BREACHED: Hillsborough Schools (FL) Seventh Largest School District in USA

Posted on September 14, 2023 by Harmonica

On August 31, the country’s seventh largest school district sent correspondence to not all parents about a cybersecurity incident. Very little data is trickling out about what happened. Thirteen days later Hillsborough Schools has still not revealed when the malicious actors breached school systems.

On September 4, I emailed Superintendent Ayres and the Chief Technology Officer seeking comment on twelve questions. I sent a follow up email on September 11 asking for the district to respond to the questions.

Then on September 12, Hillsborough County School District (HCSD) answered TWO of the twelve questions. Their response was essentially a summary of what had already been communicated to not all parents in an update on September 5.

As of September 14, there is NO notice on Hillsborough County Schools Website about this breach. Not all parents are receiving email communications regarding the event.

It now appears the school district is picking and choosing with whom to release information, distinguishing a parent separately from the PTA executive board. Yesterday I discovered that a Facebook Group titled “Hillsborough County Council PTA/PTSA Advocacy Group” reported on September 6, that the Hillsborough County PTA executive board met with Superintendent Ayres and he revealed it was a ransomware event and that HCSD did not pay the ransom—the third question on my list, left unanswered.

Why has this new information not been provided to all parents and staff publicly?

This matters to parents and teachers, because very sensitive data has been collected without informed consent. In 2019, I wrote Teachers, Parents, Countrymen: How Much of Your Personal Data Does the School District Share? to bring attention to just how much sensitive data could be collected.

Here are the two answers they did provide to my questions (pictured below):

(2) “On August 31, the district sent correspondence to staff and families that it was addressing an apparent cybersecurity incident involving a number of technology systems in the district.”

(8) “We continue to be in communication with the FBI, FDLE, and the Hillsborough County Sheriff’s Office regarding this incident.”

(11) “…worked to restore full function to our core operational systems…” This did not really answer my question, as it only references their core operational systems.

The district also wrote: “we have no indication that there was any unauthorized access to data stored in our student information system”.

Translation: there might have been unauthorized access, but we don’t know.

YOU, as the parent, have had YOUR power to protect your children from digital TYRANNY stripped from your soul. That God given natural right you have to protect your children as you see fit has been trampled by your government.

I will tell you how I know this.

Since 2016, I have battled with my heart and soul to protect my children from student data collection. My heart and soul were tested beyond belief by my school district as I spent endless hours, nights, weekends, and vacations researching and advocating to stop the data (and metadata) being stolen from my children and yours. They don’t care.

I have written US and state legislators, multiple FL Governors, FL Commissioners of Education, filed federal complaints, filed state complaints, reported a Hillsborough Schools classroom/student data breach in our school district to the Florida Department of Education Office of Inspector General (OIG) that resulted in a website being taken down, spoken public comment to the National Telecommunications and Information Administration (NTIA), and much more. The results from my emails and letters: intra-government fingerpointing and “lack of jurisdiction.” Not one legislator reached out. I even traveled multiple times to Tallahassee to speak out against an “online protection” bill last session that does little to protect but does much to trample Parental Rights. The Parental Rights our Florida legislature claims to protect.

By 2016, our children were being tracked by a “learning management system” that was contracted as a gradebook but did way more than act as a “gradebook.” I wrote about my concerns with this system here and here and finally here—where I explained how my concerns from the first post were vindicated (because these same issues were investigated by another country!). We asked for our children to be removed or provided an alias in that system. We were told by the district that they did not think the vendor could do so at this time. This led to concerns the vendor was not properly qualified as a “school official” under FERPA. Why? Because under FERPA, for a vendor to qualify as a “school official” and thus collect or receive records, the school district must maintain direct control over the use and maintenance of educational records. As I understood the school district’s response, the vendor was in control; not the school district.

In 2018, I wrote to the Florida’s Department of Education to warn about the inadequacy and insecurity of Hillsborough School District’s password systems. Then in 2020, Boca News reported a “hack” in Palm Beach County School District, indicating the vulnerability was the very problem I reported to the state in 2018, nearly two years earlier.

My children were forced onto digital systems that collect behavioral data without my knowledge or consent, accounts were created in their identities with for-profit companies—collecting data. The district repeatedly denied us access to all of our children’s data, including what accounts were created by the school district with companies.

My first grader was sent to the principal’s office and threatened for standing up for his rights and for following our [parental] instructions: not to login to experimental learning platforms that collect his data. We were not called. Our child was forced to log into the system.

Unfortunately the State of Florida is contributing to this problem by instituting laws and policies that encourage this activity. Data Collection ramped up with the Statewide Longitudinal Data System pushed under Governor Jeb Bush (using federal grants) that created a need for student information systems. This activity and more continues through Florida’s actions today. For example, requiring cloud based solutions to be the first choice, and AI surveillance of students online—just two of many examples.

All data collected online is at risk.

Stand up for your parental rights and you will quickly learn you are actually living under tyranny—you just don’t know it yet. I encourage you to stand up because without every one of you, our rights will be continually eroded.

Just this week we were informed that our child’s best interests were to be held hostage again by another public school pay to play scheme. Let’s hope it will have a happy ending.

I will not be deterred from sharing what I know and believe about this industry.

Join me in standing up for your parental rights and protecting the innocence and privacy of our children.

This entry was posted in Data Privacy, EdTech Tyranny, Hillsborough Schools, PII, Public Schools, Uncategorized. Bookmark the permalink.