Pearson breach affects ND schools, officials trying to figure out how many

By  | 

A software breach could affect more schools in our area than initially thought. Bismarck Public Schools posted a letter Monday letting people know a vendor, Pearson Clinical Assessment, experienced a nationwide breach and some data of BPS students and faculty is at risk.

The state's IT department says in a worst case scenario, as many as 58 school districts, with 71,000 students, could have had data stolen. We don't know the true number yet. IT says it hopes to have more information this week, but it will be an ongoing process. Some of the information obtained was already publicly available, like faculty emails.

Here's what we know about the breach:

- The actual breach happened in November 2018 and the F-B-I notified the company in March of this year.

- Hackers stole first and last names, email addresses and date of births. That doesn't mean each one of those was taken. According to Aimee Copas with the ND Counsel of Educational Leaders, Mandan Public school students had first and last names, as well as date of births taken, but no emails. The DOBs were not public information. Faculty had names and emails taken- both are already public info.

- IT says there's no school or agency at fault for the breach and they're investigating how many districts were affected.

- This is the second breach of North Dakota schools in the last year, with North Korea state actors infected a third of North Dakota schools with malware in September 2018.

“We deal with these kind of attacks on a day to day basis. We have outside actors, we have nation-state actors that're coming at North Dakota on a constant basis,” said Shawn Riley, North Dakota’s Chief Information Officer.

IT says of the 58 districts at risk, six received a letter about the breach, while one is reaching out to the company. The hack doesn’t include Social Security numbers or financial data. Riley says hackers could spoof the emails and get that data from people.

Pearson says in a letter dated July 19, there’s no evidence the information was misused and it is offering free credit monitoring services.