Santa Clara Unified School District (SCUSD) parents are concerned after learning that personal information such as email addresses and passwords was accessed in a data breach. An email sent out by the District on June 17 outlines what happened, but some parents think it was too vague and left more questions than answers.
“The way that the email is written, it doesn’t seem so honest… They should have told us, a long time ago because it’s saying that they had had an incident in November… We’re now in June,” said one concerned parent.
The parent says she noticed the issue in December 2019 when someone entered her Netflix account while she was watching. She says she’s seen changes in multiple accounts since then and she wonders if it’s tied to the data breach.
“How much information did they get now that they’ve had my password for that long? I want to know everything. I want to know the truth. I want to know why,” said the parent.
The breach happened in November 2019. It involved software supplied by Aeries Student Information Systems, a company that operates out of Orange, California. Aeries has told the District that none of the information accessed was misused.
According to the email from SCUSD, the compromised information included student ID numbers, student email addresses, parent email addresses and parent password hashes. A password hash is a scrambled version of a password, produced by a one-way function so that a system can check a password without storing the password itself. The District said in the email that student passwords were also accessed, but it has now determined that student passwords were not compromised.
“The safety and security of our students is our highest priority,” said SCUSD Superintendent Dr. Stella M. Kemp. “Our contracts require our vendors to meet strict state and federal data security requirements and we apply every security patch and update we receive. We have communicated with our students’ families what we can, as soon as we can. We have a longstanding relationship with Aeries, as do hundreds of school districts across California, and the lack of communication we received from Aeries is disappointing and unacceptable.”
According to SCUSD, Aeries did not inform the District that the November 2019 data breach had occurred until March 2020. At that time, Aeries told the District that only one district was affected, not SCUSD.
Aeries issued a security patch to all clients on December 20, 2019. SCUSD says it applied the patch immediately, as it does all security updates.
On April 27, 2020, Aeries sent a notice to all school districts that read in part, “…there is evidence to suggest that your database in our Hosted environment may have been one of 166 databases subject to unauthorized access on or about November 4th, 2019.”
SCUSD says it does not use the Aeries Hosted product and so it did not believe it was a victim of the data breach. After communicating with other districts in May, SCUSD contacted Aeries directly and discovered that the District’s data was accessed.
In its April 27, 2020 notice, Aeries said “…we understand the perpetrators have been taken into custody and the unauthorized access has been terminated.”
This publication contacted Aeries multiple times to request a comment, but received no reply as of press time.
Aeries provides software for hundreds of public school districts in California. It has not said how many districts were impacted by the data breach. A number of districts have also recently sent messages to parents. Local districts include the Mt. Diablo Unified School District and the San Leandro Unified School District, but others may be added to the list soon.
SCUSD says it uses the Aeries software to manage student information including grades, attendance and scheduling. The reports generated by the Aeries system are accepted by the California Department of Education.
SCUSD has reset all of the parent passwords. The District is also looking into further security steps it can take to prevent future data breaches.
“We are working with Aeries to learn what actions they have put in place to ensure this never happens again and if we are not satisfied with their response, we will begin the process of looking for another vendor,” said Dr. Kemp.
Current COVID-19 restrictions may make any system change tougher. If the District were to switch systems, it would have to train all District personnel on the new system.
The District has used the Aeries system since 2008 and had never experienced a data breach until now. The District purchases an annual contract with Aeries.