A massive data breach has struck the Paterson Public Schools, claiming 23,103 account passwords and other computer access tokens, according to information reviewed by the Paterson Times over the weekend.
Information stolen in the breach includes desktop logins, email usernames and passwords, and laptop credentials. For example, the email usernames and passwords of all school district employees — including those of the superintendent, administrators, teachers, and other staff members — were dumped, deposited into a file that runs more than 116,000 lines.
It’s not clear whether the hacked information has been published on the dark web, a shadowy part of the internet that is accessed using specialized software and is inhabited by cyber criminals (black hat hackers, drug dealers, arms smugglers, and other unsavory actors) who use it to trade stolen information.
School district officials were unaware of the breach until Monday morning.
“What! How does that even happen?” remarked a shocked school board president Oshin Castillo. “This is the first time I’m hearing about this.”
Castillo wondered whether the district’s financial information, like bank account credentials, was stolen in the breach. There’s no indication financial data were stolen; however, if bank account details were on computer files, the perpetrator may have access to that information.
“It leads you back to all of our personnel and confidential information,” said Castillo. She said she has to speak to superintendent Eileen Shafer and her staff to find out more information about the breach.
“We’re on it,” said Shafer on Monday morning. “We need to dive into this and see what we can come up with.”
“District officials are looking into the situation to verify whether there is a problem,” said Paul Brubaker, spokesman for the Paterson Public Schools.
The stolen account usernames are in plain text while the passwords are encrypted, according to reviewed information. However, the encryption is weak and relatively simple to reverse to obtain the plain passwords. The Paterson Times tested and verified some of the credentials, which remain valid.
For example, Brubaker, the district spokesman, who sought evidence of the hack, was provided one confidential secretary’s username and reversed password that allows access to her Microsoft Outlook email inbox and district workstation.
“It means someone got into the system. That’s a lot of information,” said school board member Kenneth Simmons, chairman of the technology committee. “If it’s that many, it must include student accounts.”
Simmons, who has a background in information technology (IT), said the hacker must have gotten access to one or more district servers. He was puzzled about the theft of email account usernames and passwords. He pointed out the district uses Office 365, a cloud email system. However, employees use email credentials to log on to computers in the district.
“Unfortunately, people use the same passwords,” said Simmons. He said the district should have had a policy to require strong passwords and force a 90-day password reset on all users.
It’s not clear how the perpetrator gained access to the district’s system.
“It sounds like they are in the network and they are on the servers. Or they are on the network and they are capturing the information,” said Simmons.
The perpetrator contacted the Paterson Times on Thursday using a fictitious email account. The email claimed the individual had access to “all information systems” in the district. The first email was ignored.
A follow-up came on Saturday. The perpetrator tried to burnish his or her credibility by offering to provide proof.
The Paterson Times sought evidence. The perpetrator provided screenshots of two district employees’ Outlook email inboxes. The individual also provided other information that demonstrated he or she had credentials of tens of thousands of district accounts, including those of former employees.
The individual sought to sell the stolen data to the Paterson Times, but was rebuffed. The 23,103 passwords were stolen in October 2018, the individual said in an email. However, the person indicated having continued access to district systems.
The perpetrator was spooked when told the information provided would be used for a news story. The last email to the actor was returned as “undeliverable.” The body of the returned email stated the reason: “Recipient address rejected: this address does not exist.”
The email credentials of Castillo, Shafer, Simmons, and Brubaker were among those stolen in the breach.
“This is kind of scary,” said Simmons.