WASHINGTON — After announcing Dec. 13 that a data breach had affected 1,000 former students, Frederick County Public Schools officials on Sunday shared more about what the investigation into the breach had revealed.
The investigation, which was completed in December, found that the students’ information, including names, social security numbers and dates of birth, may have been obtained from the Maryland State Department of Education’s database, FCPS said in a news release Sunday.
The data breach occurred before 2010 but was only discovered in September 2016, the news release said.
“It appears that [ …] personal information was being sold on foreign websites and that someone noticed that, saw that data for sale on a foreign website and alerted us,” FCPS spokesman Michael Doerrer told WTOP Sunday.
Shortly after, the school system began working with government agencies to investigate the incident, Doerrer said. The agencies involved included the FBI, the Maryland State Attorney General’s Office, the Maryland State Technology Department, the Maryland State Department of Education, and the Multistate Information Sharing and Analysis Center, according to the news release.
FCPS said it will continue to assist those affected, which includes students who attended county public schools between November 2005 and November 2006, in several ways.
For one, they have been working to remove the data from any websites where it may be posted. Further, they are providing those affected with free identity protection services through Kroll for 12 months, including credit monitoring and identity consultation and restoration.
FCPS said it is sending those affected information about how to enroll and about other ways to minimize the breach’s impact.
Because the breach occurred so long ago, it is not possible to say with 100 percent certainty where the breach occurred, Doerrer said.
“It does not appear that the breach occurred from FCPS’s system,” he said. “However, we are required by law to share data with the state department of education, and the format of the data matches the Maryland State Department of Education’s format, and the investigation also found that their systems were attacked.”
But Doerrer said the main point for FCPS is not to point fingers but to help those affected by the breach.
Since the discovery of the breach, the Maryland State Department of Education has been working to increase the system’s security, the news release said.
Maryland law dictates that the investigation into the breach had to be completed before releasing any information, Doerrer said, which is why they were not able to reach out to those affected with any information until December. They are still in the process of contacting each of the 1,000 former students, he said.
“This is obviously a troubling matter,” he said. “We take it seriously, and we’re trying to help everyone impacted.”
WTOP has reached out to the Maryland State Department of Education for comment. It is not yet clear whether other public school districts may have been affected by a similar data breach.
FCPS update on data breach announced last week. We’re taking aggressive action to help all those affected.
— FCPS-MD (@FCPSMaryland) December 18, 2016
WTOP’s Dick Uliano contributed to this report.