DIXON – The hacker who compromised the Dixon Public Schools website, email accounts and Twitter account earlier this month was also able to access some student information.
During the regular school board meeting Wednesday night, Superintendent Michael Juenger said the district sent a letter to parents letting them know about the additional compromised information, which included health records, grades, names and addresses.
“Not sure what they can do with that,” Juenger said. “We don’t keep any social security numbers. But [health records were] information that was hacked. To our knowledge, at this point, nothing has really been done with it.”
Several days after the hack, Juenger told Sauk Valley Media he didn’t think any personal information had been compromised, but was waiting to hear back from the company that handles the parent portal, where that information is stored.
That company informed him of the extent of the compromised information this week, Juenger said.
Student grades were also compromised, Juenger said, but they’re backed up every day, so the district went back to a day before the hack to restore them. Teachers then re-entered the grades.
The district doesn’t ask for student social security numbers, Juenger said, and credit card information is kept on another third-party server, which the hacker didn’t access.
The health information that was compromised could have included any allergies a student might have, or any medication a student takes, Juenger added.
The passwords to the compromised servers and accounts weren’t simple, single-word passwords, Juenger said. One of the passwords was 16 characters long and included lowercase letters, uppercase letters, numbers and symbols.
The district has regained control of its email accounts and website, but is still working with Twitter to regain control of its social media account, which has gained followers since it was compromised.
Assistant Superintendent Margo Empen said since the hacker changed the email address and password associated with the Twitter account, the district has additional steps to take with the company to regain control.
The district first became aware of the hack on March 2, when its website was redirected. The issue was resolved by the following day, and district employees were told the issue was only with the GoDaddy account, which houses the website.
In the days following the initial redirect, the website was redirected a second time, and the Twitter account was compromised, as well as the district’s email accounts.
During the time the district’s accounts were compromised, the hacker was posting to a website message board.
From conversation on that message board, it appeared several other hackers accessed the the district’s accounts from information that was posted.
The final comment on that thread was from a poster who told the hacker and the others to stop, because it was affecting teachers and students.
The Dixon Police Department, the Illinois State Police and the Federal Bureau of Investigation were notified of the hack, Juenger said.