(Image source: Denver Public Schools, 2023a)
One-sentence summary:
An attacker breached Denver Public Schools for about a month and accessed PII, including SSNs, of over 15,000 employees.
Who was involved?
Threat actor, Denver Public Schools, and 15,000 Denver Public Schools employees
What was the timeline?
December 13, 2022: Attacker gains initial access to DPS’s information systems.
January 4, 2023: DPS discovers the intruder.
January 13, 2023: Attacker’s last known presence at DPS.
March 3, 2023: DPS posts a breach notice on its public website.
March 8, 2023: A Reddit user reports that former employees and dependents are affected.
What occurred?
An attacker breached DPS for about a month and retrieved “names and Social Security numbers of current and former participants in DPS’s employer-sponsored health plan; employee fingerprints, if on file; bank account numbers or pay card numbers; student identification numbers; driver’s license numbers; passport numbers; and limited health plan enrollment information maintained for human resources purposes” (Seaman, 2023; Lynn, 2023; Denver Public Schools, 2023b, para. 2).
Estimated costs:
M-F Call center and data breach notification costs.
Involved laws:
State: Colo. Rev. Stat. § 6-1-716
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Sources:
Denver Public Schools. (2023a, February 3). Logo for Denver Public Schools. Wikipedia. https://en.wikipedia.org/wiki/File:Denver_Public_Schools_logo.svg
Denver Public Schools. (2023b, March 3). Notice of Security Incident | Denver Public Schools. Retrieved March 3, 2023, from https://www.dpsk12.org/notice-of-security-incident/
Lynn, N. (2023, March 3). Hacker steals bank account, Social Security numbers of Colorado school district employees. 9NEWS. Retrieved March 4, 2023, from https://www.9news.com/article/news/crime/denver-public-schools-cybersecurity-incident/73-5a79182e-4b9d-49b0-ab32-5dfe98b269ee
Seaman, J. (2023, March 4). Data breach of DPS computer servers affects all district employees, officials say. The Denver Post. Retrieved March 4, 2023, from https://www.denverpost.com/2023/03/03/denver-public-schools-data-breach-2023/