VA: Fairfax County Public Schools breach exposed sensitve student information

Fairfax County Public Schools (FCPS) has had numerous breaches in the past 15 years, including one ransomware incident that affected more than 170,000 former and current employees and students. Here’s a recent incident that just showed up on a state attorney general’s website. FCPS’s notification for this latest incident states that on or about December 19, 2022, an unauthorized user reportedly accessed two FCPS business email accounts. The attack was detected “shortly thereafter,” but their investigation was unable to determine if the attacker had accessed or viewed any of the personal information in those two accounts. The information involved in the breach was “information that FCPS teachers use to provide certain educational services to students,” which includes their name, address, and/or certain mental or physical health history, condition, treatment, or diagnosis information…. Examples of this medical information include information about a child’s allergies or medically restricted diets, EpiPen ownership, disability or health condition (if applicable), and whether a student has a history of seizures.” On April 17, external counsel for the district notified Maryland’s Attorney General that 8 Maryland residents were affected. Letters had previously gone out to those affected on or about February 10, but the notification does not reveal the total number of students affected by the incident.