CDS data breach spurs digital review and recommitment to student safety

A data breach at Community Day School is prompting a review of protocols and recommitment to student safety.

On Sept. 11, 2024, a staffer at the Jewish day school discovered the transfer of approximately 466 school-related files by a now former employee to their personal email account. The transfer occurred between May 23 and June 5 — shortly before the former employee was to be terminated. Included within the transfer were 133 files containing student-related content, including health information and classroom performance records related to nearly 100 current and former CDS families.

In accordance with Pennsylvania law, Casey Weiss, CDS’ head of school, informed parents and staff of the breach on Oct. 16. Hours later, she met with the Chronicle.

Get The Jewish Chronicle Weekly Edition by email and never miss our top stories Free Sign Up

“There is nothing more important to me than the safety of the children in my care and the safety of all of our families, be it physical safety or the safety of student-protected information,” Weiss said. “We will continue to act as an institution of integrity and transparency. The sacred duty of educating and protecting our students is our No. 1 priority.”

Weiss said she learned of the breach on Sept. 11.

At that time, an “immediate” investigation was launched, she said, resulting in cessation of external access to student materials. The school began a series of conversations with law enforcement and attorneys specializing in data breach cases. CDS additionally conducted a “root cause analysis” to understand both how the breach occurred and determine best practices moving forward.

“Several measures have been put in place, internally, to assure that something like this never occurs again,” Weiss said.

Following the breach, CDS hired FSA Consulting to upgrade the school’s computing infrastructure (FSA Consulting is owned by Evan Stein, the Chronicle’s board chair).

In addition to optimizing digital tools, a policy was shared with staff strictly forbidding the use of personal email accounts to access or view school files. Parents of impacted minor dependents have been granted free access to cyber monitoring services for 12 months. The service, Weiss said, will search for parents’ and children’s personal data on the dark web and provide notifications if potentially identifiable information is found.

CDS is also providing families with fraud assistance through Cyberscout, a TransUnion company.

Based on the school’s investigation, “We have no reason to believe that anything fraudulent was done with this information, or that it was misused at any point,” Weiss said. “We also can confirm that this individual does not have access to any of the files transferred to their personal email.”

CDS welcomed Maggie Feinstein, director of the 10.27 Healing Partnership, to the school Tuesday to speak with parents and staff.

News of the data breach can prompt feelings of disempowerment or anger, “which is normal and healthy,” Feinstein said. “The best thing to do is be in dialogue and community, and look for opportunities to enhance your knowledge.”

Weiss said she understands concerns regarding both the breach and timeline of events. “We take this very seriously and informed parents as quickly as possible.”

Before notifying parents and staff, CDS officials needed to determine the nature of the information compromised, who was affected and ensure compliance with state and federal requirements, she said.

Weiss encouraged parents and staff to reach out to her, Feinstein or CDS’s Board Chair Shiri Friedman with any questions.

Friedman said she is impressed by Weiss’ leadership as well as the fact that the school will continue working with law enforcement regarding the breach.

As for whether the school will pursue legal action against the former staffer, “All I can say at this point is that we are taking this very seriously,” Weiss said. “We are taking the appropriate course of action necessary to safeguard our kids, because there is nothing more important than the safety of our children.” PJC

Adam Reinherz can be reached at areinherz@pittsburghjewishchronicle.org.