JPS Provides Update on Possible Data Breach from 2020 Cyber Attack
We have posted this page to inform the public about a data security incident that may have exposed scholars, staff, and other constituents’ personal information. We take the protection and proper use of this information very seriously.
We have mailed notification letters to those individuals for whom we have complete contact information. However, we do not have full contact information for all affected persons, and therefore some individuals may have been affected but will not receive a notification in the mail.
For these reasons, we are posting this page to explain the circumstances of the incident.
On February 6, 2020, we first discovered the District was the target and victim of a ransomware attack perpetrated by criminals. The criminals sought to encrypt the District’s files and have the District pay a ransom for the return of those files. However, the criminals were unsuccessful, and the District was able to recover most systems and avoid paying any ransom.
The District immediately engaged cybersecurity experts to assist in triage, recovery, and the investigation. As that initial response to the incident unfolded, we also engaged outside counsel to assist in the response to the incident. The initial investigation did not find any evidence of any access to personally identifiable information stored on District systems.
After the initial investigation, the District’s outside counsel engaged an additional, specialized forensic vendor to perform a more thorough forensic investigation. This expert vendor conducted a very thorough review of the District’s systems, logs, and all available information. Over a period of several months, data was gathered from thousands of District computers and systems, compiled, and analyzed by forensic experts.
The forensic experts found no evidence of acquisition or exfiltration of any sensitive data on systems on the District’s network. However, the forensic experts also analyzed approximately 1.9 million user activity logs for thousands of District email accounts, hosted on Microsoft-owned Office 365 servers utilized by the District. Through this portion of the investigation, the forensic vendor determined that seventeen (17) accounts had evidence of unauthorized access.
The District then retained outside counsel to review and analyze the approximately 2.5 million emails, attachments, and files contained in these seventeen (17) email accounts, to determine what, if any, personally identifiable information could have potentially been accessed in those accounts. Given the volume of data involved and the need for a careful review, this work took thousands of hours and several months to complete.
Now, after over a year of virtually continuous investigation, a very substantial expenditure of funds, and a detailed and thorough analysis, we believe that certain individuals’ information was potentially affected by the unauthorized access to the seventeen (17) District email accounts.
At this time, there is no evidence that any information has been misused. We are providing this notification out of an abundance of caution.
What Information Was Involved
As a result of this incident, an unauthorized person may have accessed and/or acquired some personal information, including:
- Phone number;
- Email address;
- Date of birth; and
- Social security number.
What We Are Doing
As discussed above, we engaged in a thorough, lengthy, and expensive investigation to determine to the extent possible what information was accessed in relation to this incident. Since the incident, we have also undertaken a number of steps to improve the security of our systems, which efforts are continuous and ongoing. Some of the specific measures we can share publicly include: (1) implementation of a cyber-education program for all employees; (2) implementation of multi-factor authentication for key employees; (3) implementation of a new anti-virus and malware protection program for all district devices; (4) increased protection for Office 365 applications; and (5) improvements to network infrastructure and network security.
In addition, we are offering identity theft protection services through IDX, the data breach and recovery services expert. IDX identity protection services include 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services. With this protection, IDX will help resolve issues if your identity is compromised.
What You Can Do
We encourage anyone who believes they may have been affected to contact IDX with any questions and to enroll in the free identity protection services by calling [TFN]. IDX representatives are available Monday through Friday from 9 am - 9 pm Eastern Time. Please note the deadline to enroll is [Enrollment Deadline].
Again, at this time, there is no evidence that any information has been misused. However, we encourage anyone affected to take full advantage of this service offering. IDX representatives have been fully versed on the incident and can answer questions or concerns you may have regarding the protection of your personal information.
For More Information
Please call (833) 820-0891 or go to https://app.idx.us/account-creation/protect for assistance or for any additional questions you may have.