[BreachExchange] “Aeries Software” Breached and Over 150 School Districts Compromised

Destry Winant destry at riskbasedsecurity.com
Mon Jun 8 10:15:09 EDT 2020


- A security incident has occurred, affecting a large number of US
schools, students, and their parents.
- The problem was a zero-day vulnerability in the Aeries online portal
that has been patched now.
- Parents are now urged to reset their own and their children’s passwords
on the Aeries portal.

There’s a sudden wave of notifications of a breach reaching the
parents of students of about 150 School Districts in the United
States. Examples from the California office of data protection come
from San Bernardino City, Yucaipa-Calimesa, and Rocklin. The
common denominator in all of the cases is the use of the “Aeries”
online student information system and online portal. Apparently,
Aeries discovered that someone gained unauthorized access to their
systems back in November 2019, and accessed student and parent
information stored there. Aeries clarified that the infiltrators
exploited a bug in their systems that they have fixed now.

Along with launching an internal investigation and informing law
enforcement agencies, Aeries has circulated notices to the affected
School Districts. So the students and their parents are only now being
informed about what happened almost seven months ago. As for what
information was exposed to the hackers, it includes the following:

- Parent full name
- Student full name
- Home address
- Phone number
- Email address
- Hashed password

The announcements claim that the passwords are not retrievable or
crackable, so there’s no danger of account takeovers. Still, every
member had their password reset and was provided a temporary password
to access the Aeries platform and set a new password. Only parents can
now complete the “Student Information Update” that is required. You
should not rely on the low chances of anyone putting the time and
effort into deciphering the passwords, so go ahead and reset your
credentials now.

As for the full names, home addresses, phone numbers, and email
addresses that have been leaked and don’t need decrypting, there’s no
resetting these. You should be aware that you may receive phishing or
scamming messages either via email or SMS. If you notice anyone
attempting to misuse your personal information, you are advised to
file an identity theft complaint on the Federal Trade Commission’s
site at “IdentityTheft.gov.” From there, the law enforcement services
will take on an investigation.

Remember, this was not a mistake of your School District, but one that
weighs on Aeries. Still, you may contact your School District and ask for
more information about what to do next. Finally, make sure to ask them
whether they have updated the Aeries software to the latest available
version, so as to prevent a similar incident from occurring again in
the future.
