Implement Better Cybersecurity For Jeffco Public Schools, CO

The Issue

Over the weekend of November 4th, Jeffco Public Schools' online platforms were breached by a threat actor group known as SingularityMD, using a student account. The group claimed to be the same one behind the October Clark County School District breach in Nevada, demanding $15,000 USD in an obscure cryptocurrency by November 7th at 5pm.

The district did not pay.

They. Did. Not. Pay.

Their response was instead to lock everyone out and make them reset their password. Very few people have been able to log in to the site used and reset their password.

Now Jeffco students' and staff's highly private, highly sensitive information is likely going to be leaked to the dark web and other unsafe places. And they have EVERYTHING.
Staff phone numbers & addresses, contact information for both present and past students, student emergency contact info, & extracts from group conversations.  According to an email from the threat actor, the data totaled over 40 GB, and so there could likely be more undisclosed information.

Students are now in danger of physical harm by this information being revealed to others. It's possible nothing will come of it. But the chances of that are slim in today's world.

Jeffco has proven they cannot be trusted to manage students' cybersecurity. As previously mentioned, the threat actor gained access to system admin privileges via date of birth being used as students' passwords, and misconfigured Google Drives.

This can be fixed in several simple ways that are available to even a basic Google Workspace administrator but are not turned on for Jeffco's Google systems.

As Jeffco students, we request the following of Jeffco Public Schools:

  1. Enable voluntary two-factor authentication and provide instructions on how to enable it. Keeping it voluntary lets elementary students log in without needing a secondary device such as a phone or iPad, but allows middle school and high school students, who are far more likely to have such devices, to have an extra level of security where online prudence may fail.
  2. Separate Google login credentials from Jeffco system (i.e., Schoology, Infinite Campus, Papercut or Clever) login credentials. Remembering two or more different passwords can be difficult, but in the event of another data breach, it eliminates variables and hackers' access to applications.
  3. Allow for passwords to expire after a year. Having a consistently rotating password decreases chances of a breach significantly.
  4. Increase the maximum password character length from 12 to 50 or even 100. Having a longer password increases security by quite a bit. 
  5. Allow students to change their own password. During the breach lockdown, a temporary password was set that was even less secure than the date-of-birth system. This temporary password allowed anyone to log in if they knew a student's ID number, which is listed on our Jeffco email addresses.

This is just the Google side. I'm sure there's much more that can be done when it comes to platforms such as Schoology, InfiniteCampus, Clever, and Papercut.

We are open to meeting with Jeffco officials if they find these pleas aggravating, or working with them in order to bring stronger security to the district. 

Read more about the breach here.
Read Jeffco's response releases here.

This petition had 22 supporters

The Decision Makers

Jeffco Public Schools
Jeffco Board of Education