A Sacramento school district waited months to disclose a data breach. What info was exposed?
Staff members of Natomas Unified School District were notified July 15 that the network shutdown they had been dealing with for several weeks was due to a potential hacker. Usernames and passwords may have been accessed, Deputy Superintendent William Young wrote in the email to the district’s 1,400 staff members.
Students and parents, however, were not provided with the same information. A few days later, families of the district’s 14,500 students were told via parent portal that they would temporarily lose access to their school accounts due to annual maintenance by the IT department. The message did not mention the suspicious activity on the district’s network.
In late June 2024, the Natomas Unified School District IT department shut down the district’s network system, wifi network, VPN services and phone lines after identifying suspicious activity on the network. The system remained down weeks into the summer as IT staff and a third-party forensic service investigated the issue.
In California, any data breach affecting more than 500 residents must be disclosed to those affected and reported to the Attorney General. The law does not specify a time frame in which this disclosure should occur.
It wasn’t until nearly six months after the shutdown that the state Department of Justice and families were officially notified of the data breach. The district and its cybersecurity firm’s investigation concluded Nov. 15, 2024 and the state Department of Justice and students were notified of the breach on Dec. 13, 2024, following a Nov. 13, 2024 inquiry by the Sacramento Bee.
The notice said that log in credentials were made vulnerable, but that they had “no evidence this data was accessed or taken.” The third-party forensic specialist was unable to confirm whether or not Natomas Unified usernames and passwords were accessed by a hacker, but the district said that they cannot rule this out with certainty.
Natomas Unified spokesperson Deidra Powell said that administrators focused on staff accounts initially because students were out of school for the summer.
“We focused on staff at that time, developing a plan to update all student passwords,” Powell said. “Once it was safe to reactivate those accounts we did require them to update to stronger passwords.”
Powell said that the Thanksgiving holiday delayed the official disclosure.
“It wasn’t that long after our investigation had concluded that we shared the information out of an abundance of caution, so that students and staff and families knew what was going on,” she said.
Natomas Unified has not shared any information about the nature of the attack or how it was determined that no information was stolen. Powell said that multifactor authentication for staff accounts was already and that a plan was in place to transition to MFA for student accounts.
The district denied a California Public Records Act request filed by the Sacramento Bee on Nov. 13, 2024 seeking communications between district staff and board members, Governor’s Office of Emergency Services reports surrounding the breach and contracts with third party cybersecurity firms. Attorneys on behalf of the Bee sent a letter Monday demanding that Natomas Unified disclose records responsive to the November request.
Implications of a data breach
Natomas Unified is one of many school districts across the country to be subjected to a data breach. Just weeks before, El Dorado Union High School District suffered a worse breach in which students’ and staff’s social security numbers were compromised alongside other personal information.
Earlier this month the Sacramento Bee reported that a Folsom-based education technology company suffered a cybersecurity incident that could have exposed the personal information of millions of students and teachers nationwide. Folsom Cordova Unified School District is one such district whose students’ and teachers’ data was exposed in the breach. Staff and families were notified of the breach within a few days of the district becoming aware of the incident.
Co-founder and director of education cybersecurity nonprofit K12 Security Information eXchange Doug Levin said that as K-12 schools have become more reliant on technology for the majority of their operations, both schools and their vendors are increasingly being targeted by professional criminals overseas who seek money through ransomware attacks or by stealing personal data that can be sold on the dark web to be used for identity theft.
Despite California’s law surrounding reporting data breaches, Levin said that trying to piece together the scope of cybersecurity incidents can be difficult from these reports because they are like “an iceberg sitting in the water — we’re describing what we can see above the waterline.”
“Evidence of something not happening is not the same thing as (there being) no evidence,” he said.
Administrator and staff accounts typically need more protections because they can typically access more sensitive information, Levin said, but it is important that students be informed of cybersecurity incidents even if the organization isn’t sure any info was taken.
“If mine or my student’s information was compromised and the school system withheld it from me, I’d be livid,” he said. “Time is of the essence in terms of informing potential victims. And the longer it goes between when the data was breached and when victims were informed, that’s the amount of time that threat actors can take advantage of people.”
Levin noted that young people especially use the same or similar passwords for their school accounts, personal email, social media apps and banking information, and that threat actors may exploit these accounts to find something valuable.
“I do think it is beholden on school systems to be really consistent with their mission to protect the members of the school community and let them know if there’s a reason to believe that their information may have been accessed,” he said. “If I was a member of this community, I would certainly want to know what happened, but most importantly, what steps they’re going to take to make sure that something like that doesn’t happen again.”
This story was originally published January 14, 2025 at 7:00 AM.
CORRECTION: The Folsom Cordova Unified School District learned of the PowerSchool data breach on Jan. 7 and informed staff and families on Jan. 9. The amount of time between when the district learned of the breach and when they informed their community was incorrect in an earlier version of the story.
