District to accelerate email security after phishing attack; tech director says 67 staff clicked link

The Hendrick Hudson Central School District said it will accelerate deployment of a new email-security system following a recent phishing attack that the technology director said affected dozens of staff.

Venita Joy, the district’s executive director for technology and innovation, told the board on May 27 that the district must migrate to a new inventory system after a vendor announced closure and that a planned email-security tool (Checkpoint) was moved forward after an attack in which, she said, "we had over 67 people who actually clicked on that email." Joy said the incident allowed the technology team to pilot the system early and that staff are manually quarantining suspicious messages until full activation.

Joy described additional data-loss prevention (DLP) concerns: district email traffic has included messages with driver’s-license numbers, Social Security numbers and student personally identifiable information. She said the new system will automatically encrypt messages leaving the district domain that contain such information and provide parents a six-digit code to decrypt documents such as IEPs, meeting the district’s audit and New York State requirements.

Board members discussed the phishing email’s subject line (which impersonated Superintendent Michael Trombley). Joy said the security tool studies email flows and can quarantine phishing messages automatically once activated; she and the board said the system should be turned on as soon as testing is complete.

What’s next: technology staff expect to enable the automated protections soon; in the meantime Joy continues manual quarantining of suspicious emails and the district will pursue the pilot arrangement with its consortium.