Nationwide data breach hits the Valley, affecting thousands of students in Fargo, West Fargo

FARGO, N.D. (Valley News Live) - Damage control is underway surrounding a nationwide data breach affecting thousands of students here in the Valley.

The breach affects approximately 13,000 school and university accounts across the country.

Fargo Public Schools sent a letter out to parents on Thursday—after finding nearly 10,000 students and former students affected.

The schools’ IT director, Bill Westrick, says officials were notified by the North Dakota Council of Educational Leaders on August 12. NDCEL was informed by two affected schools out in Bismarck and Mandan. Fargo Public Schools went to work confirming and gathering the thousands of addresses they needed to reach out to.

"This is information that could go all the way back to 2006," Westrick said.

Meanwhile West Fargo Public Schools officials say they’re still compiling a list of the more than 12,000 students affected on their end.

"We're just going to take everyone that was on that spreadsheet," Ed Mitchell, the schools’ director of technology, said.

The data breach was on AIMSweb 1.0: a type of software that schools use for standardized assessment tests. It’s owned by the learning company, Pearson. A Pearson official tells Valley News Live AIMSweb 1.0 was retired this past July—but not in time for the November 2018 data breach.

Fargo Public Schools officials tell us they've been on the new system, aimswebPLUS, for three years now—and they want to know why their old information on AIMSweb 1.0 is still out there.

Meanwhile West Fargo switched from Pearson altogether a year ago.

"There were just other products out there that fit a little bit better than this new version of the product," Mitchell said.

Aimee Copas, executive director for the North Dakota Council of Educational Leaders, sent us a list of North Dakota schools affected by the breach. The list includes Bismarck Public Schools, Mandan Public Schools, Solen Public School District, Dakota Prairie School, Wahpeton Public Schools and Fargo Public Schools.

We also know the breach affects West Fargo Public Schools, though it didn’t make the list yet.

"58 of our districts in North Dakota utilize Pearson's aimsweb product," Copas said.

Valley News Live also reached out to the Minnesota Department of Education to find out if any schools were affected on the other side of the Red River. But we haven’t heard back yet.

"This is contemporary times, right? Everyone has to deal with these situations," Mitchell said.

The good news? At least in West Fargo and Fargo, the breach only included first names, last names and dates of birth.

Fargo Public Schools tells us student ID numbers were also breached.

"Which is only an internal number for Fargo Public Schools," Westrick said, "which wouldn't be useful anywhere."

The tech directors say no socials, emails or test scores came out between the two school districts.

So how did this happen?

"Pearson is probably one of the most reputable companies out there with regard to educational software," Copas with NDCEL said.

A Pearson official tells us the company was not the intended target of the breach. And the breach is part of a separate, ongoing investigation by the FBI.

But Westrick with Fargo Public Schools says Pearson should have stress tested its systems before—and not after—the breach.

"It's something that we do here on all of our systems internally," he said.

Meanwhile, Mitchell at West Fargo says the information stays online to "normalize data."

"All that data has to be collected, kind of analyzed to create that benchmark in which to compare," he said.

He agrees, though, that students’ names and dates of birth are not necessary information to keep around to normalize test score data.

Pearson sent Valley News Live a statement, saying:

"Pearson Clinical Assessments notified affected customers of unauthorized access to approximately 13,000 school and university AIMSweb 1.0 accounts. The exposed data was isolated to first name, last name, and in some instances may include date of birth and/or email address. Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability.

"While we have no evidence that this information has been misused, we have notified the affected customers as a precaution. We apologize to those affected and are offering complimentary credit monitoring services as a precautionary measure."

Pearson is offering free credit monitoring services to those affected.

"I'm one of the parents impacted," Westrick said, "and my daughter's first name, last name and birthdate really in my opinion isn't enough of a value to be worried. So we're not going to sign up for the credit monitoring. We don't think it's necessary."

But both tech directors say if parents want it, it's free—and will give some peace of mind.

Aimee Copas, executive director for NDCEL, asks any North Dakota schools that can confirm whether they’ve been hit by the data breach to please reach out to ND Edutech IT at help@k12.nd.us or 701 451-7400.