Thousands of Florida Virtual School Students Hit by Two-Year Data Breach

An almost two-year data breach has hit more than 368,000 students involved in the Florida Virtual School (FLVS) program.

FLVS said in a statement that the data exposure was likely active between 2 May 2016 and 12 February 2018 and that up to 2,000 teachers were impacted along with the students.

The leaked information includes student and parent names, dates of birth, email addresses, school account numbers and corresponding usernames and passwords – all of which could be used for identity theft as well as follow-on phishing and other social engineering attacks.

“For those affected by the data breach, it’s imperative that all accounts are regularly monitored for identity theft,” said Dean Ferrando, EMEA manager at cybersecurity firm Tripwire, via email. “Changing passwords will also help, no matter what information was compromised. Victims are most vulnerable during the initial moments after the attack, and this is why we recommend they act with extreme caution when dealing with incoming emails and telephone calls regarding the breach.”

Fortunately, neither student nor parent Social Security numbers and financial account information were affected. Still, it should be a wake-up call for the school.

“Educational institutions are prime targets for cyber-attackers due to the critical data they hold,” said Ferrando. “Schools, colleges and universities have large collections of personally identifiable information for their faculty, staff and students, and this provides significant motivation for attackers to try and exploit any vulnerability within their systems. Therefore, organizations need to actively observe how their system operates, especially when private information is concerned. In doing so, they can ensure that all systems are configured properly and securely.

The institution, which offers K–12 online education in Florida and globally, said it has contacted Leon County Schools, with which it’s affiliated, and notified the Florida Department of Law Enforcement (FDLE) and the FBI.

“FLVS is continuing its internal investigation and is fully cooperating with law enforcement agencies as they seek to apprehend those responsible for this crime,” the school said in a statement, adding that it’s offering free identity protection services to students, former students and others who were impacted by the incident.

What’s Hot on Infosecurity Magazine?