It was a heck of a week for Pulaski County Special School District employees. One hundred of them got pink slips on Wednesday in a downsizing move, and all former and current employees received emails or phone messages late Friday night alerting them to a data breach in February that had just been discovered. Cynthia Howell reports:
Pulaski County Special School District leaders said Friday that personal information about all district employees dating back to January 2012 was improperly sent to a personal email account by an employee who left the district in late February.
Primarily, the health insurance benefits information that is at issue in the data breach includes employee names and Social Security numbers, said Will Reid, the district’s chief technology officer. But in some cases, the information included additional information about district employees.
Reid said that at this point district leaders do not believe that the information has been shared with anyone beyond the one employee.
Read more on Arkansas Online.
A lot of the information needed to evaluate risk is missing. Was the employee authorized to access that personal information as part of their work? Did s/he have legitimate need of employee data back to 2012 as part of that work? Did s/he have a pattern of taking work home, and had that been permitted? When did s/he forward it to the personal email account – before or after they learned they were being terminated? And of course, does a forensic examination of their home computer indicate that the information may have been exfiltrated or copied from there?
But if employees had or have questions about the incident, they were told they could call the district’s help desk – but only after spring break.
There’s nothing like waiting to get answers when you’re worried about identity theft, right?