Lodi Unified School District in California has submitted a notification template to the California Attorney General’s Office. The template letter, dated, October 31, 2022, begins:
Dear [first name] [last name]:
Lodi Unified School District writes to notify you of a recent incident that may impact the privacy of certain information provided to us. We take this incident very seriously and are providing you information about the incident, our response, and steps you can take to help protect your information.
What Happened? On or about September 21, 2022, an account within our third-party student record management application, Aeries, experienced unauthorized access. As a result of this, we immediately began an investigation to determine the full nature and scope of the activity. Our investigation is ongoing; however, it was able to determine that certain information within the Aeries application was subject to unauthorized access. Therefore, in an abundance of caution, we conducted a review of the contents of the application in order to ascertain the type of information contained therein and to whom the information related.
What Information Was Involved? The investigation revealed that the information potentially impacted included your first and last name as well as your medical information.
The full letter can be found on the state’s breach notifications site.
But whose breach was this? Did the district’s Aeries’ account get compromised by phishing an employee’s credentials? Had credentials been re-used or stolen by an infostealer? Or was this Aeries’ responsibility somehow?
DataBreaches submitted inquiries to both the district and Aeries yesterday, as neither appeared to have any notices on their respective sites. No replies have been received by time of this publication.