DALLAS — The email arrived just after midnight on a Sunday last August.
Addressed to Dallas Independent School District trustees and other top officials, the anonymous authors said the district had been the victim of a massive cyberbreach.
They claimed to have access and downloaded huge amounts of student grade information, as well as confidential sensitive information of employees, students and parents going back two decades. They also claimed to have accessed computer vulnerability reports the district stored on its servers.
As proof of the massive breach, the hackers included encrypted links to the “compromised data.”
“It sounds like they pretty much had access to everything and anything on that network,” said Phillip Wylie, a North Texas cybersecurity expert.
Nearly a month would go by before school officials would tell the public about the incident. When they did, officials said an “unauthorized third party accessed the district’s network, downloaded data and temporarily stored it on an encrypted cloud storage site.”
What the district didn’t tell the public was that masterminds able to breach the computer systems of one of the country’s largest school districts was actually … two students.
In their email, they identified themselves as “interested in the cybersecurity of Dallas ISD.”
Even six months after the incident, Dallas ISD Superintendent Michael Hinojosa wouldn’t acknowledge to WFAA that it was students behind the cyberbreach, but said he’s not aware of any harm that resulted from the incident.
“Nobody has told us that their credit has been breached. Nobody has told us the student records are anywhere,” Hinojosa said in a recent interview. “So, apparently someone did something right, because nothing has gotten out since we had this issue in August.”
But, the incident was concerning enough to Hinojosa’s chief information security officer that he quit, and blasted the district’s handling of the breach in his resignation email.
“I am afraid the details of the breach will become public at some point, and Dallas ISD will lose credibility,” wrote Dr. Rajin Koonjbearry on Oct. 28. “I am now convinced that Dallas ISD IT cannot keep our data safe....”
“While he has his right to his opinion, I've learned in this business, in 27 years as a superintendent, there's at least two sides to every story, sometimes three or four,” Hinojosa told WFAA when he was asked about Koonjbearry’s email. “He makes some very legitimate points that we need to look into.”
Koonjbearry declined a WFAA interview request.
Dr. Hinojosa said an outside law firm is looking into the allegations raised by Koonjbearry.
Warning signs
A year and a half before the breach, Dallas ISD’s cybersecurity department was on notice that its systems were vulnerable.
In a January 2020 report, an outside consultant warned DISD that it had a “severe inability to identify, defend, contain and remove a real-world threat” if detected on the network.
In a simulated cyberattack, the consultants were able to, among other things, infiltrate the network of the district’s police department, as well as the district’s door locks, security cameras and 157,000 “unprotected student records.”
Hinojosa told WFAA that he has not seen the consultant “penetration test” report, and does not know what fixes, if any, his information technology staff made as a result of it.
“I have people who are responsible for that. I don't know. I cannot comment because I have not seen the report,” he said.
In the report, a version of which Dr. Koonjbearry apparently attached to his October 2021 resignation emailed sent to trustees, the consultants estimate the potential cost to clean up damage from a cyber breach could be upwards of $30 million.
Two months after the consultant’s issued their report to the district, COVID-19 hit, throwing the school district’s IT department into chaos trying to organize distance learning. It remains unclear what fixes were made as a result of the report.
“No serious actions were taken to remedy the situation,” Dr. Koonjbearry wrote in his resignation email. He criticized the district’s head of IT, Jack Kelanic, for poor leadership.
Hinojosa told WFAA that he supports Kelanic.
“Jack Kelanic is the best chief technology officer I've ever had,” Hinojosa said. “.... And this is the best IT department I've ever had.”
Kelanic did not respond to an email seeking comment for this story.
‘They got lucky’
“They got lucky because these kids didn't want to do anything malicious,” said Wylie, a cybersecurity expert, referring to the student incident in August 2021. “And they shared that with them. Would (Dallas ISD) have really known that they'd been breached if (the students) hadn't sent the email?”
State records show the Dallas ISD student cyberbreach involved the personal information of 800,000 individuals.
“It's really a cat-and-mouse game every day between students and their IT departments,” said Doug Levin, who heads the K-12 Cybersecurity Resource Center, which analyzes publicly-disclosed security incidents at schools throughout the U.S.
“By and large, students are curious, and for the most part, they are not looking to significantly cause harm or mayhem in a school district by accessing systems inappropriately," Levin said.
No charges
Dallas ISD referred the case involving the two students to the FBI, and sources say federal prosecutors have declined to pursue charges.
Since the August 2021 incident, Dallas ISD’s IT staff has beefed up the district’s computer network security, said Hinojosa, who, on Jan. 13, announced he was stepping down as superintendent at the end of 2022.
“We put in a lot of security measures that is very inconvenient for our staff, but it's very important because we need to protect the security of this information,” Hinojosa said.
The two students ended their Aug. 8 email this way:
“We are not professionals, nor do we have any experience in offensive cybersecurity,” the email said. “We are just two students who were curious… If you want to hire me, I have no resume, but would be very interested, thanks.”
Got a news tip? Email investigates@wfaa.com.