On the principle of “no good deed goes unpunished,” some of those who have discovered and reported breaches have been terminated or prosecuted for their actions, such as Providence Home Services systems analyst Steven Shields who alleged that he was fired for reporting a breach, John Denning who alleges that Kaiser fired him because he reported breaches, and more recently, Andres Reyes and Howard Jordan, who allege that they were fired for reporting security breaches at Lake Worth Utilities. Now a parent of a disabled student alleges that he is being investigated by the FBI because he discovered and reported a security breach that his child’s school district has not owned responsibility for.
Under the federal law known as FERPA, parents have the right to inspect their child’s education records. But as many parents learn, a request for those records often does not result in all of the child’s records being produced because records are often scattered across different offices and service providers without any central system of tracking records.
And so it was that Mark L. Short, a parent of a special education student residing in the Leander ISD, found himself trying to figure out how to get the district to provide all of his child’s records if he didn’t know what the records were and where they were. The request for records was not a matter of idle curiosity to Short, who had a dispute with the district over a disciplinary matter and sought the records as part of his case. Short informs this site that by reading the Special Education section of the district’s public web site in February, he first learned that many education records were being stored on a server in Massachusetts through eSped (www.esped.com).
He claims that it wasn’t until four months later, however, when he went back to a publicly available document on Leander’s web site called “Welcome to the World of eSped” that he noticed that screen shots of the eSped system in that public document displayed logins and passwords to the system. Short informs this site that he impulsively tested one of the logins on eSped’s site and found that it gave him access to Leander’s special education records.
According to Short, not only was he able to access records on his own child, but he determined that he could access other students’ records as well. The records included progress reports and special education documents on students as well as medical reports and in some cases, Social Security Numbers.
Furthermore, Short alleges that because Leander’s publicly available “welcome” document instructed personnel to initially login to the eSped site using the format [email protected] and the default password “lisd,” the system was wide open to anyone who simply looked at a roster of school personnel and input the name with “lisd” as the password until they found someone who had not changed the default password.
According to Short, the document had been publicly available for at least four months. It is not clear when that file was first uploaded to Leander’s public web site, and the district has neither acknowledged nor denied that it contained a working login and password.
Short says that on June 26, he contacted the school district and the Texas Education Agency (TEA) to alert them to the situation and to ask the state to investigate and ensure that the district complied with both federal special education law and FERPA in terms of providing adequate privacy and security protection of the records and in terms of maintaining a list so that the district knew what records it had on each student and where the records were located. According to Short, the district did not respond to his June 26th notification of the breach although his phone indicated a missed call with no message from them on either July 6 or July 7. He asserts that they only notified parents of the breach on July 7 after he went to the media with the story about the breach and the media started contacting the district.
In its notification to parents, Superintendent Bret Champion wrote (emphasis in the letter is as in the original letter):
Dear Parent of a Student Eligible or Considered for Special Education Services:
I want you to be aware of some information that recently came to my attention. Leander ISD received information that there was an incident of unauthorized web access to certain students’ electronic education records.These electronic records are protected by federal law, and are available to authorized employees only.Because of how seriously we take the protection of our students’ records, I want to outline the steps LISD is taking.
Upon receiving the information, the District immediately initiated an investigation and coordinated with appropriate third-party experts.(These experts are bound by a confidentiality agreement with LISD). The District quickly confirmed that its electronic records are not available to the general public via its website.
The District has not allowed any unauthorized access to student records nor disseminated any student records.Nevertheless, it appears that one individual gained unauthorized electronic access to confidential information.
The District immediately eliminated the path that was apparently used to gain the unauthorized access and took several additional steps to enhance security. At present, it does not appear that the unauthorized access involves motives related to identity theft. Nevertheless, because of the seriousness of any unauthorized access, the District has initiated a complaint with appropriate law enforcement.
While the District is not at liberty to comment further concerning an ongoing investigation, specific parent inquiries may be made to my office at 434-xxxx or 434-xxxx [redacted].
Nowhere, however, does the District’s notification address Short’s allegation that the district’s own publicly available file provided a working login and password to access the entire system.
The matter was referred by the District to the police, and the FBI subsequently opened an investigation. According to Short, a police officer and FBI agent came to his home on July 7. He tells this site that he invited them in and cooperated with them fully, explaining how he uncovered the breach and what he observed. When they asked to take his home computer, he allowed them to, even though they had no warrant. Short says that when they didn’t return it after a week, he called them to inquire about when he might get it back. On August 14, he received a terse message from them that they would contact him on August 17. On that day, two FBI agents showed up at his home and handed him a warrant dated August 12 for the computer they already had in their possession.
Short reports that the FBI also showed up at the Dallas-area firm where he worked as a software engineer and removed his office computer. On July 16, Short’s manager informed him that the FBI had seized his work computer and that he was suspended without pay until the investigation was complete. On July 21, he was informed by management that the FBI had notified his employer that there was no malicious information on the computer and that they were fine with him returning to work and accessing the internet. Although Short returned to work as per his manager’s communication, he says that it immediately became clear to him that the environment was now tense because of the FBI involvement, and he subsequently resigned his position.
So a parent who alleges that he was not given access to records that federal law says he has a right to inspect, inspected those records by exploiting an alleged security breach by the district which he then reported to them and as a result, he is now out of work and may be charged with unauthorized computer access. Granted that federal education law does not include a “help yourself” or “do it yourself” clause, but does this seem like a good use of the FBI’s resources? And do you think that this parent should be prosecuted if the facts are as he alleges?
I contacted the district to ask them to comment specifically on Short’s allegations that a document on their public web site contained a working login and password and as to whether they sent all employees an email to immediately ensure that they were not using the default “lisd” password. I also asked them whether it would have been possible to make up a name such as [email protected] and gain access using the default password or if the system verified the validity of a user’s name. Finally, I asked them to respond to Short’s claim that they were using the investigation to divert attention from their own role in the breach.
A spokesperson for the district reiterated that they would not discuss the matter as it was under investigation, but did send the following statement:
Your inquiry to the district poses several questions regarding an alleged data breach of earlier this year. As you noted, the district is not commenting on this issue since it is being investigated by the FBI. No all-employee email was sent since the system was entirely shut down to all access. In regards to validation of passwords, the district does not publicly disclose any security measures that it uses to manage its network.
The district has never referred to anyone involved in this incident as a hacker or criminal. If “parents and individuals” are posting such views on various websites, they are doing this individually, and are singularly responsible for such comments. The district does not make it a practice to respond to blogs or websites, as these are individually operated and not part of the district’s communications protocols.
While I appreciate the district’s courtesy in replying, it seems that we still have no confirmation or denial from them as to whether a document on their site provided a working login and password to the system. The district spokesperson with whom I spoke indicated that he had no information on when the FBI investigation might be concluded.