Student data was among the information compromised in the December system breach reported by the Altoona Area School District last week.

According to an email sent Friday to parents and guardians, student names, address and, in some cases, date of birth, were accessed in the cybersecurity incident.

Superintendent Charles Prijatelj said the district is working with cybersecurity experts to investigate the scope and nature of the breach and will notify “those directly affected” when the investigation is complete.

The district does not store personal credit card information or student Social Security numbers on any district server, according to information provided to families.

In addition to the email, Prijatelj included a list of frequently asked questions regarding the breach, notably that the cyber attack occurred in December 2021.

The district did not announce the breach until last week, after the Mirror received several phone calls about teacher information being released on the dark web.

According to one caller, teacher names, full addresses, telephone numbers, Social Security numbers and insurance ID numbers were found on the dark web. The caller said some people learned of the information breach from credit card alert apps.

During an interview Thursday, Prijatelj said the district faces about 100 cyber attacks each week.

“Our system is bombarded on a regular basis,” he said.

In the December attack, though, Prijatelj said the hackers were able to encrypt the district’s routing server before its security systems locked the perpetrators out.

The district notified the FBI of the breach and is working with Arete, a cybersecurity company, amid the ongoing investigation.

Prijatelj admitted last week that a ransom was demanded and that the district did not pay.

In the FAQ sent to students’ families, the district said once the attack was discovered, the IT team took steps to contain the incident and temporarily took systems offline in an effort to protect the district’s internal network.

In addition to Arete, the district has engaged external legal counsel to assist with the investigation and remediation efforts.

“We are currently investigating the incident with the support of third-party forensics experts in order to determine the scope of the incident,” according to the district release. “While we have no evidence of misuse of this data, we are working in tandem with our expert advisors to understand the full extent of the incident.”

Former district employees also may have been affected by the breach as information on former employees is kept for recordkeeping and administrative purposes, according to the report.

The district will be providing credit monitoring for anyone potentially impacted by the breach.

In addition, the district has offered to replace insurance cards for all individuals who are insured through AASD.

The district did note that the breach was contained to the internal systems and cannot spread to other personal devices.

While the district did not give a timeframe for how long the investigation will take, Prijatelj said the district will share additional information as it becomes available.

Prijatelj’s email also included guidance to help teachers, staff and others protect personal information, including reviewing account statements, using two-factor authentication and alerts, and obtaining free credit reports.

The district said individuals may want to consider putting a fraud alert on credit reports and a security freeze on credit files. The freeze will prevent new credit from being opened in an individual’s name without the use of a PIN number issued when the freeze is initiated.

“I understand this incident has created a lot of concern and we will continue to remediate any issues that may arise,” Prijatelj said in the email.