School District CISO Quits Over Handling of Data BreachNews Report Reveals Two Students Responsible for Massive Breach in Dallas
The chief information security officer for a Dallas-based school district quit his job over the district's handling of a severe data breach that occurred in August 2021.
Rajin Koonjbearry was the CISO for the Dallas Independent School District, which is the second-largest public school district in Texas, with 230 schools and 145,000 students. Koonjbearry submitted his resignation by email on Oct. 28, writing that he was "afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility," according to a scoop by Tanya Eiserer of local broadcaster WFAA.
WFAA also reveals why: The district failed to tell the public that the source for the breach was two of its own students. The news station uncovered the fact through a public records request.
The district had been oblique about the cause of the breach, and it's unclear why. In its public data breach notification, the district said that "an unauthorized third party accessed the district’s network, downloaded data and temporarily stored it on an encrypted cloud storage site."
The district's explanation isn't on the mark. If students were involved, they would be a first party, not a third party. The district also waited nearly a month before informing the public of the breach and then claimed in a tweet on Sept. 3, 2021, that it believed in "transparency" around it.
Dallas ISD recently received notice of a data security incident involving the district's electronic records that may affect former and current students, alumni, parents and district employees.— Dallas ISD (@dallasschools) September 2, 2021
We believe in transparency and will share updates at https://t.co/7WseOaQmvT. pic.twitter.com/eEkWojjAZI
WFAA reports that the students sent an anonymous email to the district on Aug. 8, 2021, informing it that they had accessed student grade information and sensitive personal information for employees, students and parents. They sent links to the data and also offered their help.
WFAA reports the email read: "We are not professionals, nor do we have any experience in offensive cybersecurity. We are just two students who were curious…If you want to hire me, I have no resume, but would be very interested, thanks."
Federal prosecutors have opted not to press charges against the students, the broadcaster reports. Dallas ISD says in its notification that it doesn't believe the data was sold or misused, but it couldn't be certain until the investigation was complete. It offered those affected free credit monitoring.
Schools: Insider Threats
WFAA reports that state records show 800,000 records were compromised. The exposure period started with records created in 2010. The data included names, addresses, phone numbers, Social Security numbers, dates of employment, salary information and the reason for the end to employment for current and former employees and contractors.
For current and former students, it included names, addresses, phone numbers, Social Security numbers, birthdates, parent or guardian contact information and grades. Custody statuses or medical conditions were also exposed for some students.
Communications officials from the district contacted by ISMG did not return messages seeking comment. Koonjbearry could not be reached for comment.
Schools' electronic systems have always been targets of their own students, says Doug Levin, national director of K12 Security Information Exchange, a Washington, D.C.-based organization that helps schools improve their cybersecurity practices and distributes actionable threat intelligence. Student hacking has been sensationalized over the decades in movies such as "War Games" and "Ferris Bueller's Day Off," Levin says.
Levin says schools are facing an ever-increasing number of cyber incidents, including ransomware attacks and distributed denial-of-service attacks. The Dallas incident means schools also need to be aware of insider threats, he says.
"I think this story helps illustrate that the threats that schools are facing are not just external. They're also facing threat from insiders," Levin says. "I would hazard that every school that serves middle and high school students has one or more tech-savvy students who may be bored, who are turning their attentions to their school districts' software and tools."
Levin adds: "Some [students] are going to do things that they will probably regret later but could be quite embarrassing to school districts."
Some school districts have been reluctant to share details about cybersecurity incidents for fear of being targeted again or revealing weaknesses in their systems. K12 Security Information Exchange encourages sharing since it helps other schools defend themselves, and it's possible to share generalized information in a way that doesn't increase risk.
But Levin says: "The notion of misleading people [about] who's behind the incident? Not ideal."