Hopkins County School suffered data breach compromising students’ personal information

• An attacker compromised an employee’s password-protected Infinite Campus account and gained access to a database that contained students’ personal information.
• The database contained almost 7000 students’ personal information including names, dates of birth, and Social Security numbers.

What happened?

Hopkins County School suffered a data breach after an attacker compromised an employee’s password-protected Infinite Campus account and gained access to a database that contained students’ personal information.

What information was compromised?

The database contained almost 7000 students’ personal information including names, dates of birth, and Social Security numbers.

What was the immediate action taken?

• Upon learning the incident, the school responded quickly by taking down the database, however, the unauthorized third-party had access to the database for almost 20 hours.
• The school notified the Kentucky Department of Education, Kentucky State Police and the state's attorney general about the incident.
• The education institution also filled out an appropriate form as per the state-standard protocol.
• Hopkins County School is recommending parents to remain vigilant and monitor the credit scores in the parent portal.
• It is further planning to provide proper training for its staff on password-protection.

“At this point, it's more of training and using this as a positive opportunity to train and help people learn the severity and consequences. It's a lesson in keeping passwords private and secure, which is something we've always done. It's just now we have a case to refer to and say, 'Hey, this can happen. Please be aware,” Drew Taylor, CIO at Hopkins County School said.

Not a malicious attack

Taylor noted that the attackers’ motive is not to get the list of Social Security numbers and confirmed that there is no evidence of any misuse of students’ personal information. However, an extensive investigation is still ongoing.

“We do not believe that this was a malicious attack. We do not believe it's like something you hear on the news about a Russian hacker getting a list of Social Security numbers. We believe it was something local. It could have been a joke. It could have been something very minor,” Taylor said.