JeffCo Schools’ officials disclose very little about Halloween hack

After more than a week without an update on the Halloween cyberattack, JeffCo Public Schools’ officials on Friday provided parents a few details not yet disclosed about the hack.
While the review continues, JeffCo officials acknowledged that hackers were able to access student ID numbers, which are randomly generated. Officials said in an email to staff and families that this information does not disclose any personally identifiable student information.
Family banking information used for paying school fees is stored with third-party systems that do not appear to have been accessed, district officials noted.
The district’s Human Resources system, PeopleSoft, does not appear to have been compromised, officials said. This system would contain sensitive information, such as staff banking and Social Security numbers, that nefarious actors could use to steal someone’s identity.
Friday’s statement, however, did not disclose whether students with an Individualized Education Program, or IEP, have had their data compromised.
The hacker group SingularityMD, which has claimed credit for the data breach, maintains it stole IEPs – which can contain sensitive health care information such as prescribed medication and clinical diagnosis – dating back to 2020.
SingularityMD has also claimed credit for the Oct. 5 cyberattack on Clark County School District in Nevada, the nation’s fifth largest with more than 300,000 students.
With roughly 14,000 employees and more than 65,000 students, JeffCo Public Schools is the second largest school district in Colorado behind Denver.
School officials disclosed the Oct. 31 hack after staff reported receiving an email threatening to upload sensitive employee and student information to the dark web if JeffCo Public Schools didn’t pay a $15,000 ransom in cryptocurrency.
Hundreds of JeffCo parents received a copy of the email from the hackers, which was obtained by The Denver Gazette.
“Your overall approach to cyber security is too relaxed,” Anihi Blep, likely an alias, wrote in an Oct. 31 email to several district executives, including Superintendent Tracy Dorland.
The ransom was later reduced to $2,000.
This cyber breach – the hackers have contended – was not politically motivated, but was simply a “business transaction.”
JeffCo officials have declined to say whether they paid the ransom. But law enforcement is investigating the breach.
According to the emails, the hackers provided JeffCo officials with a 1 gigabyte sample of the stolen 40 GB dataset, which, in addition to IEPs, is purported to include student emergency contact names, phone numbers, email addresses and birthdates.
Of particular concern to JeffCo parents and security experts alike was the use of student birthdays in creating student passwords for Google Classroom, which is used for assignments. According to Google, the data is encrypted in transit and not shared with third parties.
Deb Howitt, a partner with Dorsey & Whitney, an international law firm with offices in Denver, has called using birth dates for passwords “a terrible practice.”
Howitt, whose practice area includes data privacy and cybersecurity, has represented The Denver Gazette and The Colorado Springs Gazette on cyber security matters.
Attacks against education institutions are becoming more commonplace.
Last month, Colorado Department of Higher Education officials found themselves in a pickle after The Denver Gazette reported the system failed to promptly notify law enforcement about a massive data breach discovered in June. And in March, officials with Denver Public Schools disclosed the personal information of as many as 15,000 employees was stolen in a “cybersecurity incident” that lasted for a month.
State law requires government agencies and businesses operating in Colorado to report, within 30 days of discovery, data security breaches affecting 500 or more Coloradans.
