DataBreaches.Net

Boston Public Schools To Change Student ID Cards After Flash Drive with Information Was Lost by Plastic Card Systems

Posted on August 13, 2013 by Dissent

Oops. Via WBUR, we learn of a breach involving Boston Public Schools.

Here’s the statement from BPS’s web site:

The Boston Public Schools is changing the design of Boston OneCard student ID badges, changing MBTA CharlieCard assignments and is changing library card numbers for students following a vendor’s loss of a flash drive that contained badge sticker images Friday afternoon. The vendor, Northborough-based Plastic Card Systems, is contracted to create OneCard ID badges for the upcoming school year.

None of the information contained on the drive can be used by an unauthorized person to access student records or log-in to any electronic systems. The sticker image data on the drive is limited to student names, school, age, grade, ID number, library card number, CharlieCard number and for about two-thirds of the cards, a photo. The drive did not contain any confidential student contact information, such as a home address, phone number, social security number or birth date.

BPS is sending multilingual calls and letters to families beginning today informing them of the situation and outlining our response. Families will not need to take any action and students will receive the new OneCard ID badges on schedule at the beginning of the school year. Families with questions can call (617) 635-9046 during normal business hours. A fact-sheet can be downloaded here.

The drive lost by the vendor contains .pdf images that are used to print 21,054 student ID badges for students across 36 schools – which include high schools and some middle schools that span grades 6-12. Elementary schools, K-8 schools and stand-alone middle schools are not affected. Plastic Card Systems reported the company could not find the drive after picking it up from BPS on Friday afternoon. Searches Friday night and over the weekend were not successful.

“The loss of any student data by a vendor is a serious breach of protocol and we want to be sure our families know exactly what happened and what we are doing about it,” said BPS interim Superintendent John McDonough. “It is important to emphasize the information on the drive is limited to what appears on ID badges – and this cannot be used to access student records. However, we are generating new library card numbers and changing CharlieCard numbers to make sure the data on the lost drive cannot be used. We take information security extremely seriously and want to be transparent about the immediate steps we are taking to limit any impact on families due to the vendor’s loss of this drive.”

“Plastic Card Systems deeply regrets the unfortunate accidental loss of the Boston Public Schools student data files and we understand how families will be upset, as we are upset, by the situation,” said Plastic Card Systems President Don Axline. “We will make all efforts to help Boston Public Schools in addressing this situation and will assist in any way possible to quickly rectify the situation.”

What happened?

  • Our vendor, Plastic Card Systems, picked up a box of blank OneCard ID badges and a flash drive that contained student ID images and data for the badges. The company later reported it had lost track of the flash drive.
  • OneCards are the student ID badges that act as a BPS ID, a Boston Public Library card and an MBTA CharlieCard. School staff scan the badges every morning to track attendance.

What was on the lost flash drive?

  • The sticker image data on the drive is limited to student names, school, age, grade, ID number, library card number, CharlieCard number and for about two-thirds of the cards, a photo. The drive did not contain confidential student contact information, such as home address, phone number, parents’ name, social security number or birth date.
  • The drive the vendor lost contains .pdf images that are used to print stickers for 21,054 student ID badges for students across 36 schools – which include high schools and some middle schools that span grades 6-12. Elementary schools, K-8 schools and stand-alone middle schools are not affected.
  • None of the information contained on the drive can be used by an unauthorized person to access student records or log-in to any electronic systems. BPS requires additional validation, such as a parents’ name, birthdate or address before releasing student information – and this information was not on the lost drive.

What is BPS doing about it?

  • Over the weekend BPS began to change the design of OneCards so the images on the lost drive can no longer be used.
  • BPS is changing CharlieCard number assignments so MBTA information on the lost drive will no longer be valid. We will also issue new library card numbers for those that were not previously activated. Students who already activated their library card have created a PIN code that prevents misuse.
  • BPS is sending automated calls to affected families and will also send letters notifying families of the situation.

What do families and students need to do?

  • Students will receive their new OneCards on time for the start of school.
  • Changes to the 2013-14 CharlieCard numbers will not affect students in any way, because these are new numbers created each year. Students with library cards will need to begin using the new card design this fall.

The lost flash drive contained badge sticker information for students in these schools:
• Another Course to College
• Boston Adult Technical Academy
• Boston Arts Academy
• Boston Community Leadership Academy
• Boston Day and Evening Academy
• Boston Green Academy
• Boston International
• Boston Latin Academy
• Boston Latin School
• Brighton High School
• Burke High School
• Charlestown High School
• Community Academy
• Community Academy of Science and Health
• Dearborn School
• Dorchester Academy
• East Boston High School
• English High School
• Excel High School
• Fenway High School
• Horace Mann School
• Greater Egleston High School
• Kennedy Health Careers Academy
• Lyon High School
• Madison Park High School
• Margarita Muñiz Academy
• McKinley Preparatory High School
• McKinley South End Academy
• Newcomers Academy
• New Mission High School
• O’Bryant School for Math and Science
• Quincy Upper School
• TechBoston Academy
• Snowden International High School
• Urban Science Academy
• West Roxbury Academy

Category: Education Sector, Lost or Missing, Subcontractor
