Important Cybersecurity Notice
The purpose of this Notice is to update the Huntsville community about the response of Huntsville City Schools (the “District”) to the cybersecurity incident that began on or around November 29, 2020.
On or around November 29, 2020, the District experienced a ransomware attack. Ransomware is a malicious software (called “malware”) that denies access to computer devices or files until a ransom is paid. To date, the District has not contacted the attacker or paid any ransom. For more information about ransomware, please visit the Cybersecurity & Infrastructure Security Agency Ransomware Website.
In an update on December 9, 2020, the District informed the community that the cybersecurity incident impacting the District did not impact the third-party providers that serve the District’s students (including, INow and Powerschool). That remains true.
Ransomware attacks do not necessarily result in sensitive information being stolen, and, to date, the District has discovered no evidence that impacted files have been stolen. However, the District, erring on the side of caution, is treating all information that was locked down as having been taken by the attacker.
In keeping with that cautious approach, this Notice is designed to notify potentially impacted individuals and to comply with the Alabama Data Breach Notification Act of 2018.
Again, the District is not aware of any actual or attempted misuse or theft of any personal information of our stakeholders. Instead, the District is providing this notification to you out of an abundance of caution.
Please review the information provided below to understand what information was impacted and what steps you can take to protect yourself or your student against any misuse of any impacted personal information.
What information may have been impacted?
The following non-public, personally identifiable information may have been accessed as part of the ransomware incident:
- State Student Identification Number (SSID) – For students enrolled during the following calendar years:
- Email addresses for Parents – Linked to SSIDs of students enrolled during calendar year 2020
- Social Security Numbers
- Employees who worked for the District from 2010-2020
- Contractors who performed services for the District from 2010-2020
- Students who participated in a club called “Fantastic Four” during calendar year 2008
What is the District doing to prevent this in the future?
Immediately upon learning of the attack, the District’s IT Team took steps to stop the spread of the ransomware. Additionally, the District’s administration engaged outside cybersecurity experts and law enforcement officials to secure the District’s network. The District continues to work with outside cybersecurity experts to do the following:
- Recover backup files to work around the disruption caused by the ransomware attack;
- Install and implement additional cybersecurity software designed to harden the District’s network against future attacks;
- Issue new devices to faculty and staff;
- Reimage impacted student devices;
- Implement improved encryption processes which will better protect files, including those with personally identifiable information, on the District’s local servers; and
- Train faculty, staff, administrators, and students on cybersecurity awareness.
What can you do?
If you believe you may be one of the individuals impacted by the cybersecurity incident, please remain vigilant, watching for instances of fraud or identity theft over the next 12 to 24 months by reviewing your account statements and monitoring your credit reports. You may obtain a free copy of your credit report once every 12 months from each of the three nationwide credit reporting agencies. To order your free annual credit report, please visit AnnualCreditReport.com or call 1-877-322-8228.
In addition, you may also contact one of the three nationwide reporting agencies listed below and place a fraud alert on your file. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or make certain changes to your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.
You may also place a security freeze on your credit report. A security freeze will prevent a credit reporting agency from releasing information in your credit report without your express authorization. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. If you chose to place a security freeze on your credit report, you must do so with each of the three credit reporting agencies.
You may contact the three nationwide credit reporting agencies about security freezes, fraud alerts, and other related topics, using the following contact information:
If you discover any suspicious or unusual activity on your accounts or suspect identity theft or fraud, be sure to report it immediately to your financial institutions. You may also contact the Federal Trade Commission (“FTC”) or local law enforcement to report incidences of identity theft or fraud.
Who can you call if you have questions?
If you have any questions about the content of this Notice, please call (256) 428-7773 during the following hours of operation (for all dates below, the call center will accept calls from 8:00 a.m. to 4:30 p.m. Central):
- Monday, December 21 - Open
- Tuesday, December 22 - Open
- Wednesday, December 23 - Open
- Thursday, December 24 - Closed
- Friday, December 25 - Closed
- Monday, December 28 - Open
- Tuesday, December 29 - Open
- Wednesday, December 30 - Open
- Thursday, December 31 - Closed
- Friday, January 1 - Closed
- Monday, January 4 - Open
- Tuesday, January 5 - Open
- Wednesday, January 6 - Open
- Thursday, January 7 - Open
- Friday, January 8 - Open
While the District’s response team will make every effort to address any questions you may have about the content of this Notice, please note that the District’s response team:
- Will not receive or share any personally identifiable information;
- Will not confirm whether you or your student were specifically impacted by this potential data breach;
- Will not provide any information that is not already covered on this page; but
- Will try to answer questions about the content covered on this Notice, if possible.
This page will remain on the District’s website until January 31, 2021.