Yes, I know that idea would send us back in time, but yet another ridiculous data breach involving a public school’s system being hacked by students has me pulling my hair out and wishing for more regulation or something. WXPI in Pennsylvania reports:
Investigators said the hacking began in May on two students’ home computers. Police said the teens tried several passwords and combinations until they broke through the school’s online security system.
Police said the students got teachers’ addresses, salaries and Social Security numbers.
Read more on WXPI. The incident occurred at Blairsville High School, which is part of the Blairsville-Saltsburg School District. In related coverage, WTAE reports that the district’s only statement was:
“The Blairsville-Saltsburg School District administration has investigated the breach and turned the matter over to the PA State Police at the Indiana Barracks. Upon advice from the district solicitor, Mr. Jack Cambest, no further statement can be made at this time.”
There is no statement on the district’s or high school’s web site.
I’ll go out on a limb here and suggest that if it only took the teens a few tries at user/password combinations, the district did not have strong credentials on its system, and evidently nothing that locked an account after repeated failed attempts.
Nor does the district appear to have had a good logging and monitoring protocol in place, if the intrusions began in May and the only way it learned of the breach was because one of the students raised his hand in class and showed off by telling the class the teacher’s Social Security number.
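The monitoring gap described above is the kind of thing a simple failed-login detector catches. What follows is an added example, not code from the original post or from the district: it parses a constructed authentication log in an assumed `timestamp FAIL|OK user=… src=…` format (the portal, usernames and addresses are hypothetical) and flags any user/source pair that accumulates five failures within ten minutes, noting whether a success followed the streak, which is both the signature of a password-guessing run and the attempt a five-strike lockout would have refused.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for a hypothetical staff portal.
# Format (assumed, not the district's): "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
# Usernames are made up; 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
2009-05-04T21:02:11 FAIL user=jsmith src=203.0.113.7
2009-05-04T21:02:19 FAIL user=jsmith src=203.0.113.7
2009-05-04T21:02:27 FAIL user=jsmith src=203.0.113.7
2009-05-04T21:02:35 FAIL user=jsmith src=203.0.113.7
2009-05-04T21:02:44 FAIL user=jsmith src=203.0.113.7
2009-05-04T21:02:52 OK   user=jsmith src=203.0.113.7
2009-05-04T22:10:05 OK   user=mjones src=198.51.100.4
2009-05-05T07:31:00 FAIL user=mjones src=198.51.100.4
2009-05-05T07:31:40 OK   user=mjones src=198.51.100.4
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one (user, src) pair accumulates `threshold` failures inside `window`.

    `success_after` is set when a login succeeds for that pair while `threshold` or more
    failures are still inside the window: the shape of a successful guessing run, and
    exactly the attempt a `threshold`-failure account lockout would have refused.
    """
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of failures in the window
    open_alert = {}                    # (user, src) -> alert dict awaiting a success
    alerts = []
    for ts, result, user, src in sorted(events):
        key = (user, src)
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in recent_fails[key] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            recent_fails[key] = recent
            if len(recent) >= threshold:
                if key not in open_alert:
                    alert = {"user": user, "src": src, "failures": len(recent),
                             "first": recent[0], "last": ts, "success_after": False}
                    alerts.append(alert)
                    open_alert[key] = alert
                else:  # streak continues: extend the existing alert
                    open_alert[key]["failures"] = len(recent)
                    open_alert[key]["last"] = ts
        else:  # OK: close any open alert for this pair and reset its failure streak
            if key in open_alert:
                open_alert.pop(key)["success_after"] = len(recent) >= threshold
            recent_fails[key].clear()
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}@{a['src']}: {a['failures']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, success after: {a['success_after']}")
```

Run against the sample, the detector reports one alert: the jsmith/203.0.113.7 pair, five failures in 33 seconds followed by a success, while mjones's single typo on the next morning stays below the threshold. Keying on the user/source pair rather than the source alone is deliberate: a guesser rotating through many accounts from one address still shows up per account, and a lockout policy operates per account anyway.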
Public school districts collect and store a tremendous amount of sensitive information on students, their parents, and families. They also collect and store Medicaid information in those cases where Medicaid is being billed for special services provided to a student.
Picture this: your child’s Social Security number, your Social Security number, your child’s diagnoses and medications, her Medicaid number, your family’s social history, the name of your employer, any subsidies you receive, your religion, and other sensitive information are all exposed on the Internet for over a year and indexed by search engines. Or all that wonderfully rich information is accidentally shared via a file-sharing program an employee has on the home computer they use to log in to district databases. It could happen. And you’d have no recourse unless you could prove actual unreimbursed harm. Your stress, your embarrassment, any time you spend trying to ensure that you do not become a victim of ID theft are all… on you.
To my knowledge, not one school district has ever been fined for having poor security or for a data breach. While some might argue that fining a district is tantamount to fining the victims whose tax dollars will pay for the fine, does it seem right that schools generally get off with no consequences other than the costs of breach notification and maybe credit monitoring?
The situation is likely to only get worse as the federal government seeks even more data for post-school tracking.
So what do we do? Well, how about we start with prohibiting public schools from using Social Security numbers as identifiers – something they should have done voluntarily over a decade ago? And we make them find and remove SSNs from all district computers so that they cannot be accidentally leaked on the Internet. Then we can talk about the rest of it. But let’s start with prohibiting the use of SSNs.
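Removing SSNs from every district computer presupposes being able to find them. As an added example (not from the original post or any district tool), the scanner below applies the Social Security Administration’s structural rules (no area 000, 666 or 900–999, no group 00, no serial 0000) to a set of constructed records with fictional names and no real SSNs, reports which records contain candidates, and masks them down to the last four digits. The record names and contents are made up for the example.

```python
import re

# SSA structural rules: area 000, 666 and 900-999 are never issued; group 00 and
# serial 0000 are invalid. Hyphen/space separators are optional so that unformatted
# nine-digit runs are caught too (at the cost of some false positives, see scan()).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# Constructed sample records (fictional names, no real SSNs); paths are hypothetical.
SAMPLE_RECORDS = {
    "students/roster.csv": "Jane Doe,123-45-6789,grade 9\nJohn Roe,219 09 9999,grade 10\n",
    "billing/medicaid.txt": "claim ref 987-65-4321\nmember id 000-12-3456\ncontact 412-555-0199\n",
    "hr/notes.txt": "badge 555667777 issued\n",
}


def find_ssns(text):
    """Return every candidate SSN in `text`, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact(text):
    """Replace each candidate SSN with ***-**-<last four digits>."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def scan(records):
    """Map record name -> candidate SSNs, omitting records with no hits.

    Structural checks cannot distinguish a real SSN from any other nine-digit number
    that happens to satisfy them (the badge number above is such a case), so hits are
    leads for a human to review, not proof of an SSN.
    """
    result = {}
    for name, text in records.items():
        hits = find_ssns(text)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_RECORDS).items():
        print(f"{name}: {len(hits)} candidate(s): {', '.join(hits)}")
        print(redact(SAMPLE_RECORDS[name]), end="")
```

On the sample data the roster’s two formatted SSNs and the unformatted badge number are flagged, while the Medicaid file’s three lookalikes (a 9xx area, a 000 area and a 3-3-4 phone number) are correctly ignored. The same functions can be pointed at real file contents by reading each file into `SAMPLE_RECORDS`-style pairs; the redaction is what you would apply to exports and logs once the authoritative copy has moved behind a non-SSN identifier.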
Or do you have a better idea? If so, sound off in the Comments section.
If they have something to be thankful for, it’s that kids did this. It just proves that the hackers have some OTHER high value choices to exploit. It’s like fish jumping into the boat when it comes to security.
Why can’t schools be held to a higher standard? Now think of this. These kids have learned an “art”. Others that are curious may do the same. Unless their actions are considered painful, they could end up trying this again at a future date, and with possibly dire career consequences.
Schools have to go through certification boards, no? Who certifies the school records are secure? Probably some old sap, getting ready to retire or who doesn’t give 2 cents’ worth to anything. They ask some lame questions, fill out a vague Q&A interview form, sigh, sign and turn it in.
Talk about keeping security tight at the lowest level. This is the place to start. If the new generations coming up can see a process in place, maybe they can make a difference and make this place a little more secure. As of right now, everyone else is failing miserably at security. For those that get offended by “everyone”, I assume you’re not out there doing more than your share.
Awareness training goes a long way. Especially in the young environment. About every 4 years have an FBI rep visit a school, or have the school visit a regionally sponsored mandatory event at an auditorium and make the kids understand what others have received in jailtime for PII and SSN abuse. Include crime awareness training and offer anonymous toll free lines to report suspicious activities.
That will set the tone for them. Then for all actions of PII or SSN abuse, the person responsible for the breach/leak/insider incident should have a mandatory jail sentence or other serious infraction. Most are just forced to retire, resign or otherwise. What’s that tell me? They just move on to somewhere else to potentially pick up where they left off. No mandatory training, or public service time calling the customers and saying “I’m sorry, I am one of the individuals that have compromised your identity”. No one has the…… fortitude to make the events shameful because it will bring unwanted shame to the accused. LOL. Geesh. Tell that to the victims. The system is broken – – – minus the crooks who are taking full advantage of the issues without much retaliation from the justice systems. Crazy.
“who certifies the school records are secure.”
If a business promises security and fails wildly, they may face problems with the FTC for deceptive practices. What is the equivalent for a school district that promises to keep student data secure but is ridiculously lax in security? Has the U.S. Dept. of Education ever done anything about lax data security by a public school district or state education department? Have they ever even audited districts or required states to conduct real audits? As far as I know, the answers are no, no, and no.
If your kid can’t be trusted to drive safely, you don’t just buy them a car and toss them the keys. If schools can’t be trusted to do a reasonable job of securing sensitive data, maybe we shouldn’t allow them to put themselves and others at risk.