A report earlier this week from Paterson Times informed that the systems of Paterson Public Schools in New Jersey had been breached and the intruder stole thousands of usernames and weakly protected passwords. In reply, the school district issued a letter informing that "a civil court action must be pursued."

Last weekend, Paterson Times received evidence from an unknown party that login information for 23,103 accounts for the Paterson School District network had been stolen. On Monday, newspaper's Jayed Rahman published details about the breach, which apparently had occurred in October 2016.

Stolen logins for sale

According to the Rahman, the alleged perpetrator claimed that they had access to "all information systems" of the school district and provided screenshots Outlook inboxes belonging to two district employees.

The individual sought to sell the newspaper the login database, but the offer was rejected and Paterson Times notified the school district, which was unaware of a breach incident. It is unclear if the credentials were offered for sale underground forums.

The logins from the alleged hacker were valid and even if passwords were not stored in plain text, reversing them was easy. This allowed the newspaper to provide evidence that the data was valid.

"For example, Brubaker, the district spokesman, who sought evidence of the hack, was provided one confidential secretary’s username and reversed password that allows access to her Microsoft Outlook email inbox and district workstation."

It looks like district employees were using the email account credentials to also log into their computers.

Confronted with this sort of evidence, the school district issued a password reset for all employees and enabled two-factor authentication protection. 

However, the incident was heavily downplayed, officials stating in a press release yesterday that these were "precautionary measures taken after unfounded report of a hack of email servers."

"Paterson Public Schools information technology (IT) officials announced today that all email passwords for the district’s employees have been changed after a local blog published an unfounded report that the district’s email servers had been hacked."

While the email server may not have been compromised, the alleged hacker's claim of access to all the district's information systems suggests that they had a way into the district's computer network.

If employees used email credentials to also log into their computers, as  school board member and chairman of the technology committee Kenneth Simmons told Paterson Times, this means that the data was stored on other systems than the email server.

The legal intimidation

The newspaper's article on the breach clearly did not sit well with the county's Public Schools superintendent Eileen Shafer. In a letter responding to Rahman's story, and signed by the district’s attorney Robert E. Murray, she said the following:

"Moreover, those individuals who elected to confide in you has caused the District to be unfairly held out for ridicule in the community. This is serious reputational harm to the entire School District. Thus, a civil court action must be pursued."

Rahman was also demanded to provide Paterson Public Schools the information he received from the supposed perpetrator, "with no copies have been made or distributed."

As expected, the reporter did his homework and responded in a new article pointing out that the First Amendment and media law are on his side, allowing him to protect both sources and information.

It is important to note that the district's officials were unaware of the breach incident until Rahman notified them, and he confirmed the validity of the stolen data before running the story. Furthermore, the breach likely impacted individuals that are not employees of the Paterson Public Schools.

Simmons said that a number of logins that high "must include student accounts."

Update [05.20.2019]: Paterson Public Schools superintendent Eileen Shafer offered an explanation for the letter she sent to Paterson Times newspaper, saying that its purpose was not to threaten the publication or the reporter with legal action.

"Neither the reporter nor his news organization was the potential target for any litigation by the District," Shafer told Jayed Rahman on Friday.