And the countdown begins.
“Your password is set to expire in 3 days. Change it now.”
“Your password is set to expire in 2 days. Change it now.”
“Your password is set to expire in 1 day. Change it now.”
“You are required to change your password. Please choose a new password.”
Students who use the Aeries grading and attendance app have been seeing these messages pop up every couple months to their dismay.
“It’s really annoying,” junior Laila Ahmad said. “On my phone I have Face ID, and I have to keep uninstalling and redownloading the app in order to get the new password to work with my Face ID.”
Ahmad said she changed her password four times since August and realized she was not checking her grades as often as she used to with the Face ID login option.
“There was a point where I wouldn’t check my grades at all because it would take too much time to log in, especially since it’s now mandatory to add special characters [in passwords],” Ahmad said.
It’s also frustrating for many students since the requirement for an acceptable new password must contain the following requirements:
- “Must be at least 8 characters long/”
- “Must contain at least one non alpha-numeric character. Examples – * & % $ # @”
- “Must contain at least one letter and one number.”
- “Must be MixED CAse.”
- New password must be significantly different than old.”
“It is kind of annoying because I don’t remember what I changed my password to sometimes,” sophomore Carson Kim said. “So I have to try a bunch of different passwords that I might have used.”
Students were not notified of the change on Aeries when Aeries changed the system in April.
Before that, Aeries systems officials had alerted the Fullerton Joint Union High School District [FJUHSD] last April 28 of a “possible data breach that may have occurred on November 4, 2019,” affecting 1,022 student and 6,329 parent accounts, according to a letter from FJUHSD superintendent Scott Scambray.
Dated May 1, 2020, the correspondence was addressed and mailed to “the Parent/Guardian of” the student whose Aeries account was hacked, and it mentioned the “vulnerability” as occurring between Nov. 4 and Dec. 20, 2019. No additional information was given as to whether those hacked accounts impacted all FJUHSD campuses or just certain ones.
The letter was provided to The Accolade by a Sunny Hills parent who had received the notice.
“You are receiving this notice of data breach because your contact information in the Fullerton Joint Union High School District’s database (Aeries) has been compromised,” Scambray wrote. “By California Civil Code 179829(a) the District is required to disclose any breach of security of the system which contains the personal information of a student.”
Contents of the correspondence was separated into six sections:
- What Happened?
- What Information was Involved?
- What We Are Doing?
- What You Can Do?
- Other Important Information
- Person to Call
At the end of the “What Happened?” portion, the superintendent wrote, “On April 29, 2020, the log files of all District Aeries servers were searched. One server contained evidence that this security vulnerability was used to illegally access parent and student data.”
The subsequent section described in detail the scale of the breach: “The data included student first and last name, parent/guardian first and last name(s), address (street and city),=]parent/guardian/student portal account emails and parent/guardian/student portal account passwords (passwords were encrypted),” Scambray wrote. “No student discipline, attendance, counseling notes, or Special Education information was accessed. There are absolutely no social security numbers in the Aeries system; therefore, there is no risk that this information was compromised.”
Besides notifying parents through the letter, the superintendent stated that Aeries officials pursued a police investigation that resulted in the arrest of a suspect who was not identified.
“The investigation included seizing the computer equipment used to illegally access the data,” Scambray wrote in the third part of the letter. “The police investigation concluded that the perpetrator did not have malicious intent and that the data accessed was not used, shared, or sold.”
Aeries officials could not be reached for further comment about the investigation and the person who was arrested and whether charges have been filed.
To prevent anyone else from discovering the vulnerability in Aeries, the company that produces the app — Eagle Software — has since provided the FJUHSD technology team with a patch, which was used to update the system on Jan. 13 with no other issues so far, Scambray wrote.
“On April 30, 2020, the District instituted new parent/student portal security measures, including forcing a password reset on all portal accounts, requiring a heightened level of password complexity, and requiring multiple password changes during the school year,” according to the end of that third section.
In the final three sections, the superintendent encouraged those whose accounts were hacked to change their passwords “across other websites” and offered contact names and phone numbers for those who may have more questions or concerns.
“Although the breach was not caused by anything District staff members did or neglected to do, the District expresses apologies for any concerns of students or parents,” Scambray wrote near the end of the letter. “The District … is doing everything possible to continue to keep all student information safe and secured.”
“From what I know, my parents have not received a letter yet,” Ahmad said. “I guess I feel iffy about Aeries having my information, but oh well.”
Unlike Ahmad, Kim does not take this situation as seriously as he has trust that his information will stay secure after the new changes were enforced.
“I don’t have any reason to think that my information will not stay safe in Aeries,” Kim said. “I don’t think it would be necessary for the district to have informed all students about the hacking incident because it would only cause panic.”