The Clark County School District is boosting security for its student information system following a cyberattack last month.
The nation’s fifth-largest school district announced Oct. 16 that it was affected by a “cybersecurity incident impacting its email environment.” The district said it became aware of the incident around Oct. 5.
In response, it has implemented some stricter Google Workspace measures and a forced password change for students.
The latest security updates — which took effect Tuesday — are related to Infinite Campus, a system that teachers use for tasks such as logging attendance and grades. There’s also a version of the platform for parents.
The district announced the change in an email to staff Nov. 7 and followed up with additional information Monday.
In the Nov. 7 email, the district said that implementing two-factor authentication for staff Infinite Campus accounts is “part of our ongoing commitment to safeguarding sensitive student data.”
Two-factor authentication means multiple forms of verification are required before logging in.
The change “significantly reduces the risk of unauthorized access to your Infinite Campus account and helps maintain the trust and privacy of our educational records,” the district wrote.
The district said in the Nov. 7 email that it was implementing app-based authentication. But on Monday, the requirement was updated to include email-based authentication.
It’s mandatory to use the app for those who have a district-provided device.
In a statement Monday, the district wrote that it continues to work with the FBI to investigate the cybersecurity incident.
The district said it has contracted with a third party to “review and evaluate the data and determine which individuals may have been affected.”
As of Nov. 7, the district had paid $1,499 for services billed related to responding to the cybersecurity incident, according to a response to a Las Vegas Review-Journal public records request.
The Review-Journal also requested a copy of the district’s contract with any companies investigating the incident.
The district responded, saying: “The contract with the experts investigating the cyber incident is managed by the insurance company and defense counsel, not CCSD. A copy of the work agreement cannot be supplied, as all documents are attorney-client privileged.”
In the Monday statement, the district shared a link to a cybersecurity incident notice on its website.
The notice states the district will notify all “potentially affected individuals” by mail at the conclusion of the investigation. It doesn’t provide an estimate of how long that could take.
The notice said the investigation so far has revealed that the “unauthorized party accessed limited personal information related to a subset of students, parents, and employees.”
The district said it hasn’t received any reports of “actual or attempted misuse of the impacted information” or “related identity theft.”
Some parents said last month that they received a suspicious email with attachments that included personal information about their children and family.
Earlier this month, two parents filed a class action lawsuit against the district alleging it failed to protect personal information and take steps to prevent a cybersecurity attack.
A complaint alleges the incident was a ransomware attack — which the district hasn’t confirmed — and that a hacker group known as SingularityMD stole personal information about more than 200,000 people.
Families can report any suspicious activity or ask questions by contacting the school district’s assistance hotline at 888-566-5512 between 6 a.m.-6 p.m. Monday through Friday, excluding holidays.