*The Accolade strives to follow professional journalism practices in identifying all sources in the stories it posts or publishes. However, in rare cases in which sources’ identities could risk harm, The Accolade can choose to protect them by not revealing their names.
The Accolade has obtained on Wednesday, Jan. 10, a document indicating its source as the Fullerton Joint Union High School District [FJUHSD] and citing the cause of last November’s network outage as “a sophisticated ransomware attack.”
“On November 14, 2023, FJUHSD experienced a network disruption and immediately began an investigation with the assistance of third-party specialists,” according to the letter, dated Friday, Jan. 5, with the FJUHSD logo on the top right hand corner. “The investigation determined that FJUHSD was the victim of a sophisticated ransomware attack. … we understand a limited amount of data on our network was potentially accessed without authorization.”
The Accolade received a PDF of the letter the same day that the teacher who provided it received it in the mail – five days after the date listed on the document. The name on the letter had already been removed when the student editors received the digital file, and The Accolade has agreed not to reveal the source’s identity for confidentiality.
“Through our investigation, we have determined that the potentially impacted information included your name in combination with Social Security number. … Although we have no reason to believe any information has been or will be misused because of this incident, we are offering you access to twelve months of complimentary credit monitoring and identity protection services in an abundance of caution,” according to the document.
*The teacher who provided the document to The Accolade gave this statement:
“I’m very frustrated that it took this long for me to be notified that someone has my personal information,” the faculty member wrote. “Since Nov. 14, who knows what has happened to my Social Security number, and after a year of that free credit monitoring, who knows if the hacker will use my data two years or more from now knowing that this is a common response from companies and districts that have been victimized this way. I don’t trust in the district’s reassurances that ‘we have no reason to believe any information has been or will be misused.’
“My letter was dated Jan. 5, and I didn’t receive it in the mail until Jan. 10; couldn’t the district have emailed me a digital version of the letter on the 5th?” the teacher wrote. “Any district employee who’s been victimized this way should have been offered a lifetime of credit protection for the years of service we’ve offered in this district.”
The teacher concluded the statement with the following:
“What’s worse is that the letter ends without anyone’s name — not even the superintendent’s name. It just shows at the bottom, ‘Fullerton Joint Union High School District.’ How impersonal.”
FJUHSD superintendent Steven McLaughlin responded Friday, Jan. 12, to the two emails that co-Spotlight editor junior Seowon Han sent requesting for an interview about the network outage — the first one dated Friday, Dec. 8, and the second one dated Wednesday, Jan. 10.
However, he only replied by mentioning the community statement that was set to be sent to staff, parents and students that same day at 4:19 p.m.: “This afternoon around 4:30 p.m., we are sending out an update to all of our community regarding the network outage.”
FJUHSD trustee Joanne Fawley, who represents the Sunny Hills area, responded to Han’s first email dated Friday, Dec. 8, with following information: “Sorry for the delay. I accidentally overlooked the email when it was first sent. By now, you have received information about the outage. I recognize that you were probably on a deadline and apologize for not responding sooner.”
But when contacted again with a Wednesday, Jan. 10, email to follow up on Fawley’s response, the board member responded 3:48 p.m., Friday, Jan. 12, with the response similar to that of the superintendent: “The District is putting together a community statement for this evening. It won’t answer all of these questions, but it will be an overview of the situation.”
The letter does not mention whether any student or parent information was compromised during the attack, though the subsequent email today from the superintendent mentions “there is evidence that some student non-sensitive information such as IDs, name, addresses was accessed.”
Last November’s network outage left many teachers and students scrambling to adapt to a wireless campus for most of the week before Thanksgiving break. Parents and students could not check teachers’ gradebooks in Aeries to see student grades until Monday, Nov. 27, the first day back from Thanksgiving break. Because of the hack, teachers were given an extended time – until Friday, Dec. 1 – to submit their progress report grades, delaying the time that students and parents can see those marks.
Although school officials referred all questions from The Accolade about the network outage and its cause to the superintendent’s office, students and parents remained in the dark about what happened, though many students had speculated that it had to be a ransomware attack.
“[At first], I heard people joking about it being a hack,” senior Camille Timbol said. “And my English teacher [Tom Wiegman] mentioned [the situation] in class.”
Since crucial data was at risk, senior Cara Lukkes said the district should have acted sooner to inform stakeholders, especially since students didn’t know at the time whether their information was taken in the data breach.
“We should have probably also received the information about what happened because it had all of our personal information on Aeries, too,” Lukkes said.
Ransomware attacks targeting school districts is not new.
In July 2022, the Los Angeles Unified School District faced a similar problem; however, much more threatening to those in the district as 500 gigabytes of school data — including at least 2,000 student records — were taken and released to the dark web after the district refused to pay the ransom fee. An announcement of the Long Beach Unified School District’s data breach was made around the same time; at least 130,000 student names and their email addresses and student ID numbers were accessed.
The FJUHSD’s data attack occurred more than two weeks before that of the Glendale Unified School District, which was confirmed on Nov. 30.
At the top left hand corner of the teacher’s letter provided to The Accolade, it states: “Fullerton Joint Union High School District ℅ Cyberscout.”
According to PR Newswire, Cyberscout is a company that offers comprehensive identity management and data security services. However, the document does not indicate whether that firm was among the “third-party specialists” that the letter mentions the district had started the hack investigation with assistance from.
In a section titled “What We Are Doing,” it informs the teacher that “we implemented additional security measures to further protect our network and reduce the risk of a similar incident occurring in the future. We also promptly notified law enforcement.”