[BreachExchange] Paterson: 23,000 school district passwords stolen in data breach

Destry Winant destry at riskbasedsecurity.com
Tue May 14 09:11:14 EDT 2019


http://patersontimes.com/2019/05/13/paterson-23000-school-district-passwords-stolen-in-data-breach/

A massive data breach has struck the Paterson Public Schools, claiming
23,103 account passwords and other computer access tokens, according
to information reviewed by the Paterson Times over the weekend.

Information stolen in the breach includes desktop logins, email
usernames and passwords, and laptop credentials. For example, the
email usernames and passwords of all school district employees —
including that of the superintendent, administrators, teachers, and
other staff members — were dumped, deposited into a file that runs
more than 116,000 lines.

It’s not clear whether the hacked information has been published on
the dark web, a shadowy part of the internet that is accessed using
specialized software and is used by cyber criminals (black hat
hackers, drug dealers, arms smugglers, and other unsavory actors) to
trade stolen information.

School district officials were unaware of the breach until Monday morning.

“What! How does that even happen?” remarked a shocked school board
president Oshin Castillo. “This is the first time I’m hearing about
this.”

Castillo wondered whether the district’s financial information, like
bank account credentials, was stolen in the breach. There’s no
indication financial data were stolen; however, if bank account
details were on computer files, the perpetrator may have access to that
information.

“It leads you back to all of our personnel and confidential
information,” said Castillo. She said she has to speak to
superintendent Eileen Shafer and her staff to find out more
information about the breach.

“We’re on it,” said Shafer on Monday morning. “We need to dive into
this and see what we can come up with.”

“District officials are looking into the situation to verify whether
there is a problem,” said Paul Brubaker, spokesman for the Paterson
Public Schools.

The stolen account usernames are in plain text while the passwords are
encrypted, according to reviewed information. However, the encryption
is weak and relatively simple to reverse to obtain the plain
passwords. The Paterson Times tested and verified some of the
credentials which remain valid.

For example, Brubaker, the district spokesman, who sought evidence of
the hack, was provided one confidential secretary’s username and
reversed password that allows access to her Microsoft Outlook email
inbox and district workstation.

“It means someone got into the system. That’s a lot of information,”
said school board member Kenneth Simmons, chairman of the technology
committee. “If it’s that many, it must include student accounts.”

Simmons, who has a background in information technology (IT), said the
hacker must have gotten access to one or more district servers. He was
puzzled about the theft of email account usernames and passwords. He
pointed out the district uses Office 365, a cloud email system.
However, employees use email credentials to log on to computers in the
district.

“Unfortunately, people use the same passwords,” said Simmons. He said
the district should have had a policy to require strong passwords and
force a 90-day password reset on all users.

It’s not clear how the perpetrator gained access to the district’s system.

“It sounds like they are in the network and they are on the servers.
Or they are on the network and they are capturing the information,”
said Simmons.

The perpetrator contacted the Paterson Times on Thursday using a
fictitious email account. The email claimed the individual had access
to “all information systems” in the district. The first email was
ignored.

A follow-up came on Saturday. The perpetrator tried to burnish his or
her credibility by offering to provide proof.

The Paterson Times sought evidence. The perpetrator provided
screenshots of two district employees’ Outlook email inboxes. The
individual also provided other information that demonstrated he or she
had credentials of tens of thousands of district accounts, including
those of former employees.

The individual sought to sell the stolen data to the Paterson Times,
but was rebuffed. The 23,103 passwords were stolen in October 2018,
the individual said in an email. However, the person indicated having
continued access to district systems.

The perpetrator was spooked when told the information provided would be
used for a news story. The last email to the actor was returned as
“undeliverable.” The body of the returned email stated the reason:
“Recipient address rejected: this address does not exist.”

The email credentials of Castillo, Shafer, Simmons, and Brubaker were
among those stolen in the breach.

“This is kind of scary,” said Simmons.

