Florida Virtual School was hacked 2 years ago

“Florida Virtual School (FLVS) recently learned of a potential data security incident involving certain information provided to us by students and parents. We are providing this notice as a precaution to inform potentially affected individuals about the incident and to call your attention to some steps you can take to help protect yourself. We sincerely regret any concern this may cause you.” Florida Virtual School was hacked two years, but they only “learned” about the hack this week.

FLVS would’ve discovered instead of “learned” about the unauthorized access far sooner if they had taken security seriously. Following best practices can be tricky, and sometimes expensive, but you can prevent many types of breaches and limit damage when an attacker does get in. It’s unfortunate that the only sincere concern they’ve had is after a lot of damage has been done. They estimate the dates of unauthorized access to be between May 2, 2016, and February 12, 2018.

The attackers gained access to information systems that contained personally identifiable information of students and teachers that includes student names, dates of birth, school credentials, physical school identification, and parent names and emails. So far there isn’t any evidence of Social Security number and financial account information disclosure.

Leon County school’s have it a little worse. The teachers had their Social Security numbers, date of birth, address, phone number, emergency contact, spouse’s name, personal email address, work email address, and some demographic information disclosed. FLVS is offering identity protection for free for affected individuals for one year. This information can be abused for years, and they are giving only one year of monitoring.

“FLVS takes its obligation to protect the privacy of personal information very seriously and deeply regrets this incident. After FLVS learned of this incident, we immediately initiated a comprehensive IT security investigation and hired an independent forensic cybersecurity investigation firm to assist in our investigation and response. FLVS also contacted Leon County Public Schools and notified the Florida Department of Law Enforcement (FDLE) and the Federal Bureau of Investigation (FBI), and we will continue to cooperate with the law enforcement investigations.”

In summary, it took two years for FLVS to “learn” about the breach, meaning, they were notified by a law enforcement agency or a company, and they’re offering only one year of identity monitoring. It seems like they didn’t care about security until something went wrong and are trying to save face.

Will any meaningful changes come as a result of their irresponsibility?

Only time will tell, but I’m not holding my breath.