NOTICE OF DATA BREACH: SANTA BARBARA UNIFIED SCHOOL DISTRICT

Dear Santa Barbara Unified School District Families.

We are bringing to your attention a notice of a data breach that may have impacted the district.

What happened?
In late November 2019, Aeries Software became aware of unauthorized attempts to access the Aeries Student Information System, and began investigating. Aeries is used by districts across California, and is the largest student information system vendor in the state. At that time, Aeries did not identify that any data was compromised. In December 2019, Aeries released a series of security patches as a precautionary measure, since there was no evidence that any data was compromised, to address the potential vulnerabilities.

While investigating the unauthorized access attempt further, Aeries discovered some data was in fact accessed. On April 27, 2020, Aeries notified districts of the security breach but indicated that only districts using Aeries hosted services were compromised. SBUnified does not use Aeries hosted services and therefore was not determined to be impacted.

On May 6, 2020, Aeries notified all districts who store their Aeries data on their own servers that they might also have been impacted, and offered assistance in helping to determine whether those districts were compromised. That day, we requested Aeries’ assistance in determining whether we were impacted.

At the end of business on May 18, 2020, Aeries completed its investigation of our database, and notified us that we may have been impacted by the same breach. Beginning the morning of May 19, 2020, SBUnified conducted an internal review of Aeries’ findings in preparation to release this notification.

Based on subsequent research, SBUnified is one of hundreds of Aeries districts that were potentially compromised. Aeries received notice that the perpetrators have been taken into custody and that the unauthorized access has been terminated.

What information was involved?
Aeries’ investigation determined that student ID numbers, parent and student emails, physical addresses, and hashed passwords may have been subject to unauthorized access.

A “hashed password” is encrypted, meaning that the actual password cannot be viewed.

What we are doing.

While there is no evidence to suggest that your data was misused, state law requires that we notify our families whose data may have been subject to unauthorized access.

Out of an abundance of caution, we are requiring that all parents/guardians with Aeries accounts reset their Aeries passwords.

Students use their District Google accounts to access Aeries, and their Google passwords would not have been at risk as part of this breach. Additionally, we have protections in place to ensure that people outside of our District cannot email our students directly.
Aeries fixed the vulnerability that permitted the unauthorized access in December 2019.

What you can do.
Parents/guardians should go to https://aeries.sbunified.org/parent and log in, and the system will walk you through resetting your password.
If you have used the same password that you use for Aeries on any other websites, we recommend that you change your password on those other websites. We also recommend that you avoid using the same password on multiple websites in the future.

For more information.
Call our technology helpline at (805) 696-2700 or email us at support@sbunified.org.