In a disturbing echo of past cybersecurity failings in educational institutions, Jefferson County School District R-1 in Colorado (“Jeffco Public Schools”) has become the latest victim of a cyberattack by a hacker group known as SingularityMD.
Just this past October, SingularityMD took credit for a massive data breach of personal student and staff information held by the Clark County School District (CCSD) in Nevada, claiming to have exploited similar basic vulnerabilities in its information security.
In an email sent to many Jeffco Public Schools staff members and published by DataBreaches.net, SingularityMD stated that the district’s “overall approach to cyber security is too relaxed.”
The cyber-attackers claimed that they had illegally accessed Jeffco’s network and downloaded, in part:
- Staff phone, home addresses, title, and other details.
- Parent and Student contact information (past and present) – 90,000 students
- Student school email addresses, emergency contact names, phone and email, student birthdates – 90,000 students
- Full backup of Jeffco’s IT project management directory (including past and present projects, confidential information, and systems configurations)
- Various financial documents and information
- Extracts from Group chat conversations
- Full extracts of students’ IEPs (Individualized Education Program) as of 2020
A Familiar Security Failing: Using Birthdates as Passwords
The recent cybersecurity breach at Jeffco Public Schools has cast a spotlight on the practice of using birthdates as default passwords—a rudimentary security flaw implicated in both the Jeffco and the earlier CCSD cyber-attacks.
SingularityMD reportedly gained entry into both networks by obtaining student birthdays and email addresses from social media and then using those credentials to gain access to student school accounts.
From that access point, SingularityMD has said it escalated from a student’s account to the teacher and systems level using “public groups and shared drives.” Rather than a sophisticated attack, they described their infiltration as “Nothing fancy.”
This approach highlights a significant vulnerability within educational institutions’ cybersecurity protocols. Using student birthdates as passwords to breach and gain access to the highly sensitive data of 90,000 students and lacking two-factor authentication highlights the urgent need for stronger, more complex authentication measures to protect sensitive educational data.
The Price of Privacy
The ransomware group reportedly presented Jeffco Public Schools with a choice: pay $15,000 by November 7th or face the widespread release of the stolen data.
This approach mirrors the tactics used in the CCSD breach, where compliance was sought through the threat of public exposure and legal repercussions. Unfortunately, it appears the data taken from CCSD was ultimately disclosed.
Colorado Data Breach Laws May Offer Recourse for Victims
Under the Colorado Consumer Protection Act, institutions like Jeffco Public Schools are expected to implement and maintain reasonable security procedures to prevent unauthorized access to personal data.
If you or your student’s personal data was put at risk in this ransomware attack on Jeffco Public Schools, you may be entitled to injunctive relief and damages. Colorado has laws designed to shield personal information from cyber threats.
In addition to seeking damages, data breach victims can seek injunctive relief to compel a school district to enhance its data security practices and better protect student personal information in the future.
Student Personal Data is a Target for Ransomware Groups
In October 2022, the U.S. Government Accountability Office released a report that 647,000 American students were victimized by ransomware attacks in 2021.
Similarly, cybersecurity firm Sophos reported a startling reality — in 2023, 80 percent of schools surveyed in the U.S. and 13 other countries had experienced a ransomware attack in 2022.
Stolen personal data of minors can be exploited for years, often without being noticed. This troubling fact, along with lagging cybersecurity defenses, makes schools and school districts prime targets for future cyber-attacks.
Seeking Legal Help
The sensitive nature of student information maintained by school districts like Jeffco demands careful handling and robust safeguards, a sentiment echoed by authorities across the country.
For those seeking to understand their legal rights in the wake of the Jeffco Public Schools data breach, it is advisable to consult with legal experts who can navigate the complexities of Colorado’s consumer protection laws.
