A rogue website exposed several pieces of information pertaining to students who attend a high school in the San Francisco Bay Area. On 5 October, the Palo Alto United High School posted a "Notice of Data Breach" on its website. The message reads as follows:
"Staff was notified this morning about a website that exposed information about Palo Alto High School students' weighted GPAs and class ranks. As soon as we received notice, we immediately invoked the data breach response protocol and began investigating the report. The incident is still under investigation; however, staff has verified at least some of the information generated by the rogue website is legitimate."
Officials have determined that the breach exposed the names, grade point averages (GPAs), and student numbers of those in grades 10-12 at the high school. According to The Mercury News, that information originated from a leak involving Infinite Campus, an educational portal which enables schools to set up learning management systems for all classes. Infinite Campus also stores students' private data, such as their medical records and family information. Palo Alto United High School clarified in an update on 6 October that the incident didn't expose any of those additional pieces of information.
Staff first learned about the rogue website, called "paly rankcheck," on Thursday. Students could "check your weighted GPA and rank relative to your class" by submitting their respective Infinite Campus IDs. They could not look up other students' information unless they knew their credentials.
[Image: A screenshot of a "rogue website" that exposed Paly student names and grade point averages. (Source: The Paly Voice)]
The website went down by noon on 5 October.
This incident is a testament to the growing number and severity of digital threats that now confront educational institutions. Ransomware attackers and other bad actors are going after schools like Palo Alto United because their systems store valuable data. Not only that, but many schools lack the security defenses that organizations in the financial services and healthcare sectors have built up over the past two decades. Pam Dixon, executive director of the San Diego-based World Privacy Forum, notes that schools are often too tempting a target for nefarious individuals online. As she told The Mercury News:
"It’s fantastic if you’re a hacker or marketer — this is golden information.... Classrooms throughout the K-12 system can have all sorts of unsecured laptops and mobile devices,” she said, “and lots and lots of skilled little hackers."
At this time, Palo Alto United is working with law enforcement and the Privacy Technical Assistance Center of the U.S. Department of Education. While their joint investigation of the incident continues, the high school is requiring teachers and staff to reset their passwords. It's also reviewing its Infinite Campus access logs for suspicious activity.