"Staff was notified this morning about a website that exposed information about Palo Alto High School students' weighted GPAs and class ranks. As soon as we received notice, we immediately invoked the data breach response protocol and began investigating the report. The incident is still under investigation; however, staff has verified at least some of the information generated by the rogue website is legitimate."Officials have determined that the breach exposed the names, grade point averages (GPAs), and student numbers of those in grades 10-12 at the high school. According to The Mercury News, that information originated from a leak involving Infinite Campus, an educational portal which enables schools to set up learning management systems for all classes. Infinite Campus also stores student's private data like their medical records and family information. Palo Alto United High School clarified in an update on 6 October that the incident didn't expose any of those additional pieces of information. Staff first learned about the rogue website, called "paly rankcheck," on Thursday. Students could "check your weighted GPA and rank relative to your class" by submitting their respective Infinite Campus IDs. They could not look up other students' information unless they knew their credentials.
"It’s fantastic if you’re a hacker or marketer — this is golden information.... Classrooms throughout the K-12 system can have all sorts of unsecured laptops and mobile devices,” she said, “and lots and lots of skilled little hackers."At this time, Palto Alto United is working with law enforcement and the Privacy Technical Assistance Center of the U.S. Department of Education. While their joint investigation of the incident continues, the high school is requiring teachers and staff to reset their passwords. It's also reviewing its Infinite Campus access logs for suspicious activity. For information on how Tripwire's products can manage your organization's log collection, click here.