DataBreaches.Net


Maybe we should prohibit school districts from maintaining electronic databases

Posted on November 21, 2011 by Dissent

Yes, I know that idea would send us back in time, but yet another ridiculous data breach involving a public school’s system being hacked by students has me pulling my hair out and wishing for more regulation or something.  WXPI in Pennsylvania reports:

Investigators said the hacking began in May on two students’ home computers. Police said the teens tried several passwords and combinations until they broke through the school’s online security system.

Police said the students got teachers’ addresses, salaries and Social Security numbers.

Read more on WXPI. The incident occurred at Blairsville High School, which is part of the Blairsville-Saltsburg School District. In related coverage, WTAE reports that the district’s only statement was:

“The Blairsville-Saltsburg School District administration has investigated the breach and turned the matter over to the PA State Police at the Indiana Barracks. Upon advice from the district solicitor, Mr. Jack Cambest, no further statement can be made at this time.”

There is no statement on the district’s or high school’s web site.

I’ll go out on a limb here and suggest that if it only took the teens a few tries at user/pass combinations, the district did not have a strong user/pass combination on its system.

Nor do they appear to have a good log/monitoring protocol in place if the hacking/intrusions began in May and the only way they learned of the breach was because one of the students raised his hand in class and showed off by telling the class the teacher’s Social Security number!

Public school districts collect and store a tremendous amount of sensitive information on students, their parents, and families.  They also collect and store Medicaid information in those cases where Medicaid is being billed for special services being provided to a student.

Picture this:  your child’s Social Security Number, your Social Security Number, your child’s diagnoses and medications, her Medicaid number, your family’s social history, the name of your employer, any subsidies you receive, your religion, and other sensitive information are all exposed on the Internet for over a year and are indexed by search engines. Or all that wonderfully rich information is accidentally shared via a file-sharing program an employee has on their home computer that they use to login to district databases. It could happen.  And you’d have no recourse unless you could prove actual unreimbursed harm.  Your stress, your embarrassment, any time you spend trying to ensure that you do not become a victim of ID theft are all …. on you.

To my knowledge, not one school district has ever been fined for having poor security or for a data breach.  While some might argue that fining a district is tantamount to fining the victims whose tax dollars will pay for the fine, does it seem right that schools generally get off with no consequences other than the costs of breach notification and maybe credit monitoring?

The situation is likely to only get worse as the federal government seeks even more data for post-school tracking.

So what do we do?  Well, how about we start with prohibiting public schools from using Social Security numbers as identifiers – something they should have done voluntarily over a decade ago?  And we make them remove SSN from all computers so that they cannot be accidentally leaked on the Internet.   Then we can talk about the rest of it.  But let’s start with prohibiting the use of SSN.

Or do you have a better idea? If so, sound off in the Comments section.

Category: Breach Incidents, Commentaries and Analyses, Education Sector, Hack, Insider, Of Note, U.S.


2 thoughts on “Maybe we should prohibit school districts from maintaining electronic databases”

  1. major_tom says:
    November 22, 2011 at 7:09 am

    If they have something to be thankful for, it’s that kids did this. It just proves that the hackers have some OTHER high value choices to exploit. It’s like fish jumping into the boat when it comes to security.

    Why can’t schools be held to a higher standard? Now think of this. These kids have learned an “art”. Others that are curious may do the same. Unless their actions are considered painful, they could end up trying this again at a future date, and with possibly dire career consequences.

    Schools have to go through certification boards, no? who certifies the school records are secure. Probably some old sap, getting ready to retire or who doesn’t give a 2-cents worth to anything. They ask some lame questions, fill out a vague Q&A interview form, sigh, sign and turn it in.

    Talk about keeping security tight at the lowest level. This is the place to start. If the new generations coming up can see a process in place, maybe they can make a difference and make this place a little more secure. As of right now, everyone else is failing miserably at security. For those that get offended by “everyone”, I assume you’re not out there doing more than your share.
    Awareness training goes a long way. Especially in the young environment. About every 4 years have an FBI rep visit a school, or have the school visit a regionally sponsored mandatory event at an auditorium and make the kids understand what others have received in jailtime for PII and SSN abuse. Include crime awareness training and offer anonymous toll free lines to report suspicious activities.

    That will set the tone for them. Then all actions of PII or SSN abuse, the person responsible for the breach/leak/insider should have a mandatory jail sentence or other serious infraction. Most just are forced to retire, resign or otherwise. What’s that tell me? They just move on to somewhere else to do potentially where they left off. No mandatory training, or public service time calling the customers and saying “I’m sorry, I am one of the individuals that have compromised your identity”. No one has the…… fortitude to make the events shameful because it will bring unwanted shame to the accused. LOL. Geesh. Tell that to the victims. The system is broke – – – minus the crooks who are taking full advantage of the issues without much retaliation from the justice systems. Crazy.

    1. admin says:
      November 22, 2011 at 7:43 am

      “who certifies the school records are secure.”

      If a business promises security and fails wildly, they may face problems with the FTC for deceptive practices. What is the equivalent for a school district that promises to keep student data secure but is ridiculously lax in security? Has the U.S. Dept. of Education ever done anything about lax data security by a public school district or state education department? Have they ever even audited districts or required states to conduct real audits? As far as I know, the answers are no, no, and no.

      If your kid can’t be trusted to drive safely, you don’t just buy them a car and toss them the keys. If schools can’t be trusted to do a reasonable job of securing sensitive data, maybe we shouldn’t allow them to put themselves and others at risk.
