ALLEN, Texas — Editors note: The video above is from a report on Sept. 29, 2021.
Allen Independent School District released new details Thursday regarding a cyberattack from last fall that caused the district to investigate the incident.
In September 2021, Allen ISD officials said hackers tried to extort the district for millions of dollars. The district announced the following month it was not going to pay the ransom money, based on guidance from cybersecurity experts and law enforcement.
District leaders also said they would be providing credit monitoring for adults and identity monitoring for students at no cost.
On Thursday, Allen ISD said an investigation of the cyberattack from an independent cybersecurity expert was complete. Here is what was discovered.
What happened?
Allen ISD experienced a network outage on Sept. 20, 2021 that impacted several systems including WiFi, printer, and phone operations.
The Allen ISD technology department discovered the outage was due to a cybersecurity threat. Allen ISD said it immediately contracted with cybersecurity experts to conduct the recently completed investigation to determine the extent and scope of the incident.
District leaders said they also notified the FBI and are continuing to work with them in the department's own investigation.
Was any personally identifiable information involved?
According to the investigation, there is no evidence that any unauthorized user got into Allen ISD’s databases, including the Student Information and Financial databases.
District officials said they determined that some information held in locally stored documents was accessed by the unauthorized user and the information of the following groups was accessed:
- 3 students
- 550 current and former Allen ISD employees
- 7 vendors that do business with Allen ISD
The unauthorized user also accessed a list of email addresses from current and former employees and parents, according to the investigation. Texas Business & Commercial Code Section 521.002 does not consider email addresses as Personally Identifiable Information.
District officials said they have adjusted the frequency of security reviews that they say will better address data protection measures.
How will parents know if their information was involved?
In the coming days, Allen ISD said it will send letters through the U.S. Postal Service to inform parents if their personal information was possibly accessed during the cyberattack.
If a parent does not receive a letter, then the district has no indication that his or her family's information was exposed.
Parents may also call 1-800-939-4170 to verify if their Personally Identifiable Information was involved. The phone number is managed by IDX, a credit-monitoring and identity-monitoring company partnered with Allen ISD.
What will the letter look like?
The letter will come in a white envelope with the Allen ISD logo visible through the envelope window.
The body of the letter will include the Allen ISD logo along with information about IDX.
Is there credit monitoring for those affected?
On Oct. 12, 2021, Allen ISD sent an email to parents and staff with a link to enroll in credit monitoring protection for adults and identity protection for minors.
District officials said this protection was provided out of an abundance of caution. Parents who receive a letter in the mail will find information on how to enroll in monitoring services and identity theft recovery services from IDX. Those who already enrolled for this service in October do not have to re-enroll.
Allen ISD officials said they knows this type of protection will not eliminate all concerns regarding cyberattacks, they hope it will provide some level of comfort. They said they have no evidence anyone’s information has been misused.
What is Allen ISD doing to prevent a similar event in the future?
Allen ISD is one of the many school districts and corporate organizations impacted by cybersecurity threats. Allen ISD said its technology department has taken several steps to make its cyber security stronger and continues to work with independent cybersecurity experts.
Allen ISD will offer professional development and learning opportunities for staff and students to promote safe technology habits including required cybersecurity training.
District officials said they are encouraging staff, parents, and students to increase their digital safety, such as keeping passwords private and safe, avoiding clicking on suspicious emails or links, verifying the identity of anyone asking for personal information, and deleting sensitive information when it is no longer needed.