“Aeries Software” Breached and Over 150 School Districts Compromised

• A security incident has occurred, affecting a large number of US schools, students, and their parents.
• The problem was a zero-day vulnerability in the Aeries online portal that has been patched now.
• Parents are now urged to reset theirs and their children’s passwords on the Aeries portal.

There’s a sudden wave of notifications of a breach reaching the parents of students of about 150 School Districts in the United States. Examples from the California office of data protection come from the San Bernardino City, the Yucaipa-Calimesa, and Rocklin. The common denominator in all of the cases is the use of the “Aeries” online student information system and online portal. Apparently, Aeries discovered that someone gained unauthorized access to their systems back in November 2019, and accessed student and parent information stored there. Aeries clarified that the infiltrators exploited a bug in their systems that they have fixed now.

Along with the launching of an internal investigation and the informing of the law enforcement agencies, Aeries has circulated notices to the affected School Districts. So the students and their parents are only now being informed about what has happened almost seven months ago. As for what information has been exposed to the hackers, this includes the following:

• Parent full name
• Student full name
• Home address
• Phone number
• Email address
• Hashed password

The announcements claim that the passwords are not retrievable or crackable, so there’s no danger of account takeovers. Still, every member had their password reset and provided a temporary password to access the Aeries platform and set a new password. Only parents can now complete the “Student Information Update” that is required. You should not rely on the low chances of anyone putting the time and effort into deciphering the passwords, so go ahead and reset your credentials now.

As for the full names, home addresses, phone numbers, and email addresses that have been leaked and don’t need decrypting, there’s no resetting these. You should be aware that you may receive phishing or scamming messages either via email or SMS. If you notice anyone attempting to misuse your personal information, you are advised to file an identity theft complaint on the Federal Trade Commission’s site at “IdentityTheft.gov.” From there, the law enforcement services will take on an investigation.

Remember, this was not a mistake of your School District, but one that weighs Aeries. Still, you may contact your School District and ask for more information about what to do next. Finally, make sure to ask them whether they have updated the Aeries software to the latest available version, so as to prevent a similar incident from occurring again in the future.