PAUSD student data exposed in Schoolzilla data breach
So we’re beginning to learn a bit more about the Schoolzilla data breach that MacKeeper Security Research Center’s Chris Vickery reported yesterday. Chris had reported that 1.3 million students had their data in the misconfigured Amazon bucket, but he couldn’t be more specific as to where these students came from as he deleted the data when he realized he was dealing with minors. Schoolzilla disclosed the incident on April 12, shortly after Vickery first alerted them.
Today, the Palo Alto Weekly reports that 14,000 of their students had data accessed by Vickery:
The names, addresses, birth dates and test scores of 14,000 current and former students in the Palo Alto school district were accessed by a well-known computer security researcher targeting a former vendor of the district, the school district announced in a message to parents Thursday afternoon.
The data included Social Security numbers for other students, but not in Palo Alto Unified, according to the district. Some Palo Alto parent names were accessed but no additional parent information, the district said Thursday.
Nearly 14,000 unique students were affected — both current and past students, given scores on state assessments going back several years were accessed, Chris Kolar, the district’s director of research and assessment, told the Weekly. Vickery was able to access student test scores from the California Assessment of Student Performance and Progress, the California High School Exit Examination and the California English Language Development Test, according to the district.
Read more on Palo Alto Online. It’s nice to see Vickery described as a “white hat” researcher instead of how some entities have responded to those trying to alert them to problems. That said, this is also a useful reminder that school districts contracting with vendors need to consider how they will ensure that the vendor is really keeping the students’ data secure.