[BreachExchange] Downingtown Area School District uncovers data breach

Destry Winant destry at riskbasedsecurity.com
Mon Oct 21 10:14:05 EDT 2019


https://www.dailylocal.com/news/local/downingtown-area-school-district-uncovers-data-breach/article_92f154da-f1a6-11e9-bd3c-ff5de7cc2f31.html

DOWNINGTOWN — Downingtown Area School District officials have been
alerted to a potential attack on Naviance accounts used by high school
students. Naviance is a college and career resource website that
assists students in aligning their strengths and interests to their
post-secondary goals.

“We understand that this information is deeply disturbing,”
Superintendent Emilie Lonardi said. “The highest priority is our
students - their safety, their education and supporting their needs.
DASD takes the responsibility to gather and store student and family
information seriously. Modifications have and will continue to be made
to our internal practices and the district plans to conduct internal
training beyond the normal, ongoing training.”

Upon notification, the technology department immediately began an
investigation and since then has been working with administration and
communicating with local law enforcement to clarify details and
determine the extent of this attack.

It has been determined that through illicit means, the perpetrators
obtained teacher-level access to DASD accounts. Using unethical coding
methods, they were able to exploit DASD systems and extract student
profile information for the entirety of DASD’s student population. It
is believed that they collected student IDs, student directory
information, gender, ethnicity, GPA and SAT scores, and household and
non-household relationship information.

No information was altered or manipulated in any way. There are no
social security numbers for students or parents in any DASD systems.
No credit card information is stored in these systems and no credit
card information was compromised. The perpetrators claim the
information was collected to obtain student addresses to gain a
competitive advantage for the senior water games, a game that students
play outside of the school district.

These actions are reprehensible and DASD is taking this attack very
seriously. This is a crime against DASD and, more importantly, a crime
against the DASD student and parent community.

The consequences for these young individuals will likely be severe.
Cyber hacking is a federal crime and DASD is working with the proper
authorities to determine the appropriate discipline and legal
ramifications.

Out of an abundance of caution, all employees will be required to
change their DASD master credentials.

As this is an ongoing investigation, DASD will continue to provide any
pertinent updates as they become available at www.dasd.org.
