Aeries Student Information System discloses breach (with updates)
Aeries Software recently announced a data breach. I didn’t see it, but a reader kindly stuck it under my cybernose today so that I could share it with you. The software firm’s notice of April 27 applies to hosted customers of their Aeries Student Information System. From their notice:
In late November 2019, Aeries Software became aware of unauthorized attempts to access data through the Aeries SIS. In response, we immediately began an investigation into whether these attempts had been successful and, if so, how they had been accomplished, what impact, if any, they may have had on data, and what steps we could take to thwart future unauthorized access to data through the Aeries SIS using the same or similar means. At the time, internal investigation did not reveal any compromise of the Aeries SIS or data.
Nevertheless, Aeries Software deployed a series of security patches in the December 20, 2019 version of the Aeries SIS which addressed the results of our internal investigation.
Then, in late January 2020, we were informed by a locally hosted District that their database may have been previously subject to unauthorized access, they had informed local authorities, and a criminal investigation was underway. We now understand that the investigation by the authorities is ongoing and we are working closely with local law enforcement and federal authorities as well as the District to determine what transpired, by whom it was perpetrated, and what impact, if any, it may have had on data.
In working with the District and law enforcement officials, in March 2020 we were able to expand our earlier investigation with the new information as to the methods used by the individuals who had accessed data without authorization. Specifically, we determined that the unauthorized access had included Parent and Student Login information, physical residence addresses, emails, and “password hashes.” With access to a password hash, weak, common or simple passwords, can be deconstructed to gain unauthorized access to Parent and Student Accounts. According to the results of our investigation, there is evidence to suggest that your database in our Hosted environment may have been one of 166 databases subject to unauthorized access on or about November 4th, 2019. However, we understand the perpetrators have been taken into custody and the unauthorized access has been terminated.
I cannot find any news coverage of any arrest and emailed Aeries to inquire whether they had any additional info on the perpetrators or arrest, but there was no immediate response to inquiries. This post will be updated if a response is received. (See Update of May 28 below this post)
What Information Was Involved?
At the moment, our investigation has revealed Student Permanent IDs, Parent and Student Login information, physical addresses, emails, and passwords hashes may have been subject to unauthorized access.
For more information from Aeries including recommended steps to protect information, see their full notice.
The following entities have posted notices concerning the incident:
Note of May 28: There has apparently been an arrest in the case, but no details have been provided about the perpetrator yet.
June 2 Update: More districts have sent notifications:
Laguna Beach Unified School District
Central School District
Inglewood Unified School District
Lassen Union High School District
Rocklin Unified School District
Yucaipa-Calimesa Joint Unified School District
San Bernardino City Unified School District