After a massive data breach, the Paterson Public Schools has reset all employee email passwords, officials announced late Thursday afternoon.
School officials said the district’s information technology (IT) department has instituted a two-factor authentication process for employees.
“We are taking every step possible to prevent a hack of the district’s email system,” said Christopher Lewis, director of business applications at the Paterson Public Schools, in a press release. “We take all matters concerning the security of our information systems, including email servers, very seriously.”
The district’s email accounts are not on servers, but in Office 365, a cloud-based email platform hosted in the Microsoft cloud.
Both the password reset and the multi-factor authentication process fall short of addressing the breach that claimed more than 23,000 passwords. For example, the breach included desktop logins, laptop credentials, and network passwords.
The district’s announcement does not state whether desktop, laptop, and network passwords were changed. The bizarre press release, which confirms the breach in one paragraph and claims it didn’t happen in the next, appears to downplay the breach. For example, it contains phrases like “unfounded report of a hack,” “password changes were a precautionary measure,” and “supposed email hack.”
The release also attacks the Paterson Times, which first informed school officials of the breach on Monday morning, and describes it in disparaging terms. Superintendent Eileen Shafer has threatened to sue the Paterson Times for exposing the data breach. Multiple media law attorneys have said Shafer has no grounds for a lawsuit.
School board member Kenneth Simmons, chairman of the technology committee, vehemently disagreed with the district’s assessment of the breach being “unfounded.”
“If there is proof that district data has been obtained, in this case a screenshot of a password file. Then there is a breach,” said Simmons, who has a background in information technology. “Whether external or internal. At this point, a root cause analysis must be done to determine how that information was obtained. Doing so, is the only way that I know of, to make sure it doesn’t happen again.”
School officials were provided evidence of the breach on Monday morning. As of Thursday afternoon, many questions remained unanswered. Shafer’s administration has not responded to pointed questions from the Paterson Times about the breach.
What steps has the district taken to address the situation so that the actor is not able to return to snatch the updated passwords? The perpetrator over the weekend indicated he or she had access to “all information systems” in the district.
School officials also have not answered why the breach happened, whether through poor security, outdated systems, or something else, or when the actor first gained access to the district’s systems.
Paul Brubaker, spokesman for the Paterson Public Schools, said the matter of who stole the information and how it was taken has been referred to the Passaic County Prosecutor’s Office and the New Jersey State Attorney General’s Office. Shafer has said the hack could be the work of a former district employee.
Shafer has provided reassurance to employees that their personal information was not at risk. However, those reassurances would appear to be hollow if the actor continues to enjoy access to the district’s networks.
The 23,103 passwords were stolen in October 2018. Over the eight months since, the actor may have signed into any and all district email accounts.