Data storage flaws exposed
Computer security expert downloaded files from Schoolzilla
PALO ALTO — Partial records for about 14,000 students of the Palo Alto Unified School District were accessed in a data breach by a computer security researcher who discovered vulnerabilities of a data storage vendor that Palo Alto schools previously used.
The researcher said that on April 4 he was able to download files from Schoolzilla containing data on about 1.3 million students, including those from Palo Alto. He notified the company by filing a data breach notification ticket.
Students’ names, addresses, birth dates, state test scores and their parents’ names were part of the information in those files, Palo Alto school officials said in a community alert Thursday. Current and former students affected by the breach will be notified by mail.
Chris Vickery, the computer security researcher, wrote about what he did in a blog post, describing how Schoolzilla made the “all-too-common mistake of configuring their cloud storage (an Amazon S3 bucket) for public access.”
Vickery is what some would call a “white hat” hacker who searches for vulnerabilities and flaws in computer security systems so they can be fixed.
Schoolzilla CEO Lynzi Ziegenhagen wrote that Schoolzilla is grateful to be informed of the file configuration error.
“As soon as we learned of it, we immediately fixed the error and confirmed no one accessed any information, other than the researcher,” Ziegenhagen wrote. “We are grateful that the researcher informed us quickly, so we were able to fix it quickly.”
Palo Alto school officials say the researcher provided Schoolzilla with a sworn affidavit stating that he has deleted all data from the incident and that he does not know which school districts’ data he obtained. The incident, which involved a vulnerability that perhaps could have been reported to Schoolzilla without actually downloading the data, will be reported to California’s attorney general for further investigation. Palo Alto had a contract with Schoolzilla for data reporting services from May 2015 to May 2016.
“While they purged all the data from the live system, they overlooked that Palo Alto was still in the off-site backup,” said Chris Kolar, the district’s director of research and assessment.