Notice of Data Breach: Beverly Hills Unified School District Frequently Asked Questions
General Questions Regarding the Incident
What happened?
The District uses the Aeries Student Information System to provide students and their parents with online access to information regarding school events and schedules. In late November 2019, Aeries learned there were attempts to exploit a vulnerability in the Aeries software that would allow access to student and parent information. Aeries later determined that the exploit was successful. Upon discovery, Aeries began an investigation and law enforcement launched an investigation to identify the person responsible, who Aeries believes is now in police custody. On April 27, Aeries notified the District that the unauthorized individual(s) may have accessed the District’s Aeries System, which may have revealed certain account information. We then contacted Aeries and, on May 5, 2020, we were informed that the individual did access parent and student data within the District’s Aeries System.
What information was accessed?
Aeries cannot confirm whether any individual account holder’s information was viewed by the unauthorized individual. However, the information accessed by the perpetrator potentially included parent and/or student name, home address, phone number, email address and hashed password – a form of rendering the actual password indecipherable to third parties – for the Aeries System.
What steps did the District take in response?
Upon notification by Aeries, we worked closely with Aeries to confirm the impact on the District’s Aeries System and to identify the account holders whose information may be involved. In addition, although this incident was the result of a vulnerability in Aeries’ system, not the District’s, as a precaution, we are requiring account holders to change their passwords the next time they sign into their accounts. Aeries also installed a software patch to remedy the vulnerability in the Aeries System that allowed the unauthorized individual to access our parents’ and students’ information in the Aeries SIS. We are also reviewing our existing policies and procedures to mitigate any risk associated with this incident and to better prevent future incidents.
Additionally, we have been informed that local and federal law enforcement officials were notified of the incident, charges were filed, and arrests were made of the unauthorized individual, and the investigation of their misconduct is continuing.
Is the District offering credit monitoring?
We are not offering credit monitoring at this time. Credit monitoring is designed to let you know when someone is opening a new credit account using your information. This incident did not involve the type of information someone needs to open a new credit account, such as a Social Security Number or driver’s license number. Additionally, we have no evidence that any parents’ or students’ information has been or will be misused. Lastly, we believe the risk of misuse of parents’ or students’ information is lowered even further since law enforcement has the alleged perpetrator in custody.
What is Aeries doing to prevent this from happening in the future?
Aeries informed us that they took immediate action to ensure the security of the system, including installing a patch in their software. In addition, Aeries has taken additional technical measures to prevent future incidents and is adopting new security protocols to increase the protection of your data. In addition to allocating significant resources to a rigorous internal security audit, Aeries will also be engaging an independent third party to assist in conducting a complete audit and analysis of their system security.
Why is the District giving notice now?
According to Aeries, while their investigation discovered attempted unauthorized access in November 2019, it was not until several months later that they first learned that unauthorized individual(s) successfully accessed the Aeries System. A state and federal law enforcement investigation into the incident and the perpetrators has also been ongoing. Aeries confirmed that the District’s Aeries System was involved in this incident in early May 2020. Since that time, the District has been working to thoroughly investigate the scope of what happened and identify those individuals whose information may have been involved and what information may have been involved.
Who accessed the Aeries System?
The District does not have that information and understands that this matter is currently being investigated by law enforcement. We have been informed that at least one arrest has been made in the investigation, but we do not have any further information.
Whose information was in the District’s Aeries database?
The District’s Aeries database contained information relating to parents of all students currently enrolled in schools within the District for the 2019-2020 school year who have a Parent Portal account, as well as their students.
Were Aeries Parent Portal account passwords involved?
The information included in the Aeries Parent Portal database included hashed passwords. Hashing is a technique used to render the actual password indecipherable to third parties. Even though the password itself was not accessible, it is possible that an individual with enough time and skill could eventually decipher the password.
Does the information accessed concern identity theft?
We have no reason to believe that any data was accessed revealing sensitive information such as Social Security numbers, credit card numbers, financial account information, or other information directly impacting your credit rating. That information is not stored in the Aeries database.
What steps can I take?
To guard against the information involved being misused we are asking that all account holders take a number of precautionary steps:
- You will be required to change your Aeries account password, and your new password must include the following:
  - Lower case letters
  - At least one (1) upper case letter
  - At least 1 special character
  - At least 1 number
  - At least eight (8) characters
- Additionally, if you use the same password for other online accounts, we recommend changing the password for those accounts as well.
- Use good password management practices, including not using easily guessed passwords and not using the same password across multiple accounts.
- The District will not ask for your password over the phone or via email. You should be cautious when individuals contact you purporting to be from the District.
Does the District have security in place?
Yes, we do. However, it is important to understand that the vulnerability exploited by the unauthorized party here was in Aeries’ system, not the District’s. Nevertheless, the District has a dedicated information technology team that is responsible for implementing security measures and monitoring the District’s systems.