[BreachExchange] School District CISO Quits Over Handling of Data Breach

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Feb 8 10:44:39 EST 2022


https://www.databreachtoday.com/school-district-ciso-quits-over-handling-data-breach-a-18475

The chief information security officer for a Dallas-based school district
quit his job over the district's handling of a severe data breach that
occurred in August 2021.

Rajin Koonjbearry was the CISO for the Dallas Independent School District
(ISD), which is the second-largest public school district in Texas with 230
schools and 145,000 students. Koonjbearry submitted his resignation by
email on Oct. 28, writing that he was "afraid the details of the breach
will become public at some point, and Dallas ISD will lose credibility,"
according to a scoop by Tanya Eiserer of local broadcaster WFAA.

The district had been oblique about the cause of the breach, and it's
unclear why. In its public data breach notification, the district said that
"an unauthorized third party accessed the district’s network, downloaded
data and temporarily stored it on an encrypted cloud storage site."

The district's explanation isn't on the mark. If students were involved,
they would be a first party, not a third party. The district also waited
nearly a month before informing the public of the breach, then claimed in a
tweet on Sept. 3, 2021, that it believed in "transparency" around it.

WFAA reports that the students had sent an anonymous email to the district
on Aug. 8, 2021, informing it that they had accessed student grade
information and sensitive personal information for employees, students and
parents. They sent links to the data and also offered their help.

WFAA reports the email read: "We are not professionals, nor do we have any
experience in offensive cybersecurity. We are just two students who were
curious…If you want to hire me, I have no resume, but would be very
interested, thanks."

Federal prosecutors have opted not to press charges against the students,
the broadcaster reports. Dallas ISD says in its notification that it
doesn't believe the data was sold or misused, but it couldn't be certain
until the investigation was complete. It offered those affected free credit
monitoring.

Schools: Insider Threats

WFAA reports that state records show 800,000 records were compromised. The
exposure period started with records created in 2010. The data include
names, addresses, phone numbers, Social Security numbers, dates of
employment, salary information and the reason for the end to employment for
current and former employees and contractors.

For current and former students, it included names, addresses, phone
numbers, Social Security numbers, birth dates, parent or guardian contact
information and even grades. Some students had their custody statuses or
medical conditions exposed.

Communications officials from the district contacted by ISMG did not return
messages seeking comment. Koonjbearry could not be reached for comment.

Schools' electronic systems have always been targets of their own students,
says Doug Levin, national director of K12 Security Information Exchange, a
Washington, D.C.-based organization that helps schools improve their
cybersecurity practices and distributes actionable threat intelligence.
Student hacking has been sensationalized over the decades in movies such as
"War Games" and "Ferris Bueller's Day Off," Levin says.

Levin says schools are facing an ever-increasing number of cyber incidents,
including ransomware attacks and distributed denial-of-service. The Dallas
incident means schools also need to be aware of insider threats, he says.

"I think this story helps illustrate that the threats that schools are
facing are not just external, right, they're also facing threat from
insiders," Levin says. "I would hazard that every school that serves middle
and high school students has one or more tech-savvy students who may be
bored, who are turning their attentions to their school districts' software
and tools."

Levin adds: "Some [students] are going to do things that they will probably
regret later, but could be quite embarrassing to school districts."

Some school districts have been reluctant to share details about
cybersecurity incidents for fear of being targeted again or revealing
weaknesses in their systems. His organization encourages sharing since it
helps other schools defend themselves, and it's possible to share
generalized information in a way that doesn't increase risk.

But Levin asks: "The notion of misleading people who's behind the incident?
Not ideal."