Wednesday, May 16, 2018

Computer hacking, massive data breach revealed to Springfield Board, Attorney General reportedly investigating

Springfield Board of Education members were told Tuesday night of a massive data breach that may have exposed school records, as well as Cox South Hospital medical records, bank records and other personal information.

They also learned of a case of identity theft that is currently under investigation by the Springfield Police Department.

Dr. Norman Ely, who practices at Cox South, revealed the breach during the public portion of the board meeting. It was unclear whether this was new information to board members or school officials since they followed their regular practice of not responding to anything said during the comment period.



The only feedback Ely received was when he was asked if he was about finished with his presentation. It was noted that he had already gone over the time allotted to public comments.

Ely said he had become aware of the problem after the district computer belonging to his daughter, a Springfield Public Schools administrator, was hacked.

Ely related a harrowing tale of identity theft and apparent flaws in the district's cybersecurity system that allow access to passwords and other information from other non-district devices if that information is stored in the cloud.

Though Ely did not mention anything about it during his presentation to the board, sources told the Turner Report Monday that the information he related to the board has been turned over to the Missouri Attorney General's office, which is looking into the matter.

If Ely's information was new to the board members, it was already known to district administrators. In his presentation, he noted that there have been numerous cybersecurity complaints dating back several months, in addition to the one involving his daughter.

Coincidentally (or not), the board had a first reading of a new cybersecurity policy for the district earlier this month, several months after State Auditor Nicole Galloway recommended that districts adopt such policies and follow them.

Dr. Ely's presentation is printed below:



School Board Meeting May 15, 2018

Esteemed members of the Springfield R-12 School Board.

Background Information

In December, our daughter, an administrator at SPS, raised concerns about possible wrongdoings within the district.


Since then she has consistently been under attack. Beginning on December 3, 2017, our daughter’s cell phone and computers were hacked, allegedly from someone within the district and police reports confirm this allegation. 

The report from the Springfield Police Department stated that, at least on one or more occasions, the hacking was traced to the Bentley Building. The cell phone was her personal cell phone, the computers were her district iPad, her district teacher device and her district laptop. This hacking has now impacted three of her personal cell phones, all of her social media accounts, her personal email, her personal Google drives, her work email and work Google drives. Her personal bank account and credit cards were also hacked. She had to set up new bank accounts and passwords multiple times. As of May 7, 2018 she was still being hacked.

The first point of access to her information as identified by JAG Investigations out of Arizona and contracted with Homeland Security to speak and teach on Cybersecurity was the Microsoft Network Exchange. 

After purchasing a new phone and starting from scratch, it was quickly discovered, through a Springfield Police investigation and diligent and thorough assistance from the NEA and the SPS HR Director, that a second point of access to her accounts was via SPS Google Drive.

Upon further investigation and research it was discovered that when an employee or student logs on to their SPS Google Drive, either from their school device, personal cell phone, home computer, home iPad, etc., that EVEN when logged OUT the Google Drive continues running in the background collecting all personal data of any person that uses the device after someone logs in and out of the SPS Google Drive.

In addition, any devices that are used to log into the SPS Google Drive can be automatically “synched” to the SPS Google Drive providing the district with all identifying information of that device, such as IP addresses, serial numbers and other information (collectively known as IMEI, the computer equivalent of a person’s SSN) needed to allow a hacker to bypass any passwords set and have complete control of that device. This is how it is suspected that our daughter’s devices continue to be hacked and remotely controlled. This has been suggested by the Springfield Police Department and confirmed to be 100% probable by Best Buy, Verizon, and Jag Investigations.

Initially, SPS IT said this could not happen due to their security; however, the police report and evidence supported the allegation. SPS has now confirmed that this was possible and that the district was aware of passwords being stored and stated, “that they need to do a better job of communicating this to parents next year.”

During this process our daughter used my Mac computer and my wife’s Mac computer to log in to her SPS Google drive, while trying to protect herself from the continuous hacking, and unknowingly “synched” both of our computers to the SPS Google Drive. After consulting with several experts in the field, including JAG Investigations, it was determined that SPS most probably holds all of our data contained in our personal computers and linked devices. All consulted experts agree, “to ensure no potential cyber threat,” the only resolution is to replace ALL of our personal computers, phones, iPads and even Apple watches.

Because of the way data is stored, in the form of meta data and in the Cloud, it is not even possible to back up our information to the Cloud and simply restore it to a new computer. It literally all has to be manually transferred unless it is a photo or video that can simply be copied without the data to a USB device. And again, even if you use your home computer, phone, iPad or a family member’s computer and you log into the SPS Google Drive and log out your personal information is still being stored to the SPS Google Drive and their Educational Google Vault.

