Pearson Clinical Assessments notified District 203 and District 204 in July, along with roughly 13,000 other schools and universities with AIMSweb 1.0 accounts, of an unauthorized access by a third party that occurred in November 2018.
The company said the exposed data was isolated to first and last names, and in some instances date of birth and/or email address.
“Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability,” the company said in a statement issued July 31. “While we have no evidence that this information has been misused, we have notified the affected customers as a precaution. We apologize to those affected and are offering complimentary credit monitoring services as a precautionary measure.”
Both school districts notified parents of the breach Tuesday morning and provided families information on how to acquire the free credit monitoring.
Naperville 203 and Indian Prairie 204 used AIMSweb 1.0 to track the academic progress of students in kindergarten through eighth grade. The company indicated no test scores, performance data or any other personally identifying student information was part of the data incident.
The hacked data included the first and last names and, in rare cases, date of birth of 3,700 Naperville 203 students and 49,000 District 204 students who were enrolled during the school years 2001-2016. The data also included the first and last names and school email addresses of about 800 District 203 and 2,300 Indian Prairie staff members.
Although Pearson provided no evidence any data was misused, the company is providing free Experian credit monitoring to any student who was enrolled between 2001 and 2016, the districts said.
Cyber security expert Mike Khattab, CEO of CMIT Solutions of Naperville and Orland Park, said the breach likely occurred without anyone’s knowledge because most intrusions occur when a worker inadvertently opens a curious email with a funny video or link attached. What the worker doesn’t know, he said, is the attachment contains a hidden virus that exposes the whole network.
Khattab said other than preventing future attacks, little can be done because the data already has been downloaded and put up for sale on the dark web. “The damage already has been done. That data has been exposed,” he said.
Even if only a child’s name and birth date were acquired, he suggests families take up Pearson’s offer for free credit monitoring. “It very well is used for applying for credit,” he said.
Hackers can do far more harm if they have Social Security or other financial information, and that does not appear to be the case here, Khattab said. “A name and birthday is information that’s not as critical. With financial information, they can do a lot more damage,” he said.
In their messages to families, both districts said they take the security of all student, family and staff data very seriously and that only the most limited data is provided to vendors for any required services. They also said contracts with outside vendors are closely vetted to ensure measures are in place at all times to safeguard that data.
©2019 the Naperville Sun (Naperville, Ill.). Distributed by Tribune Content Agency, LLC.