Parents of Hopkins County schoolchildren were greeted with a message from the school board Thursday morning alerting them of a data security breach. Because of a school board staff member's password-protected account being compromised, a currently unidentified user had access to a countywide database, which contains the names, dates of birth and Social Security numbers of about 7,000 students, according to school officials.
While there is no current evidence the user obtained students' personal information, school board officials cannot say for certain the information was not accessed.
The incident occurred Tuesday, and the user had access to the database for less than 20 hours before it was brought to school officials' attention on Wednesday. According to Chief Information Officer for Hopkins County Schools Drew Taylor, the breach occurred because an employee's password to their Infinite Campus account had been compromised.
"Because of the nature of the staff member, they had access to personal information of all students," Taylor said.
While the school board knows the identity of the employee, officials would not release that information.
Taylor said that as per state-standard protocol, the school board has
See BreaCh/Page A3
filled out an appropriate form and contacted several agencies including Kentucky Department of Education, Kentucky State Police and the state's attorney general.
"It's mostly handled at the state level for this," Taylor said. "If they feel like there is anything to be done further, they will take action at this point."
While Taylor is certain this user's purpose was not to get a list of Social Security numbers, he could not release his reasoning.
"We do not believe that this was a malicious attack. We do not believe it's like something you hear on the news about a Russian hacker getting a list of Social Security numbers," Taylor said. "We believe it was something local. It could have been a joke. It could have been something very minor."
According to Taylor, officials do not know of any changes or misuse of students' personal information at this moment, but it is still under investigation.
Moving forward, Taylor said that better training of staff in password-protection will be implemented to ensure this type of security incident will not happen again.
"At this point, it's more of training and using this as a positive opportunity to train and help people learn the severity and consequences," Taylor said. "It's a lesson in keeping passwords private and secure, which is something we've always done. It's just now we have a case to refer to and say, 'Hey, this can happen. Please be aware.' "
As precautions, Taylor advises parents to check their parent portal to make sure their information is current and accurate as well as monitor their credit scores. Parents can also contact the Federal Communications Commission and file a complaint if they feel there is an issue, he said.
District Communications and Community Engagement Specialist Lori Harrison also recommended parents should contact the school board if they would like more information.
"I think they would feel better talking to people, and they can understand it better," Harrison said. "We can talk further about what exactly a data breach is and what this means for them."
For more information, parents can call 270-825-6000 and ask for the technology department.