DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Two years later, Texas parent who reported a breach gets prosecutors off his back and his laptop returned

Posted on September 13, 2011 by Dissent

A Texas parent who reported a school district security breach involving sensitive student records spent the next two years facing federal charges and trying to get his laptop back

Back in August 2009,  DataBreaches.net reported that a parent had his work and personal computers seized by the FBI after he reported a security breach to his child’s school district, Leander ISD, and the Texas Education Agency. The parent, Mark Short, had discovered a working login on the district’s web site for a vendor-maintained database of students’ educational records. Having not received all of his child’s records that he had requested under FERPA (the federal law that gives parents the right to inspect all of their children’s education records), Short explored the database enough to confirm that it contained additional records on his child as well as sensitive information on other students. Short then notified the district of their security lapse and filed a complaint with the state.

Rather than thanking him for alerting them to their security gaffe and FERPA noncompliance, the district reportedly referred the matter to law enforcement, who treated him as a criminal.

Short informed DataBreaches.net that his personal laptop was seized by FBI agents without a search warrant “under the guise of concluding the investigation.” Short claims that he was not informed that he could refuse, and that after the FBI hung on to the computer for one week and he started insisting on its return, the FBI first obtained and served him with a search warrant for the laptop they had already seized.

Short has kept DataBreaches.net apprised of the case over the past two years, and now reports:

Two years after the FBI seized my personal property and just two days before a scheduled hearing to force the return of my computer, the US District Attorney has decided to not prosecute and return my computer.

This is after I was offered plea agreements two or more times and refused. Then I would get threatened that I would face prosecution if I did not accept.

The entire situation has been costly for Short, who lost his job due to the FBI showing up his workplace and seizing his work computer. It also created significant family stress. Short tells DataBreaches.net:

This has been a huge “pain in the ass” in order to assert individual rights and force a return of personal property – potentially improperly obtained; however, the government has really exceeded their mandate in this case. For them to seize my computer, refuse to return it (even after two years) without even making a formal charge is insane.

I can see why some people would rather just give-in to the federal government and simply forfeit their personal property. However, I cannot do that and allow the continued erosion of individual constitutional rights and freedoms.

In the meantime, the school district that had failed to turn over all his child’s records and that had failed to adequately secure access to the outsourced records has incurred no penalty for noncompliance with FERPA’s requirement nor for the breach.

What’s wrong with this picture?

Category: Breach IncidentsCommentaries and AnalysesEducation SectorExposureOf NoteOtherU.S.Unauthorized Access

Post navigation

← WA: Bonney Lake Doctor Office Burglarized
UK: Security helpline gets 174 calls from worried reservists →

7 thoughts on “Two years later, Texas parent who reported a breach gets prosecutors off his back and his laptop returned”

  1. withheld says:
    September 16, 2011 at 3:26 pm

    Serves him right. He committed a crime by rooting around in an unsecured server. Just as a burglar commits a crime by entering your house when you didn’t lock the door. The fact that security was poor doesn’t justify his criminal act. That this guy only lost his job and wasn’t arrested should count him as lucky. And besides, he deserves it for spying on his kid.

    1. Danindixie says:
      September 17, 2011 at 7:16 pm

      “Spying on his kid” – ? Are you KIDDING me? Parents cannot “spy” on their kids; by definition, they MUST and SHOULD know what their children are up to, including their grades and school performance.
      Regardless of whether he should or should not have poked around the database, the fact that the school has NOT been prosecuted is unfathomable.

      1. admin says:
        September 17, 2011 at 7:45 pm

        I share your amazement that “withheld” would consider this spying on a child. The parent was attempting to do what the FTC and every major advocacy organization recommends parents do: inspect your child’s records. In this case, the parent’s diligent efforts were thwarted by a district that seemingly decided they were only obligated to provide records if he could tell them what the records were, by name. Of course, since most parents have no idea what’s in their child’s records (which is why they should request inspection of ALL records), it’s impossible for any parent to provide such specific information. One would have to believe that the district had no knowledge of what they had uploaded to eSped or conveniently forgot about eSped when replying to his FERPA demands. Otherwise, there’s no reasonable excuse that I can find for their failure to produce the records in response to his request.

        Of course, that doesn’t justify taking matters into your own hands, but when your district withholds records and the state doesn’t enforce the law, I am not inclined to want to prosecute a parent who did not try to hide what he had done and even alerted them to their security breach so as to prevent someone less honorable from accessing those data.

  2. withheld says:
    September 20, 2011 at 9:53 am

    So let me get this straight: everyone is entitled to privacy, UNLESS they are minors, in which case their parents are justified hacking into school computers to find out if there is something they don’t know.

    This is absurd.

    1. admin says:
      September 20, 2011 at 11:23 am

      There is no privacy of minors’ education records from their parents. At age 18, the rights transfer to the student and then the parent has very limited rights.

      Parents have the right to inspect the education records to protect their children. Read FERPA and the history of the legislation some time.

      This is a data security/breach issue that would not have occurred had the district complied with FERPA. Their failure to do so doesn’t make the parent’s act legal, but it does make it somewhat understandable to anyone who’s experienced with the system and the frustration parents experience trying to protect their children by inspecting records for inaccuracies, false claims about disciplinary matters, etc.

      IMO, the only place a recognized privacy violation comes into it is to the extent that the parent viewed other students’ information, thereby violating their privacy. But for you to claim that parents who inspect or try to inspect education records that they are legally entitled to inspect are spying on their children, well, you’re entitled to your opinion, however ridiculous or trollish it seems to others.

  3. garykva says:
    September 23, 2011 at 6:33 am

    Bottom line is, there are proper procedures for requesting information. If the information is not available in a timely matter there are grievance actions one can take. Taking things into your own hands – especially if there are moral or legal issues involved is a touchy subject. Its not only his children records that he went over, the potential was for him to have viewed many other personal issues that may be listed in the school records about other children and teachers that may be sensitive. Unless the “visit” was controlled and overseen by a representative of the school or state authority, it was a bad move on his part.

    The FBI will always side with a more trusted organization over a person. If he was thinking a bit more clearer, he may have relized that after bugging them about the kids records, that they may have a mild grudge against him, and what a better way to get him off the schools’ back than to twist the story to make him look bad in the limelight. He should have contacted the local authorities and given his story there are well, it would have covered his behind alittle better. News is drama, most of the facts may or may not be hearsay. Don’t always believe everything you read as 100% accurate because dirt sells.

    He may have been the victim in this case, but next time seek legal counsel, or ask a what if question to the state board of education before you dive into something thats a potential slap upside the head. If you would have told the state about the insecurity of the site, and the fact that they have been ignoring your requests, you’d still have your job and they may not.

  4. Mathieu says:
    September 26, 2011 at 12:34 pm

    This is an amazing story, thank you Databreaches for publishing it for our consumption.

    I’m always amazed the people out there with the “Serves him right” attitude. I personally would rather someone with good intentions find my information and make me aware of it so I can secure it than to have some nefarious individual find it and use it to their advantage without my knowledge.

    Admin, I’m sure you have better numbers than I do – but it costs the average citizen years of headache and thousands and thousands of dollars to get their identity sorted after it has been stolen and used illegally.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ConnectWise suspects cyberattack affecting some ScreenConnect customers was state-sponsored
  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.