In addition, on February 25, 2018 our personal credit card, although in our daughter’s name, was fraudulently used to subscribe to Truth Finder.com, a company that does background checks. Two background checks were run that day, 1 on our son-in-law and 1 on our son-in-law’s former fiancée from more than 20 years ago because they purchased a house together and her name was listed as someone associated with him. We can 100% attest to the fact that none of our family members did this as our daughter was extremely sick and in the hospital that day and would not be running background checks on anyone even if she weren’t in the hospital. Both Truth finder and our credit card company determined the subscription to be fraudulent. The information used to set up this account was information of which only someone in the district would have knowledge of and access to. A police report was submitted and SPS was notified. This incident is still open and under investigation with the Springfield Police Department.

Provided below are specific examples of what is being stored without the community’s knowledge:

We have another daughter that teaches in the SPS R-12 district. When she logged on to her SPS Google Drive Account from her home computer to finish up some lesson plans and logged out, she checked on finding a hotel for an upcoming trip. She logged into our personal timeshare account from her HOME computer and even though she signed out of her SPS Google Drive it stored ALL of our timeshare information to the SPS Google Drive including the Web Address, login/username, and password. It also has a smart link so you can just click the link and it will automatically sign you in to that site. When looking more closely our daughter had 139 sites, logins and passwords stored, including her bank account, her iCloud, her personal email, her Amazon account, etc.

The husband of one of our daughters works for Stryker, a national medical device and equipment manufacturing company. Our daughter does NOT have her husband’s Stryker account information and has never logged in to his account. He has never used her school devices to log into his account, but she did use their home computer to access her SPS Google Drive AND because SPS’s Google Drive stored every bit of account information from any accounts logged in after that point (even though she signed out) her husband’s Stryker website, username and password were stored to her SPS Google Drive. At a glance, the password looks encrypted but you just have to click on the eye to see it. Our son-in-law was obligated to notify his supervisors of this security breach. Cox Health was also notified.

In addition, because my personal home Mac computer was unknowingly “synched” to the SPS Google Drive and server, we’ve been told by cybersecurity experts, that this most likely means they have all of my computer information. That would allow someone to bypass all security passwords and remote in, giving them access to everything I do, including signing medical reports. This potentially puts the district at risk for violating HIPAA laws. Not knowing how long my computer has been synched it makes removing data difficult because the district is constantly running back-up servers, again necessitating the need for completely new and secure computers. I have notified the Cox Health legal and IT departments of this security breach.

This also means that every employee at Cox with a student, a spouse, or relative at SPS has the potential of having confidential information on the Springfield Public School Google Drive and Server, because you DON’T have to use a district issued device. You simply have to have someone in your family login to the SPS Google Drive and everything after that is captured.

Again, this problem is district wide and leaves kids, teachers, employees and even individuals unassociated with SPS, such as ourselves, vulnerable to cyber attacks and confidential information being released. According to one cybersecurity firm, this may impact HIPAA privacy laws, as I am a physician and will often use my computer to complete reports on patients. If someone from the district were to hack my computer in the same manner in which they have hacked our daughter, 100s of patients’ confidential information is at risk. This is a risk that is unacceptable and must be immediately remedied. I have notified Cox Health of a possible compromise of their system.

Students:

SPS has a 1-1 technology initiative, which provides every student in grades 3-12 a Chromebook that allows them to access curriculum, work on projects and presentations and have access to a computer and internet at home. Kids in grades K-2 are also given a device but those remain in the classroom and are not sent home, with the exception of a few schools. All devices and school educational platforms run off Google Chrome, a platform that does not consistently ask permission to store their passwords; it just automatically does.

To our knowledge no information was sent home to parents discussing the potential for personal information being stored to the Springfield School’s Google Drive and in their SPS Google Vault. In fact, teachers and employees were told that their devices could be treated as their own until the day they left the district. They were told that there was unlimited storage, all information is secure and that you can save your documents, photos, books, movies, etc. on their Google Drive as long as it met district appropriate guidelines.

Also, all students’ individual Chromebooks have their name, the school they attend, the year of graduation, student ID number and their Google user name on a label on the bottom of their Chromebook. This could give access to anyone who has that device in their possession or used by someone who records this information. This could give access to lunch accounts, student records etc. This may also put the district at risk for violating FERPA and HIPAA.

Student Examples:

Our 2nd grade grandson is not in the age group that is issued a personal device to take home but does use the Google Drive from home to complete projects and homework. 

When his parents checked his SPS Google drive account while at our house, to see what had been stored, every single YouTube video that he had watched on his personal iPad at his own home and NOT during school time was stored to the SPS Google Drive. Although he watched what any 8 year-old boy watches he was upset that someone outside of his family could see what he did on his own time. We explained that his parents absolutely have the right to view what he is doing but it is not the business of the school to track what kids are doing on their own personal privately purchased device on their own personal time.

Our 4th grade granddaughter downloaded a book and our son-in-law’s complete Amazon account was stored to her SPS Google Drive although she had signed out of the Google Drive before purchasing the book.

Our 6th grade granddaughter, who is very involved with Springfield Little Theatre and does numerous acting jobs around the city will often keep her resume and video resume of roles that she has placed in her personal email account so that if a role she is interested in and her parents agree she can apply. All of her personal emails and apps are stored to her SPS Google Drive, again website, login/username and password. When asked she had no idea that this was happening and was very concerned.

