Articles

  • Tuesday, February 08, 2022 3:46 PM | Timothy Phillips (Administrator)

    The Breach 

    In August 2021, the Dallas Independent School District suffered a severe data breach that involved the district’s electronic records of current and former students, alumni, parents, and district employees.  At the time, the DISD reported that a ‘third party’ had accessed the data but was unsure whether the data had been shared or sold.


    The Reality

    It was not a ‘third party’ that had accessed the data but two students, which would make it a ‘first party’ actor.  Additionally, the district waited nearly 30 days before reporting the breach to the public on Sept 3rd.  The students who perpetrated the breach had sent an email to the district on August 8th saying they had the data, sent links to the data, and offered their ‘help’ to district officials.

    Over 800,000 records were compromised in the breach.  They included names, addresses, phone numbers, Social Security numbers, dates of employment, salary information, and the reason employment ended for current and former employees and contractors.

    Some students even had their custody statuses and medical conditions exposed.

    Rajin Koonjbearry, CISO for the Dallas Independent School District (ISD), resigned, saying that he was “afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility.”

    What’s Next? 

    Schools are often targets of both malicious actors and students and are often reluctant to report breaches for fear of admitting to and exposing weaknesses in their security posture.  These vulnerabilities are often related to the funding school districts receive from their local governments.  Weak tax bases leave school districts underfunded and struggling to meet basic needs like building maintenance and textbook purchases for students.

    It comes as no surprise that district InfoSec postures suffer from lack of funding as well.  With the number and detail of records stored by districts and individual schools, and their reluctance to report breaches, they are often targeted by hackers, malicious actors, and even their own students.

    Questions for You!

    What are your thoughts on this topic?

    Do you have any specific industry insights in education you'd like to share with the community?

    Should a CISO feel obligated, or worried enough to leave an organization after a hack?

    If you have thoughts on any of these questions or other relevant and related ones, please leave a comment in the comment section below. Please note that, to keep our environment clean and free of advertisements of any kind, comments may not include external links, company names cited for promotion, or the like.
