3 Connecticut School Districts Were Hacked: What You Need To Know
In late July, three Connecticut school districts experienced or became aware of data breaches or cyberattacks. The school districts of New Haven, Wallingford, and Pomfret were affected. NBC Connecticut interviewed Kelser’s George W. Kudelchuk III for a story that covers each of the three school districts.
Kelser President Jim Parise was interviewed for a WFSB Channel 3 story covering the New Haven and Wallingford incidents.
With three school districts affected, tracking the details of each can be difficult. Here’s a breakdown.
New Haven Public School Ransomware Attack
In this case, it is believed that no private information was stolen. The data was simply locked in a ransomware attack designed to extort money from the school district. The attack was successful in getting into the system, but it sounds like there was a backup in place that allowed data to be restored relatively quickly.
As George mentioned in his NBC Connecticut interview, ransomware attacks on schools are “an epidemic.” The Governor of Louisiana recently declared a state of emergency over the issue. Ransomware usually gets into the system through a phishing attack in which an employee unwittingly clicks a malicious link or downloads an attachment sent by a hacker. Once ransomware is in the system, having a reliable backup system—as NHPS appears to have had in this case—is often the difference between losing the data and recovering it.
Wallingford Public Schools Data Breach
Wallingford Public Schools announced their data breach with the following statement:
On July 23, 2019, we received preliminary notice from Pearson Clinical Assessment of a security incident that impacted a limited number of students' directory information, including names and, in some cases, dates of birth and email addresses. The incident did not involve the Social Security number or assessment information of any Wallingford Public Schools student. Pearson has not yet provided to the Wallingford Public Schools a list of impacted students. If your child has been affected by this incident, we will contact you directly via email with additional information.
Wallingford was part of a massive data breach affecting schools across the country through publishing giant Pearson. This is what’s referred to in the industry as a “third-party breach.”
Pomfret Community School Data Breach
Pomfret also experienced a third-party data breach through an unnamed partner organization the school was no longer engaged with. The breach occurred in mid-March and affected data that was more than 5 years old.
What should students and parents do?
Since none of these breaches appear to have compromised Social Security Numbers, financial data, medical data, or other information that could directly be used for identity theft or fraud, students and parents don’t need to worry too much about fallout from these breaches.
The main threat here is that information that was stolen, such as addresses, names and birthdates, can be used in social engineering attacks via email, mail, phone or social media to try to trick people into giving up more valuable data. For instance, a hacker could use knowledge of a student’s data to impersonate a school official and obtain more information. However, this seems unlikely to occur in this case. The best advice for parents and students at these schools is simply to be wary of and verify requests for information coming in any format from any source. This is good advice these days for anyone, really.
How could this have been prevented?
In New Haven’s case, there are tools that use AI to block ransomware when an employee clicks an infected link or attachment. There’s a chance that cybersecurity awareness training could have prevented the employee from clicking a malicious link in the first place.
The best prevention for the third-party breaches in Wallingford and Pomfret likely would have been a closer accounting of which vendors have school data. Since Pomfret hadn’t used the vendor who was compromised in over five years, it might have been prudent to delete the data stored with that vendor.
For Wallingford, whose breach occurred via a very well-known and respected education vendor, there may have been little they could have done to prevent the breach. The blame likely rests solely with Pearson. It comes at a bad time for them as the company is about to phase out print publishing and shift to a purely digital model. Obviously, trust will be important for that next stage, and this incident could put that into question.
As Jim pointed out in his interview with WFSB Channel 3, we could see a time when parents get involved in monitoring how a school is protecting their student data the same way parents engage in other aspects of school policies. With limited public school budgets, implementing airtight security could be difficult for school districts. Here is a list of relatively low-cost measures they may want to consider in the short term.
- Routine cybersecurity training for all employees
- Regular audit of third-party vendors who have access to data
- Deletion of unnecessary or outdated data, both stored on campus and by vendors
- Tools such as Cisco Umbrella to block ransomware attacks
- Policies mandating strong password best practices