DataBreaches.Net


Probable security breach may have compromised thousands of Lewis Palmer students’ data

Posted on May 25, 2016 by Dissent

Sherrie Pief reports:

Lewis-Palmer School District 38 officials are mum about the probability that a security breach related to its Infinite Campus platform may have compromised more than 2,000 students’ personal information.

Infinite Campus is a software program that stores personal and academic information about students in the district.

But wait… the district has known about a problem since September?

At a school board meeting on May 19th, a concerned parent asked the school board to fix the security breach immediately. The woman said district officials have known about the issue since the beginning of the school year.

And it gets worse:

After walking through the process with several students and parents using their accounts, Complete Colorado discovered that anyone could easily access the personal information of any student in the district, including names, addresses, and phone numbers for students, parents, siblings, and emergency contacts; schedules; attendance records; grades; locker numbers and combinations; transportation details, including where and when bus pickups take place; and health records.

Read more on The Complete Colorado.

I wonder if any parents have filed complaints with the U.S. Education Department under FERPA. There’s no way all that information is directory info and it certainly should be protected.

And for the district to claim they won’t confirm or deny the vulnerability but anyone who exploits it is a criminal, well…. wow.  Maybe if someone sued them they would have gotten off the dime faster and gotten this addressed?

Update: The district posted this message on its web site:

Data Privacy

  • 05.25.16

    Protecting your student and family personal data is of utmost importance to LPSD.

    Yesterday, we discovered a possible security breach through normal monitoring of IP addresses accessing our systems. It appears one individual with legitimate access to our system, using the student portal, may have accessed a few middle and high student IC accounts.  The IP address for this individual was immediately blocked. The individual was unable to modify data or transfer data electronically. We will be contacting the parents of the students impacted.  If you do not receive a call by the end of the day, you can assume your child’s account was not impacted.

    We shut down student portal access to IC this morning.  We apologize for the inconvenience this will cause.  We had hoped to keep IC access for students up through June 1 so that they could view final grades.  Unfortunately, due to this possible breach, grades must be accessed through the parent portal.

    Additionally, Google accounts, where student user names could potentially be viewed, were shut down earlier this week.  Accounts will be upgraded and security will be enhanced over the summer.

    If you need assistance with your parent portal access please contact technology services at (719) 488-4700.


5 thoughts on “Probable security breach may have compromised thousands of Lewis Palmer students’ data”

  1. Nancy Lorntson says:
    May 25, 2016 at 4:41 pm

    A point of clarification here. The article says “Google Apps for Education (GAFE), which is needed to connect to Infinite Campus”. It also says “Zark did not want her children using GAFE because of the possible breach, which she believed compromised their privacy.” The issue is with GAFE not Infinite Campus.

    IC is a stand alone Student Information System that the district has chosen to configure GAFE to interface with. They are using the data securely stored in IC to populate GAFE and it is the GAFE data that is exposed.

    I suspect the problem is that the connection between GAFE and IC is using a non-encrypted URL containing a studentID that is visible in the URL and can be easily changed to another student's ID and submitted to GAFE.

    More info here: http://www.npr.org/sections/ed/2015/12/08/458460509/google-hit-with-a-student-privacy-complaint

    1. Dissent says:
      May 25, 2016 at 8:37 pm

      You may well be right. Either way, they have left a vulnerability unpatched or unremediated since the beginning of the school year, if the parent’s report is accurate. That’s not acceptable.

    2. Bill Fitzgerald says:
      May 28, 2016 at 2:32 am

      This actually doesn’t sound like a GAFE or Infinite Campus issue – it sounds like sub-par username/pw selection assignment on the part of the district.

      This snapshot from the Wayback machine captures the IC login page on November 28, 2015: https://web.archive.org/web/20151128034002/https://campus.lewispalmer.org/campus/portal/lewispalmer.jsp

      To quote what is on that page:

      2013-08-09
      Students:
      Due to a security enhancement within Infinite Campus, your network and IC passwords have been changed! You must now enter the prefix, Lp@ before your regular birthday password (i.e. Lp@032794). Additionally, you may change this password by entering Ctrl+Alt+Delete and then picking Change a Password. Changing your password this way ONLY works if you are logged into the school network, NOT from home.

      So, assuming that the message on that page actually was posted on 2013-08-09, that means that this security issue would have been in the wild for the 2013-2014 school year, the 2014-2015 school year, and the 2015-2016 school year.

      1. Dissent says:
        May 28, 2016 at 7:12 am

        Interesting. Can any parent comment on whether that’s still the password structure and system?

        1. Concerned Parent afraid of Retribution says:
          May 30, 2016 at 8:36 pm

          Yes, that is correct. That was the password structure from the beginning and NOT until Sherrie Pfeif's article in Complete Colorado was being done (http://completecolorado.com/pagetwo/2016/05/24/probable-security-breach-may-have-compromised-thousands-of-lewis-palmer-students-data/) did the school district decide to have both Infinite Campus and Gmail accounts shut down to protect the kids. Right up until the article, parents' concerns were ignored.

Comments are closed.
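
An added example, not part of the original post or its comments: a check an administrator could run when a password is set or reset to reject the scheme quoted in the thread (a fixed prefix plus an MMDDYY birthday), together with a count of how few distinct passwords that scheme allows. The function names and the 1996 to 2005 birth-year range are assumptions chosen for illustration.

```python
import math
import re
from datetime import date

# The template quoted in the comment thread: fixed prefix "Lp@" + six digits.
TEMPLATE = re.compile(r"^Lp@\d{6}$")

# Common ways a birthday is written as digits (assumed list, extend as needed).
DOB_FORMATS = ("%m%d%y", "%m%d%Y", "%d%m%y", "%d%m%Y", "%y%m%d", "%Y%m%d")


def template_keyspace(first_birth_year, last_birth_year):
    """Number of distinct passwords the template yields for a birth-year range."""
    span = date(last_birth_year, 12, 31) - date(first_birth_year, 1, 1)
    return span.days + 1


def equivalent_random_chars(keyspace, alphabet=94):
    """Length of a random printable-ASCII password with the same keyspace."""
    return math.log(keyspace) / math.log(alphabet)


def audit_password(password, dob):
    """Return the reasons a candidate password should be rejected."""
    reasons = []
    if TEMPLATE.match(password):
        reasons.append("matches the shared prefix+MMDDYY template")
    # Strip separators so "03-27-94" is caught as well as "032794".
    digits = re.sub(r"\D", "", password)
    if any(dob.strftime(fmt) in digits for fmt in DOB_FORMATS):
        reasons.append("contains the account holder's date of birth")
    return reasons


if __name__ == "__main__":
    # Assumed cohort: students born 1996 through 2005.
    space = template_keyspace(1996, 2005)
    print("distinct passwords:", space)
    print("equivalent random characters: %.2f" % equivalent_random_chars(space))
    # Sample password taken from the login-page notice quoted in the thread.
    print(audit_password("Lp@032794", date(1994, 3, 27)))
    # Constructed sample of a password unrelated to the account holder.
    print(audit_password("correct-horse-7Q", date(1994, 3, 27)))
```

Under these assumptions the nine-character template is weaker than two random printable characters, because every position except the date is known in advance.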
