Clark County School District Appears To Have Been Pwned

Three weeks after the fifth largest school district in the country became aware of a “cybersecurity incident” and a week after they informed parents and employees, hackers have started leaking 200,000 students’ information and numerous other files with personal information.  

 Since Monday, Nevada’s Clark County School District parents have expressed frustrations about the district’s lack of transparency and have become increasingly concerned about the breach after receiving emails supposedly from the hackers with their children’s personal information. One parent described an email received as:

“Warning me that my children’s information was released or hacked into and it had three PDF files. Each one had my children’s picture, all of their contact information, email addresses, student ID numbers, my information, our address.”  

The files that appeared to be from the district were leaked on a file-sharing site earlier this week, but have since been removed. Student personal information observed in the leaks included:

  • Name
  • Student ID
  • DOB
  • Email addresses
  • Picture
  • Household members
  • Cellphone numbers
  • Race
  • Attendance records
  • Incident reports
  • Medical information

The Clark County School District released a statement saying that it is cooperating with the FBI following a recent cyberattack. This is the district’s second breach in 4 years.

Emily Phelps, Director, Cyware had this comment:
   “Securing sensitive data is complex even under the best conditions. With limited resources, expertise, and support, it becomes daunting. School districts often lack the level of resourcing needed to modernize security programs, but as one of our most critical areas, education must not only begin prioritizing strong security practices, they must be transparent in their communities to build and maintain trust.”

Corey Sinclair, Cyber Threat Intelligence Analyst, follows with this:
   “Schools, and subsequently their students, are the perfect target because they house sensitive personally identifiable information (PII) like names, social security numbers, and medical histories, while largely being underfunded and understaffed in terms of IT infrastructure and expertise.
   “What is done with the PII after it is sold on the black market will largely depend on the age of the students targeted and the time horizon of the cyber threat actors and other criminals. The younger the student, the more time criminals have to build a fake persona that may contain numerous bank accounts, credit cards, passports, &c. When it comes time for the student to actually set up their own bank accounts or apply for credit, they may be unable to do so given the number of actions that have already been completed on their behalf.”

The fact that this school board has been pwned twice in four years should send chills down the spines of parents. Yes it is true that other than health care, education is a prime target for threat actors. But one would have thought that given that this is not a new message, more effort would have been put into making sure that education doesn’t remain a prime target. Clearly based on this example, that’s not the case.

Leave a Reply

%d bloggers like this: