DataBreaches.Net


Maybe we should prohibit school districts from maintaining electronic databases

Posted on November 21, 2011 by Dissent

Yes, I know that idea would send us back in time, but yet another ridiculous data breach involving a public school’s system being hacked by students has me pulling my hair out and wishing for more regulation or something.  WXPI in Pennsylvania reports:

Investigators said the hacking began in May on two students’ home computers. Police said the teens tried several passwords and combinations until they broke through the school’s online security system.

Police said the students got teachers’ addresses, salaries and Social Security numbers.

Read more on WXPI. The incident occurred at Blairsville High School, which is part of the Blairsville-Saltsburg School District. In related coverage, WTAE reports that the district’s only statement was:

“The Blairsville-Saltsburg School District administration has investigated the breach and turned the matter over to the PA State Police at the Indiana Barracks. Upon advice from the district solicitor, Mr. Jack Cambest, no further statement can be made at this time.”

There is no statement on the district’s or high school’s web site.

I’ll go out on a limb here and suggest that if it only took the teens a few tries at user/pass combinations, the district did not have a strong user/pass combination on its system.

Nor do they appear to have a good log/monitoring protocol in place if the hacking/intrusions began in May and the only way they learned of the breach was because one of the students raised his hand in class and showed off by telling the class the teacher’s Social Security number!

Public school districts collect and store a tremendous amount of sensitive information on students, their parents, and families. They also collect and store Medicaid information in those cases where Medicaid is being billed for special services being provided to a student.

Picture this: your child’s Social Security Number, your Social Security Number, your child’s diagnoses and medications, her Medicaid number, your family’s social history, the name of your employer, any subsidies you receive, your religion, and other sensitive information are all exposed on the Internet for over a year and are indexed by search engines. Or all that wonderfully rich information is accidentally shared via a file-sharing program an employee has on their home computer that they use to log in to district databases. It could happen. And you’d have no recourse unless you could prove actual unreimbursed harm. Your stress, your embarrassment, any time you spend trying to ensure that you do not become a victim of ID theft are all … on you.

To my knowledge, not one school district has ever been fined for having poor security or for a data breach.  While some might argue that fining a district is tantamount to fining the victims whose tax dollars will pay for the fine, does it seem right that schools generally get off with no consequences other than the costs of breach notification and maybe credit monitoring?

The situation is likely to only get worse as the federal government seeks even more data for post-school tracking.

So what do we do?  Well, how about we start with prohibiting public schools from using Social Security numbers as identifiers – something they should have done voluntarily over a decade ago?  And we make them remove SSN from all computers so that they cannot be accidentally leaked on the Internet.   Then we can talk about the rest of it.  But let’s start with prohibiting the use of SSN.

Or do you have a better idea? If so, sound off in the Comments section.

Category: Breach Incidents, Commentaries and Analyses, Education Sector, Hack, Insider, Of Note, U.S.


2 thoughts on “Maybe we should prohibit school districts from maintaining electronic databases”

  1. major_tom says:
    November 22, 2011 at 7:09 am

    If they have something to be thankful for, it’s that kids did this. It just proves that the hackers have some OTHER high value choices to exploit. It’s like fish jumping into the boat when it comes to security.

    Why can’t schools be held to a higher standard? Now think of this. These kids have learned an “art”. Others that are curious may do the same. Unless their actions are considered painful, they could end up trying this again at a future date, and with possibly dire career consequences.

    Schools have to go through certification boards, no? Who certifies the school records are secure? Probably some old sap, getting ready to retire or who doesn’t give a 2-cents worth to anything. They ask some lame questions, fill out a vague Q&A interview form, sigh, sign and turn it in.

    Talk about keeping security tight at the lowest level. This is the place to start. If the new generations coming up can see a process in place, maybe they can make a difference and make this place a little more secure. As of right now, everyone else is failing miserably at security. For those that get offended by “everyone”, I assume you’re not out there doing more than your share.
    Awareness training goes a long way. Especially in the young environment. About every 4 years have an FBI rep visit a school, or have the school visit a regionally sponsored mandatory event at an auditorium and make the kids understand what others have received in jailtime for PII and SSN abuse. Include crime awareness training and offer anonymous toll free lines to report suspicious activities.

    That will set the tone for them. Then all actions of PII or SSN abuse, the person responsible for the breach/leak/insider should have a mandatory jail sentence or other serious infraction. Most just are forced to retire, resign or otherwise. What’s that tell me? They just move on to somewhere else to do potentially where they left off. No mandatory training, or public service time calling the customers and saying “I’m sorry, I am one of the individuals that have compromised your identity”. No one has the…… fortitude to make the events shameful because it will bring unwanted shame to the accused. LOL. Geesh. Tell that to the victims. The system is broke – – – minus the crooks who are taking full advantage of the issues without much retaliation from the justice systems. Crazy.

    1. admin says:
      November 22, 2011 at 7:43 am

      “who certifies the school records are secure.”

      If a business promises security and fails wildly, they may face problems with the FTC for deceptive practices. What is the equivalent for a school district that promises to keep student data secure but is ridiculously lax in security? Has the U.S. Dept. of Education ever done anything about lax data security by a public school district or state education department? Have they ever even audited districts or required states to conduct real audits? As far as I know, the answers are no, no, and no.

      If your kid can’t be trusted to drive safely, you don’t just buy them a car and toss them the keys. If schools can’t be trusted to do a reasonable job of securing sensitive data, maybe we shouldn’t allow them to put themselves and others at risk.
