DataBreaches.Net


Update: Arrest in Sachem schools data breach (update1)

Posted on November 23, 2013 by Dissent

There has been another development in a data breach involving the Sachem Central School District on Long Island (previous coverage here and here). As I commented previously, it sounded to me like they suspected an insider breach but it wasn’t clear if it was an employee or a student hacker they suspected. Well, now we know, as an arrest has been made. Newsday reports that a 17-year-old teenager who had been a student at the Sachem High School North allegedly accessed and downloaded Sachem students’ records in 2012 and 2013 and uploaded data to 1Apps.com and Sachemspun.com.

The district contacted the police on November 8 after learning that some information had been uploaded to a web page, although as the district’s FAQ on the breach notes, they first became aware of the breach in July and again in August, when they also reportedly contacted the police.

The information leaked online reportedly included a list of 15,000 student names dating back to the early 2000s and school identification numbers and lunch designations. There was also another list with 12,000 names and school identification numbers posted, but only about 900 of those were different than what had been posted already. Additionally, records for about 360 Sachem High School East graduates from 2008 were also posted, along with a report on about 130 Sachem High School North students in the 2010-2011 year who received “instructional services in an alternative setting,” the district said in a statement on the district’s website.

Matthew Calicchio has been charged with felony computer trespass and is expected to be arraigned today.

So… it seems that the district did not detect when the database was breached in 2012 or 2013, and had the hacker not uploaded the data to a local web site, the breach might never have been detected. What does that say about the state of data security for the school district? Note that while some of the data uploaded does not seem to be too sensitive, free lunch program status does convey information about the families’ economic situation, and information on students educated in alternative settings suggests that those records include what should be protected information about students with disabilities (or in some cases, perhaps, disciplinary problems leading to other settings).

The district says it has complied with NYS data breach notification law:

Notices compliant with the New York State Technology Law and General Business Law are being generated to individuals whom we reasonably believe were affected by this criminal act. We have been in contact with the Office of the New York State Attorney General in this regard as well.

No free credit monitoring services have been offered to anyone and the district says Social Security numbers were not involved. But until the teen’s hard drive is searched, it may be premature to suggest that what was uploaded to web sites was all of what was acquired.

From my reading of the situation, my guess is that the teen was able to get a staff member’s login credentials and used them to access the system.

Of course, nothing ever really happens to districts who experience these kinds of breaches. The U.S. Education Department doesn’t require breaches be reported to them and NYS is unlikely to do anything. Could the FTC do something? Yes, but historically, they have been hands-off in the education sector. Frankly, I wish the FTC would go after a few educational institutions at the K-12 and post-secondary level. With more districts compiling and sharing more student data that includes parental income and other details, the need for data security in the education sector has never been greater.

Update1: The teen has pleaded not guilty. Of note, the prosecutor claims the teen allegedly also “downloaded and took” student Social Security numbers and medical information. There was no indication as to whether it was uploaded to any site. Since the district’s public statements about the breach denied SSNs were taken and made no mention of medical information, it’s time for local reporters to go back to the district and clarify exactly what types of information really were involved in this breach.

Category: Commentaries and Analyses, Education Sector, Insider, Of Note