Immediate remedies that need to be taken by the district:

A. SPS must immediately remove all identifiable information from all student devices AND have all students change passwords that only the students, a district School Information Officer (ISO), a school administrator, and a parent have access to.

B. An independent firm must be hired to delete ALL personal data, personal information and surfing data of students and employees from its servers including back-up servers. You cannot simply restore the system to a previous date because that does not guarantee that all personal information has been permanently deleted.

C. A letter MUST be sent to every student’s parent notifying them of what has happened and what steps SPS is taking to correct this situation. They must also be advised how to protect themselves from malicious use of this information. The same letter must also be sent to ALL SPS personnel.

D. SPS must hire an independent firm to change this system whereby this information does not automatically store in the SPS server.

E. The district must hire an outside expert on cybersecurity who will be available to anyone in the community who wants more information on how to protect themselves against these cyber threats.

F. The district should reimburse my wife and myself for replacement of all of our personal computers, phones, devices, and any expenses incurred, including time spent as a result of this extremely dangerous and egregious security breach and hacking.

I would like to conclude with:

In 2016, a cybersecurity audit was completed by the Missouri State Auditor. In September of 2017, the Missouri School Board Association sent recommendations on revising cybersecurity policies to districts. This was not on the Springfield School Board District’s agenda for a first read until May 1, 2018 (as documented in school board minutes from May 1, 2018), even though cyber attacks had been reported to leaders in the district by December, 2017 and there was concern among numerous employees before that. It is completely inexcusable for the largest district in the state of Missouri to take such great risks with the community members, employees and most of all children for whom you have pledged to protect.

Thank you for your time and the SPS community looks forward to your prompt attention and resolution to this serious matter.

Steps for checking your/your child’s/your grandchild’s SPS Google Drive Account


Sign-in and security (passwords and devices)

1. Log into the account: For almost all younger school students the login is their lunch/ID number and their PW is their first initial last initial and then their lunch/ID number. Their ID number can be found directly on the bottom of their device on a sticker placed there by the district. So for example if my student was named Ed Sheeran and his ID number was 8675309 his login would be: 8675309 and his PW would be: ED8675309

2. Once into the Google Drive click on the top left the 3 lines, which pops open your Google drive account info. Look all the way to the bottom and click on the round picture of the round circle with your initial in it.

3. Click on my account

4. Click Sign-in & security

5. Scroll all the way to the bottom of the sign in and security page to where it says saved passwords. This is where you can see all of the passwords stored to the SPS Google Drive Account. For the passwords it might look like an eye but you just need to click on it to reveal the password.

· From the sign in and security screen you can also see what devices have been used to log into your SPS Google account and allow you to see what devices have been synched with your account.

· You can also change your account password to set it up as a 2 factor authentication; however, because the SPS Google drive is “owned” by SPS it has not been an effective way of keeping people out of my account.

Personal Info and Privacy (account history, surfing tracking)

1. Log into the account: For almost all younger school students the login is their lunch/ID number and their PW is their first initial last initial and then their lunch/ID number. Their ID number can be found directly on the bottom of their device on a sticker placed there by the district. So for example if my student was named Ed Sheeran and his ID number was 8675309 his login would be: 8675309 and his PW would be: ED8675309

2. Once into the Google Drive click on the top left the 3 lines, which pops open your Google drive account info. Look all the way to the bottom and click on the round picture of the round circle with your initial in it.

3. Click on my account

4. Click Personal info & privacy

Scroll down to My Activity; it is here that you can see all activity along with the date and time that you searched or watched any videos while the SPS Google Drive was running in the background.

(Note: Dr. Ely's portion of the meeting begins at approximately the 19-minute mark of the video.)





7 comments:

Anonymous said...

wow

Anonymous said...

Yikes!!!!

Anonymous said...

This hacking and breach are publicly known because a very literate man and his family have gone to extraordinary time and expense to investigate the intrusion. Thank you.

Anonymous said...

NEVER use personal devices for work and NEVER use work devices for personal business. AND NEVER EVER, EVER sync the two!!!!! Geez, and then to use 2 other people's personal devices and sync them....beyond stupid!!!

Anonymous said...

YIKIIEEESSSS!

Anonymous said...

This report is very over exaggerated and with lots of misinformation. I don't doubt this person was hacked and through a single hack the rest of their accounts' passwords saved in their school district's G-Suite (Enterprise Google Drive) account got found and compromised. This sort of thing happens all the time with all kinds of online accounts. The idea that this is the school district's fault is ridiculous. "SPS Google Drive" info is not saved on their servers; it's saved on Google by Google. Looks to me she has unknowingly made a lot of mistakes that created this mess.

Nathaniel Hall said...

I haven't even made it through the entire post and I can say that either JAG Investigations, the parent, the author, or all of the above have ZERO clue what they are talking about.