[BreachExchange] Paterson school district spent $13,800 on data breach investigation. But won’t make findings public.

Destry Winant destry at riskbasedsecurity.com
Wed Nov 27 08:55:41 EST 2019


http://patersontimes.com/2019/11/26/paterson-school-district-spent-13800-on-data-breach-investigation-but-wont-make-findings-public/

Superintendent Eileen Shafer’s administration spent $13,816 in public
funds in its investigation of the data breach that claimed tens of
thousands of school district passwords, according to public documents
reviewed by the Paterson Times.

The investigation was conducted by the Pittsburgh, Penn.-based law firm
Eckert Seamans Cherin & Mellott. Public records show the firm began
investigating the data breach three weeks after the Paterson Times
reported on the incident that claimed 23,103 account passwords and
other computer access tokens.

School officials had been unaware of the data breach, which happened
in October 2018, until details of it were published on May 13, 2019.
In a 42-minute conference call on May 29, both the law firm and the
district discussed the scope of the investigation, according to public
records.

By Aug. 28, the law firm produced a legal analysis and a report of the
“cyber incident.” A final report was produced on Sept. 3, according to
records.

School board members were told of the findings in a closed-door
meeting in Sept. One or more students at Eastside High School gained
access to the district’s system via a teacher’s computer to dump the
passwords into a file, according to sources.

Shafer has cited “attorney-client privileged material” to avoid public
disclosure of the investigation findings. Her move is unusual. In the
past, the district has made public investigation reports written by
law firms hired by the district. For example, the findings of the
basketball and the racy Fetty Wap music video filming scandals were
made public. Both investigations were done by law firms.

School board member Kenneth Simmons, chairman of the technology
committee, on Monday morning, said he has yet to see the findings. He
renewed his call on Shafer and her administration to make the findings
public.

“Just let people know, ease their minds,” said Simmons. He said these
breaches are more “prevalent” than ever before. For example, the
Livingston Public School district was crippled by a ransomware hack
this week, he noted.

Some suggested the district is avoiding public disclosure of the
report due to a notice of claim filed by the Paterson Education
Association, the teachers’ union. The claim notice accuses the
district of “wrongful actions” and “inaction” related to the data
breach. It also accuses the district of “negligence” and “invasion of
privacy by public disclosure of private facts” and “failure to destroy
certain records” and “failure to notify explicitly following breach.”

Days after the data breach was exposed, Shafer’s spokesman in a press
release falsely claimed the incident was “unfounded” in the face of
incontrovertible evidence. A school board policy requires the
superintendent, through her public relations office, to provide
“honest, continuous, comprehensive flow of information” to the
community dealing with “problems” and other matters.

Shafer also threatened to sue the Paterson Times for reporting on the
data breach. She later stated she did not intend to sue.

School officials changed all district passwords and instituted a
two-factor authentication policy as part of an effort to secure the
district’s computer systems.

