Breaches expose 50,000 student and teacher records at Leon County Schools; more districts likely affected
Breaches expose 50,000 student and teacher records at Leon County Schools; more districts likely affected

The records of roughly 50,000 students, parents, teachers and staff members from the Leon County Schools (LCS) District in Tallahassee, Fla. were compromised in two related breach incidents involving a third-party education services provider.

But district superintendent Rocky Hanna warns that this is likely just the tip of the iceberg, stating in a press conference that more than 368,000 records were actually found exposed -- meaning several other schools across Florida are presumably also affected. "I think this is just the beginnings of what is gonna be a major incident, a cybersecurity incident, here in the state of Florida..." said Hanna in a press conference, the video of which has been posted on a web page disclosing the breaches.

The school district and its vendor partner waited a full month before publicly acknowledging the breach, after learning of the incident on Feb 12, 2018. Compounding matters, certain faculty members' Social Security numbers were among the data lifted in the incident.

In the first of the two breaches, an unauthorized party intruded into an allegedly misconfigured online server and posted much of his findings on an online forum. The server belongs to Florida Virtual School (FLVS), which provides virtual K-12 education solutions to students throughout Florida and elsewhere. The server contains information on Leon County students (presumably former ones), staff members, teachers as a result of FLVS' 2017 acquisition of Ucompass, a technology company with whom the school district shared records back in 2013 for a joint project. 

Separately, FLVS has informed LCS that it exposed additional student and teacher records exposed to public access from May 2016 through February 2018, during which time it was providing the district with various online education services.

FLVS will provide free identity protection services to any student (current or former) whose information was stored in the FLVS database from May 2, 2016 through February 12, 2018, at which time the data was openly exposed. Accessed students records include names, birth dates, school account usernames and passwords, physical school identification, parents' names and emails, demographic information (including ethnicity), medical information (including vaccinations), Exceptional Student Education status (provided to gifted and disabled students), and academic program participation.

Meanwhile, compromised teacher information includes SSNs, names, birth dates, addresses, phone numbers, emergency contacts, spouse names, email addresses and demographic information.

According to all parties involved, there is no evidence that financial information or student Social Security numbers were impacted.

The initial breach was reportedly disclosed to Leon County Schools by the operator of the DataBreaches.net website, who in a Mar. 9 blog post characterized the incident as more of a leak than outright information theft. The author reportedly learned of the exposed data on Feb. 11, after seeing the records published on an online forum by an individual with the handle $2a$45.

The author claims that the individual did not appear to be seeking money and even offered to help the school secure its data after being contacted about his post -- although it is not entirely clear then why this individual lifted the information from the open database and pasted it into a forum. (The author also reports that a second individual had previously informed Databreaches.net of the open FLVS database in June 2017, but the tip was not followed up on.)

Superintendent Hanna, characterized the leaker's actions as malicious, claiming that he was "bragging" about stealing the data. Hanna also lambasted FLVS for its alleged negligence in handling the data, as well as for allegedly opting not to individual notify each affected individual. (The district says it is doing this instead, via a mass postcard mailing.)

"At the end of the day, Florida Virtual School left their server side open for intruders to access they are 100 percent responsible for this theft," said Hanna, who also criticized the district's previous administration, adding: "In my opinion, the personal teacher and student information that Leon County schools sent to Ucompass in 2013 never should have been shared with anyone. Period."

"FLVS takes its obligation to protect the privacy of personal information very seriously and deeply regrets this incident," reads a company statement from the vendor. "After FLVS learned of this incident, we immediately initiated a comprehensive IT security investigation and hired an independent forensic cybersecurity investigation firm to assist in our investigation and response," adding that the Florida Department of Law Enforcement (FDLE) and  Federal Bureau of Investigation (FBI) were both notified of the situation.

Families seeking additional information are encouraged to call Florida Virtual School's dedicated call center at (888) 829-6553 or visit the FLVS website.