Home › Student Hacker Sentenced for Computer Security Breach

Student Hacker Sentenced for Computer Security Breach

No sign that hacked student information was used or shared 

 
Update Nov. 15, 2012: The high school student who breached a 4J computer system in June 2012, accessing identity information for thousands of current and former students, has pled guilty and been sentenced for felony computer crime. 

Police found no indication that the student identity information, including some students' Social Security numbers, was ever used for any purpose or posted publicly. The student shared the hacked data with district administrators via a secure site that was not accessible to the public. 

The district has tightened password protocols and other network security measures, and has taken additional steps specifically to secure students' Social Security numbers. While 4J stopped collecting students' Social Security numbers years ago, some SSNs remained in some student records. The district has now purged SSNs from computerized student records and sequestered the data.

 

 

 

Update July 11, 2012: Eugene Police issued the following news release on July 11:

"A 16-year-old former 4J student has been charged in connection with last month’s computer breach of a 4J system.

"Earlier today the Eugene Police Department served a search warrant in the North Eugene area and charged the 16-year-old male resident with one count of Computer Crime. Investigators collected evidence from his home and are continuing to look into the case.

"Based upon initial indications the overall risk to students’ information accessed in the breach appears low. As investigators process the equipment gathered in the search warrant additional charges may be applicable.

"The 16-year-old male was cited in lieu of custody and released to his parents."

 

 
How to
guard against
identity theft:
see below 

What Happened and When?

In early June 2012 someone accessed confidential files that contained students' and some former students' personal identity information, including names, addresses and some Social Security numbers. The data did not include any academic or financial information, such as grades, test scores or credit card numbers. The investigation of how the breach occurred is ongoing, but initial indications were that the person may have used a district computer workstation to access the data without authorization. 

What Was Exposed?

The confidential files that were accessed are used to transfer data between our student information and student meal programs. They included identity information for all or most current 4J students including names, student ID numbers, addresses, dates of birth, and in some cases phone numbers, Social Security numbers, and/or students’ free or reduced-price school lunch status. A file containing similar information from 2007 also was accessed.

What Was Not Exposed?

The data did not include any academic or financial information, such as grades, test scores or credit card numbers.

What Is 4J Doing?

The district promptly notified police, initiated a thorough investigation of the security breach, and took measures to further safeguard your student’s personal information.

In our first steps, we have:

  • Changed passwords and increased password security
  • Limited the student personal data shared in the school meal system
  • Sequestered the Social Security numbers we are required to retain in our data systems

We are continuing to assess our information security systems to make certain that we have all appropriate measures in place to ensure students' personal information is secure.

We sincerely regret the inconvenience this may have caused to our students and their families. We directly contacted families of current and former students who may have been affected, as well as notifying local media and sharing the information on our website. The email and postal mail sent to families informed them of the data breach and of steps the Federal Trade Commission recommends to protect financial accounts when a person's Social Security number has been breached.

If you have questions please send email to databreach@4j.lane.edu or call 541-790-7737. 

 

What Can You Do?

When an individual's Social Security number has been exposed, as was the case with some students whose information was breached, there are ways to help protect against the possibility of identity theft or other misuse of personal information. The Federal Trade Commission suggests specific steps you can take to protect financial accounts, protect against fraud, monitor for fraudulent activity, and report suspected fraud — please see below.

However, when Eugene Police made an arrest in July they stated that "based upon initial indications the overall risk to students’ information accessed in the breach appears low."

 

 

What To Do If Your Personal Information Has Been Compromised

If your student’s Social Security number and other personal identity information may have been exposed, we encourage you to take steps to monitor and protect your student’s financial accounts.

The Federal Trade Commission (FTC) has provided specific steps people can take to protect themselves from the possibility of identity theft or other misuse of their personal information when there is a possibility that an unauthorized person has obtained their information.

Protect Against Fraud: If your student’s Social Security number has been exposed, the FTC recommends that you contact one of the three nationwide consumer reporting companies to request a fraud alert on your student’s credit reports. This alert can help stop someone from opening new credit accounts in your student’s name. You only need to contact one of the consumer reporting companies, which will alert the other two companies.

If your student is under the age of 18, you must submit your request by mail. Equifax’s process is as follows:

Mail to:

Equifax Information Services LLC – Minor Child
P.O. Box 105139
Atlanta, GA 30348-5139

Include:

  • A letter of explanation
  • A copy of the child's birth certificate
  • A copy of the child's Social Security card or a document from the Social Security Administration that shows the child's Social Security number
  • A copy of your driver's license or state issued identification (must show proof of current address)
  • If you are not the child’s parent, a copy of the document giving you legal authority to act on behalf of the minor child
  • If you wish to increase the fraud alert coverage to 7 years, make a note of it with the paperwork. 

Please enlarge photocopies of any items that contain small print (e.g. driver's license, W2 forms, etc.). Please ensure that your photocopies are legible and do not contain highlighting, or the company may ask you to resubmit your request with more legible documents.

This is the process for Equifax. You may alternatively contact Experian or TransUnion to learn about their process for minor children. You only need to make the request to one of the three companies. 

If your student is over the age of 18, you can place a free 90-day fraud alert on your student’s credit reports by calling one of the companies, which will alert the other two companies.

Equifax: 1-800-525-6285
Experian: 1-888-EXPERIAN (397-3742)
TransUnion: 1-800-680-7289

If you wish to increase the fraud alert coverage to 7 years, you can submit a request in writing with documentation similar to the process for minor children listed above, but with the additional requirement of a copy of the police report.

Monitor For Fraudulent Activity: When you place this alert on your student’s credit report with one nationwide consumer reporting company, you’ll get information about ordering a free credit report from each of the companies. The FTC says it is prudent to wait about a month after your information may have been stolen before you order your report, since suspicious activity may not show up right away. Once you get your reports, review them for suspicious activity, such as inquiries from companies your student did not contact, accounts he or she did not open and account debits that you cannot explain. Check that the information—including your student’s Social Security number, address, name or initials, and employers—is correct.

Report Suspected Fraud: Finally, if you find any suspicious activity related to your student’s financial accounts or on his or her credit reports, call your local law enforcement agency immediately.

Learn More: For more information about how to prevent identity theft, please see http://www.ftc.gov/idtheft.