Cyber Incident Victim: Paterson Public Schools
Date: Oct 2018
Location: United States of America
Summary
The Paterson Public Schools experienced a data breach compromising over 23,000 account credentials, including desktop logins, email usernames, and passwords, with weak encryption allowing password recovery. The perpetrator demonstrated unauthorized access to employee email accounts and attempted to sell the stolen data, which included credentials of current and former staff, potentially enabling continued system access. District officials were initially unaware of the incident, which exposed sensitive personnel information; theft of financial data was not confirmed.
Description
In October 2018, an unauthorized actor compromised Paterson Public Schools' systems, exfiltrating 23,103 account credentials including desktop logins, email usernames with passwords, and laptop access tokens. The stolen data encompassed credentials for all district employees—from Superintendent Eileen Shafer and school board leadership to teachers and staff—along with former employees' accounts. Attackers compiled this information into a file exceeding 116,000 lines, in which passwords were stored with weak encryption that could be readily reversed to plain text. The breach remained undetected by district officials until May 2019, when the perpetrator contacted the Paterson Times via disposable email, claiming access to "all information systems" and offering proof of compromise. After an initial contact on Thursday was ignored, the attacker provided credible evidence on Saturday, including screenshots of two employees' Microsoft Outlook inboxes and a sample of decrypted credentials. The actor attempted to sell the dataset to the newspaper but discontinued communication upon learning the information would be published, with subsequent emails returning as undeliverable.

District administrators first learned of the breach through media inquiries on Monday morning, with school board president Oshin Castillo expressing shock at the disclosure. Officials including spokesman Paul Brubaker confirmed credentials remained active when tested, with one secretary's reversed password granting access to her Outlook account and workstation. The scope raised concerns among technology committee chair Kenneth Simmons that student accounts might be compromised, though this remained unverified. Simmons noted the attacker likely accessed district servers or intercepted network traffic, highlighting systemic vulnerabilities including password reuse and lack of mandatory rotation policies despite the district's Office 365 cloud email implementation. While financial data theft wasn't confirmed, officials acknowledged potential exposure if banking details existed on networked files. Superintendent Shafer initiated an internal investigation, but the intrusion method and duration of attacker access remained undetermined at the time of reporting.
