The Accolade Editorial Board unanimously agrees that the district-wide network outage that occurred last semester from Nov. 14-Nov. 15 warranted more transparency and immediate information from the superintendent.
Cyber attack?
Data breach?
Hacking?
While the complete internet shutdown that impacted teachers and students on campuses throughout the Fullerton Joint Union High School District [FJUHSD] last November seems like a distant memory, questions about what caused it still lingered. With students’ private information at stake, the delay in informing the community left students and families confused.
Even though it’s clear that district and school officials were aware two months ago what had happened and that only an unspecified number of teachers’ data was compromised (according to an FJUHSD, Friday, Jan. 5, letter addressed to a teacher and given to The Accolade earlier this week), it doesn’t mean the superintendent – the official whom Sunny Hills principal Craig Weinreich referred The Accolade to for all matters related to the network outage – can wait until we came back from winter break to issue a statement to students and parents in the community.
And not until the Friday, Jan. 12, of the first week back, especially since the statement mentions “there is evidence that some student non-sensitive information such as IDs, name, addresses was accessed.”
We needed that correspondence at least before winter break. Perhaps district officials – superintendent Steve McLaughlin – may feel that the matter remains under investigation, and so it could hinder law enforcement’s work on the ransomware attack if all stakeholders were informed of what happened a week or two after the breach.
But McLaughlin needs to know that the lack of explanation not only leads to a circulation of rumors among his employees, students and parents, but it also prevents people from taking necessary precautions. If the superintendent’s children attended any of the schools in the district – like with his predecessor – we believe he would also want to know as soon as possible that someone out there has his children’s names and home addresses. Calling that “non-sensitive information” in his notice to all stakeholders is actually an insensitive thing to do.
Parents and students should be aware of the immediate steps they need to take to keep their private information safe. Why aren’t they being offered the one-year of identity protection that FJUHSD employees are getting for their personal information being stolen by these hackers?
The absence of any updates gives a false assurance, which convinces those affected from being particularly vigilant about keeping their private information safe. For example, an online Dec. 7 Orange County Register article suggests “after a cyberattack, do not use any laptops or electronics connected to the school’s IT system as the malware can infect home or personal networks too.”
Informing the community three months after the incident becomes too large of a window for people to lose further private information. In the case of a future ransomware attack, students and families should not only be informed about the cause of the shutdown immediately, but they should also receive tips on what can be done on private devices as officials continue to resolve or investigate the matter.
For those who forgot about what happened, here’s a recap:
The district-wide WiFi outage occurred from Tuesday, Nov. 14-Wednesday, Nov. 15. Though WiFi was restored on Thursday, Nov. 16, the Aeries portal in which students and parents regularly access teachers’ gradebooks was still non-functional. This was something that the superintendent left out in his letter that was sent at 4:22 p.m. on Friday, Jan. 12 – nearly an hour after school ended.
Throughout this disruption, parents, students and staff members received one email on Nov. 14 from the FJUHSD superintendent, who acknowledged a network outage had occurred but never gave the cause for it.
When an Accolade editor reached out via email to McLauglin and FJUHSD board member Joanne Fawley, who represents the Sunny Hills community, to request an update on Friday, Dec. 8, no immediate reply was given.
It was only 12 days later on Wednesday, Dec. 20, when Fawley responded: “Sorry for the delay. I accidentally overlooked this email when it was first sent. By now, you have received information about the outage.”
Then McLaughlin finally sent an email reply on Friday, Jan. 12, telling the editor: “My apologies for the delay in response as we attempt to navigate this situation. This afternoon around 4:30 p.m. we are sending out an update to all of our community regarding the network outage.” The editor’s 5:20 p.m. follow-up email asking for responses to some more questions about the ransomware attack did not get a reply; the superintendent was informed of our deadline, which was at 6 p.m. today.
Since no official confirmation as to what happened was provided until today, Friday, Jan. 12, The Accolade was unable to inform its readers about the cause. It wasn’t until Wednesday, Jan. 10, that we were able to proceed with posting not only this online staff editorial today, but our other series of Spotlight stories after we had obtained a copy of one of the letters sent to district employees.
The letter from a teacher whom The Accolade has opted not to identify for confidentiality confirms that the faculty member’s “name in combination with Social Security number” was “potentially accessed without authorization” and that an “investigation determined that FJUHSD was the victim of a sophisticated ransomware attack.”
By then, The Accolade had already conducted several interviews among the Sunny Hills student body to be prepared for the day when we can post something to our readers, and they all reflected what Cyber Patriots president senior Abhijit Sipahimalani told us:
“The response was very slow. I feel like [the district] could have been a lot faster if it was better prepared.”
Were we “better prepared”? We doubt any official will ever confess that we weren’t, even though ransomware attacks have been happening particularly to other school districts nationwide well before ours occurred.
Finally, the issue of money is also involved. According to the same Orange County Register article, to completely recover from a data breach sometimes takes months to process with “schools facing significant monetary losses with having to replace computers and other hardware.” This makes transparency on how the district intends to carry forward with the unauthorized breach more essential.
Where are the funds coming from to pay for these “third-party experts” that the superintendent mentioned about in his letter today? How much does it cost? Who are these “experts”? We believe this information should be available to all stakeholders. We doubt that such vague phrases will offer the reassurance necessary, especially for those victimized by this ransomware attack.
In an era of increasing cyber-attacks directed at school sites, such as the one that occurred in the Glendale Unified School District last December, clear communication between the school and its members is necessary to ensure safeguards for the future. Neither the superintendent nor anyone else in his cabinet should worry about what the media will do upon notifying the public immediately. They should worry about offering reassurance to the victims – in a sensitive manner.
The Accolade Editorial Board is made up of the top editors and section editors on the new 2023-2024 staff with the guidance of adviser Tommy Li. If you have a question about the board’s decision or an issue for the board to discuss and write about, please send an email to [email protected].