DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Aeries Student Information System discloses breach (with updates)

Posted on May 12, 2020 by Dissent

Aeries Software recently announced a data breach.  I didn’t see it, but a reader kindly stuck it under my cybernose today so that I could share it with you.  The software firm’s notice of April 27 applies to hosted customers of their Aeries Student Information System. From their notice:

What Happened?

In late November 2019, Aeries Software became aware of unauthorized attempts to access data through the Aeries SIS. In response, we immediately began an investigation into whether these attempts had been successful and, if so, how they had been accomplished, what impact, if any, they may have had on data, and what steps we could take to thwart future unauthorFized access to data through the Aeries SIS using the same or similar means. At the time, internal investigation did not reveal any compromise of the Aeries SIS or data.

Nevertheless, Aeries Software deployed a series of security patches in the December 20, 2019 version of the Aeries SIS which addressed the results of our internal investigation.

Then, in late January 2020, we were informed by a locally hosted District that their database may have been previously subject to unauthorized access, they had informed local authorities, and a criminal investigation was underway. We now understand that the investigation by the authorities is ongoing and we are working closely with lFocal law enforcement and federal authorities as well as the District to determine what transpired, by whom it was perpetrated, and what impact, if any, it may have had on data.

In working with the District and law enforcement officials, in March 2020 we were able to expand our earlier investigation with the new information as to the methods used by the individuals who had accessed data without authorization. Specifically, we determined that the unauthorized access had included Parent and Student Login information, physical residence addresses, emails, and “password hashes.” With access to a password hash, weak, common or simple passwords, can be deconstructed to gain unauthorized access to Parent and Student Accounts. According to the results of our investigation, there is evidence to suggest that your database in our Hosted environment may have been one of 166 databases subject to unauthorized access on or about November 4th, 2019. However, we understand the perpetrators have been taken into custody and the unauthorized access has been terminated.

I cannot find any news coverage of any arrest and emailed Aeries to inquire whether they had any additional info on the perpetrators or arrest, but there was no immediate response to inquiries. This post will be updated if a response is received. (See Update of May 28 below this post)

What Information Was Involved?

At the moment, our investigation has revealed Student Permanent IDs, Parent and Student Login information, physical addresses, emails, and passwords hashes may have been subject to unauthorized access.

For more information from Aeries including recommended steps to protect information, see their full notice.

Update:

The following entities have posted notices concerning the incident:

Monrovia School District
Kingsburg Elementary Charter School District
Santa Barbara School District
Los Alamitos Unified School District

Note of May 28: There has apparently been an arrest in the case, but no details have been provided about the perpetrator yet.

June 2 Update:  More districts have sent notifications:

Laguna Beach Unified School District
Central School District
Inglewood Unified School District
Lassen Union High School District
Rocklin Unified School District
Yucaipa-Calimesa Joint Unified School District
San Bernardino City Unified School District
Fairfield-Suisun Unified School District
ABC Unified School District
Mount Diablo Unified School District 
Brea-Olinda Unified School District
Corning Union High School District
Apple Valley Unified School District
Yuba City Unified School District
San Leandro Unified School District
Chino Valley Unified School District
El Dorado County Office of Education
Saddleback Valley Unified School District
Adelanto Elementary School District
Red Bluff Joint Union High School District
Beverly Hills Unified School District 

Leemore Union High School

San Dieguito Union High School District

Category: Business SectorEducation SectorSubcontractorU.S.

Post navigation

← Washington, D.C. Adds Security Requirements in New Data Breach Notification Law
Paying the Ransom Doubles Cost of Recovering from a Ransomware Attack, According to Sophos →

2 thoughts on “Aeries Student Information System discloses breach (with updates)”

  1. Nancy Lorntson says:
    May 13, 2020 at 9:33 am

    95% of Aeries customers are in California so this will be a good test of the CCPA

    1. Dissent says:
      May 13, 2020 at 10:50 am

      Good point.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Department of Justice says Berkeley Research Group data breach may have exposed information on diocesan sex abuse survivors
  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
  • US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car
  • Google agrees to pay Texas $1.4 billion data privacy settlement
  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.