
SAN ANTONIO (KTSA News) — A cybersecurity breach in Dallas ISD that compromised the information of 800,000 students, staff and parents last year was apparently carried out by a couple of students.

The two students responsible were not trying to act maliciously when they collected the sensitive data going back two decades in August, WFAA reported, but the breach highlighted a huge security flaw in the district that prompted IT professionals to resign.

The district was not particularly forthcoming with the news of the security breach and reportedly waited nearly a month to announce it to the public — omitting the fact that students were responsible.

The district said “an unauthorized third party accessed the district’s network.”

Dallas ISD’s chief information security officer resigned in October following the incident and detailed his complaints in a scathing email.

“I am afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility,” Dr. Rajin Koonjbearry said in the email. “I am now convinced that Dallas ISD IT cannot keep our data safe….”

According to WFAA, the district received a report in January 2020 detailing the results of a simulated cybersecurity attack. The report gave Dallas ISD poor grades, noting that consultants were able to infiltrate the network of the district’s police department and access the district’s door locks, security cameras and the records of more than 150,000 students.

Superintendent Michael Hinojosa told WFAA he had not seen the results of the January 2020 simulated attack.

Koonjbearry reportedly attached the results of the test, in which consultants estimated the district would spend upwards of $30 million in the aftermath of a potential cyberattack, to his October resignation email.

“No serious actions were taken to remedy the situation,” Koonjbearry wrote in October.

COVID-19 hit a few months after the report was released, which WFAA says upended the district’s IT department as they made the move to remote learning.

The two students responsible for the breach were also the ones who notified the district they had been hacked, sending an email with the results of their attack.

“We are not professionals, nor do we have any experience in offensive cybersecurity,” the email breaking the news of the breach to district officials reportedly said. “We are just two students who were curious… If you want to hire me, I have no resume, but would be very interested, thanks.”

Dallas ISD referred the hacking to the FBI and the case was reportedly declined by federal prosecutors.

The district has implemented new security policies, including two-factor authentication, which it introduced last month.

“We put in a lot of security measures that are very inconvenient for our staff, but it’s very important because we need to protect the security of this information,” Hinojosa told WFAA.

Hinojosa announced he would be resigning on Jan. 13.
