s student data after PAUSD terminated its contract with the company in May 2016.
“This is a very unfortunate and serious mistake that [Schoolzilla] made. But they have been very forthcoming — even telling us the mistake was made.”
Derek Moore, PAUSD Chief Technology Officer
In an email sent to parents the District said, “We are continuing to dialog with our vendors regarding the implementation of safeguards to protect your personal information.”
The email also said the District has reported the incident to the California Attorney General and has contacted the US Department of Education’s Privacy Technical Assistance Center for “further guidance.”
“We have been taking those steps,” Moore said. “However, because of this incident we’re also … going above and beyond.”