Attacker promises ‘data was not disseminated or sold to anyone’

Dallas Independent School District reports data breach impacting current and former students, staff

The Dallas Independent School District (Dallas ISD) has disclosed a data breach exposing sensitive personal data belonging to students and employees enrolled or employed since 2010.

“An unauthorized third party accessed our network, downloaded data, and temporarily stored it on an encrypted cloud storage site,” Dallas ISD said in a data breach notice published yesterday (September 2).

Upon learning of the incident on August 8, Dallas ISD said it launched an investigation, implemented “additional security measures” and “addressed specific vulnerabilities that were exploited during this event”.


It added: “We confirmed that the unauthorized third party removed the data from the encrypted cloud storage site and has informed us the data was not disseminated or sold to anyone.”

The public school district said that although no evidence of data misuse or fraud had surfaced so far, it could not be “100 percent certain until additional forensic analysis is completed”.

Stolen data

Dallas ISD operates 230 schools in North Central Texas that collectively teach 153,861 students.

Impacted parties include students, along with their parents or guardians, and employees and contractors who have been enrolled or employed by the organization since 2010.

Stolen data belonging to employees or contractors included first and last names, addresses, phone numbers, Social Security numbers, dates of birth, dates of employment, salary information, and reasons for ending employment.

Data pertaining to students comprised first and last names, Social Security numbers, dates of birth, parent or guardian contact information, and grades.

Custody status and/or medical condition data were also involved for some students.

‘Comprehensive review’

The district said it is notifying affected individuals, giving them access to 12 months of credit monitoring and ID theft recovery services, and posting a hotline number today (September 3) that will field questions from potentially affected individuals.

Federal law enforcement authorities have also been notified, it said.

“We take this matter very seriously and have invested significant resources to protect sensitive data,” reads the breach alert. “Despite our efforts, the district is now one of a growing number of public and private organizations experiencing cyberattacks.”

It added: “The district is conducting a comprehensive review of its systems and implementing additional security measures. We are confident these changes will decrease the possibility of a future incident.”
