There has been another development in a data breach involving the Sachem Central School District on Long Island (previous coverage here and here). As I commented previously, it sounded to me like they suspected an insider breach but it wasn’t clear if it was an employee or a student hacker they suspected. Well, now we know, as an arrest has been made. Newsday reports that a 17-year-old teenager who had been a student at the Sachem High School North allegedly accessed and downloaded Sachem students’ records in 2012 and 2013 and uploaded data to 1Apps.com and Sachemspun.com.
The district contacted the police on November 8 after learning that some information had been uploaded to a web page, although as the district’s FAQ on the breach notes, they first became aware of the breach in July and again in August, when they also reportedly contacted the police.
The information leaked online reportedly included a list of 15,000 student names dating back to the early 2000s and school identification numbers and lunch designations. There was also another list with 12,000 names and school identification numbers posted, but only about 900 of those were different than what had been posted already. Additionally, records for about 360 Sachem High School East graduates from 2008 were also posted, along with a report on about 130 Sachem High School North students in the 2010-2011 year who received “instructional services in an alternative setting,” the district said in a statement on the district’s website.
Matthew Calicchio has been charged with felony computer trespass and is expected to be arraigned today.
So… it seems that the district did not detect when the database was breached in 2012 or 2013, and had the hacker not uploaded the data to a local web site, the breach might never have been detected. What does that say about the state of data security for the school district? Note that while some of the data uploaded does not seem to be too sensitive, free lunch program status does convey information about the families’ economic situation, and information on students educated in alternative settings suggests that those records include what should be protected information about students with disabilities (or in some cases, perhaps, disciplinary problems leading to other settings).
The district says it has complied with NYS data breach notification law:
Notices compliant with the New York State Technology Law and General Business Law are being generated to individuals whom we reasonably believe were affected by this criminal act. We have been in contact with the Office of the New York State Attorney General in this regard as well.
No free credit monitoring services have been offered to anyone and the district says Social Security numbers were not involved. But until the teen’s hard drive is searched, it may be premature to suggest that what was uploaded to web sites was all of what was acquired.
From my reading of the situation, my guess is that the teen was able to get a staff member’s login credentials and used them to access the system.
Of course, nothing ever really happens to districts who experience these kinds of breaches. The U.S. Education Department doesn’t require breaches be reported to them and NYS is unlikely to do anything. Could the FTC do something? Yes, but historically, they have been hands-off in the education sector. Frankly, I wish the FTC would go after a few educational institutions at the K-12 and post-secondary level. With more districts compiling and sharing more student data that includes parental income and other details, the need for data security in the education sector has never been greater.
Update 1: The teen has pleaded not guilty. Of note, the prosecutor claims the teen allegedly also “downloaded and took” student Social Security numbers and medical information. There was no indication as to whether it was uploaded to any site. Since the district’s public statements about the breach denied SSNs were taken and made no mention of medical information, it’s time for local reporters to go back to the district and clarify exactly what types of information really were involved in this breach.