WASHINGTON TERRACE — The website of a company used by Weber School District, “MySchoolFees,” has been compromised. Parents and students are being asked to stop making online payments through the site until further notice.
The school district announced the security breach Tuesday on its website and through a posting on its Facebook page.
“Weber School District uses MySchoolFees, a third party vendor, to facilitate online fee payments, including school lunch. We have become aware that this third party company’s web page was compromised this afternoon. The company assures us that no student data was lost or compromised,” the posting said. “Weber District is in the process of working with this company to determine exactly what happened, and what this compromise might mean for Weber School District and our patrons.”
A forensic review of the situation has been promised by MySchoolFees, according to the posting.
“It appears it was a web page hack,” said Nate Taggart, spokesman for the school district.
The district will continue to use Facebook and its website to keep patrons updated about the MySchoolFees issue.
“In the meantime, as a precautionary measure, we have suspended using the system until we hear otherwise,” Taggart said.
Students who still owe fees are asked to make payments directly to their school.
Bill Tatton, vice president of Internet technology for TES Software/MySchoolFees, which is based in Montana, said the server breach was discovered within 18 minutes of the hack.
“We actually saw the person in what's called the website directory, and he had replaced home pages for MySchoolFees with an announcement of his prowess as a hacker,” said Tatton, by phone from his office in Cottage Grove, Ore.
The server was immediately shut down, and the company started scanning to see what the hacker had done. Even though the initial signs put up by the hacker said “data breach,” Tatton said there is no evidence that data was compromised.
“When we started the company, we had to decide whether we wanted to make consumers go through the inconvenience of entering their credit card information every time, or store it,” he said.
They opted to ask customers to enter their information for each payment, and some people have complained, but they may feel better about it now.
“There is no credit card information in our server,” Tatton said. “It is impossible for a credit card breach to occur on our server.”
TES Software pays Trustwave Spiderlabs Forensics to attack its website every month, according to Tatton, to test security. A forensic team from that company will spend next week examining an image of the hard drive, to conclusively determine if any data was compromised.
“When we find out, we'll release that report,” said Tatton.
According to Tatton, more than 200 schools use the service. Each of the schools was immediately notified of the breach, and the 140,000 associated parents who have made payments on the website will receive a letter.
“We're doing everything to make sure we stay transparent,” he said.
Contact reporter Becky Wright at 801-625-4274 or firstname.lastname@example.org. Follow her on Twitter at @ReporterBWright.