The school district is changing all its email and administrative passwords following a breach that claimed more 23,000 access credentials, said superintendent Eileen Shafer late Monday afternoon.
“The district’s information technology (IT) officials have been investigating the matter throughout the day, using information that had been provided to the district,” said Shafer. “At this point, the district’s IT officials do not believe that the email server has been compromised.”
The school district uses a cloud platform, Office 365, to host its email accounts. Office 365 does not require organizations to run their own email servers instead the email accounts are held in the Microsoft cloud.
Shafer’s spokesman, Paul Brubaker, did not respond to a message seeking clarification to her remarks.
“The obtained information is about eight months old, and could have been obtained by an employee who worked for the district at that time,” said Shafer. She did not identify the name of the former employee.
However, the district’s chief attorney, Robert E. Murray, in a letter to the Paterson Times, asserts there were multiple actors. His letter says, “the person or persons who accessed our system and took certain data may not be working alone.”
Shafer said there is “no reason” to believe the security of the district’s email server was breached, but that “someone clearly hoped to create the impression that it was.” She said the matter is being referred to the New Jersey Attorney General’s Office and the Passaic County Prosecutor’s Office for investigation.
“We want to be clear to employees of the Paterson Public Schools. There is no reason to believe that any employee’s personal information is at risk,” said Shafer. She said all district employee passwords and administrative passwords are being changed. All password changes will be completed by close of business on Tuesday, she said.