Superintendent Eileen Shafer’s administration spent $13,816 in public funds in its investigation of the data breach that claimed tens of thousands of school district passwords, according to public documents reviewed by the Paterson Times.
Investigation was conducted by the Pittsburgh, Penn.-based law firm Eckert Seamans Cherin & Mellott. Public records show the firm began investigating the data breach three weeks after the Paterson Times reported on the incident that claimed 23,103 account passwords and other computer access tokens.
School officials had been unaware of the data breach, which happened in October 2018, until details of it were published on May 13, 2019. In a 42-minute conference call on May 29, both the law firm and the district discussed the scope of the investigation, according to public records.
By Aug. 28, the law firm produced a legal analysis and a report of the “cyber incident.” A final report was produced on Sept. 3, according to records.
School board members were told of the findings in a closed-door meeting in Sept. One or more students at Eastside High School gained access to the district’s system via a teacher’s computer to dump the passwords into a file, according to sources.
Shafer has cited “attorney-client privileged material” to avoid public disclosure of the investigation findings. Her move is unusual. In the past, the district has made public investigation reports written by law firms hired by the district. For example, the findings of the basketball and the racy Fetty Wap music video filming scandals were made public. Both investigations were done by law firms.
School board member Kenneth Simmons, chairman of the technology committee, on Monday morning, said he has yet to see the findings. He renewed his call on Shafer and her administration to make the findings public.
“Just let people know, ease their minds,” said Simmons. He said these breaches are more “prevalent” than ever before. For example, the Livingston Public School district was crippled by a ransomware hack this week, he noted.
Some suggested the district is avoiding public disclosure of the report due to a notice of claim filed by the Paterson Education Association, the teachers’ union. The claim notice accuses the district of “wrongful actions” and “inaction” related to the data breach. It also accuses the district of “negligence” and “invasion of privacy by public disclosure of private facts” and “failure to destroy certain records” and “failure to notify explicitly following breach.”
Days after the data breach was exposed, Shafer’s spokesman in a press release falsely claimed the incident was “unfounded” in face of incontrovertible evidence. A school board policy requires the superintendent, through her public relations office, to provide “honest, continuous, comprehensive flow of information” to the community dealing with “problems” and other matters.
Shafer also threatened to sue the Paterson Times for reporting on the data breach. She later stated she did not intend to sue.
School officials changed all district passwords and instituted a two-factor authentication policy as part of an effort to secure the district’s computer systems.