Over 200 students had their records compromised in a data breach.
What happened
Two Northern Kentucky counties faced data breaches in late December. In Boone County, approximately 200 student records were compromised. In neighboring Kenton County, approximately 38 students had their data accessed and viewed.
Both schools conducted an investigation and shared that the breach was the result of phishing.
Going deeper
In a notice, Kenton County School District (KCSD) said they discovered suspicious activity in their email computer systems on December 4th. Through an investigation, the district determined a user accessed and potentially copied data of 38 students between November 27th and November 29th, 2024. Data involved included names, addresses, dates of birth, phone numbers, student ID numbers, Medicaid-related information for Special Education services, and email addresses. KCSD began sending notices on December 5th.
Boone County also released a notice with limited details. 200 records were accessed, which may have included health data, phone numbers, behavior records, educational records, and other identifying information.
What was said
According to Boone County, the attack was “highly sophisticated” and targeted “a special education staff member’s email account.” The district further stated, “This was not a typical phishing attempt; it was designed to closely mimic a Dropbox login and has impacted multiple districts across the state.”
The team also said they currently have no evidence of the data being misused, but “have reason to believe that the inbox was copied.”
Boone County said they would be working closely with the Kentucky Department of Education, whom KCSD also said they contacted.
“We are also strengthening our computer systems with enhanced cyber focused structures and systems,” read KCSD’s notice.
The big picture
In this situation, it seems that multiple school counties fell victim to a sophisticated, targeted cyberattack. While many attacks are crimes of opportunity, they can also be exceptionally planned out through elaborate schemes.
Teachers regularly deal with sensitive student records, which must be protected under the Family Educational Rights and Privacy Act (FERPA). While schools do not fall under HIPAA requirements, they have their own set of regulations that focus on protecting student data.
Every organization should prioritize data security even if they are not a covered entity, because both education and health-related data can be valuable on the black market. Furthermore, when this data is leaked, it can harm family trust in the school system. Attacks from phishing are almost always preventable with the right tools; any organization that handles potentially sensitive data should use the proper software to ensure security.