DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Rostering, Provisioning, Owning Your Stack, and Transparency: a Look at Lewis Palmer

Posted on May 28, 2016 by Dissent

The Lewis Palmer School District data security vulnerability and breach continues to concern parents, and I had updated my original post with some observations by Bill Fitzgerald. Now Bill has written his own post on the situation. Giving myself unbridled permission to quote liberally from his thoughtful write-up, here’s part of it:

At the 5/19 school board meeting, a parent shared her experience speaking with the district IT staff. In her public comments, she shared talking with school officials in the fall of 2015 about some of her concerns. The testimony begins at the 53:40 mark of the video. In her testimony, it appears like the student’s login id to Google Apps is the same as their student ID. Therefore, based on how Google Apps works, student emails would also be student IDs, thus ensuring that kids in a class know everyones login ID.

I’m concerned that children are having to log into GAFE with their student ID numbers. And I was told that is just the way it is.

At this point, it’s worth noting that just knowing someone’s login ID is not sufficient to gain access. If, however, passwords were known, then that is a serious privacy issue.

And, it appears that the Lewis Palmer School District used birthdays as passwords, and announced this online from at least September 24, 2013 to March 14, 2016.

Read more on FunnyMonkey.

To be clear, Bill is hypothesizing as to what might have happened and how it happened, but his analysis makes sense. What doesn’t make sense is why the district didn’t address the issue.  Yes, it’s time-consuming and inconvenient to re-assign credentials, but given the risks of not doing this properly, and the amount of sensitive information that could be obtained by a curious peer or parent, the situation demanded an effective response. Allowing the situation to continue with the vulnerability strikes me as wildly inconsistent with any claims to care about privacy and data security.

 

Category: Education SectorOtherU.S.

Post navigation

← AU: Recruitment agency accused of dumping thousands of documents containing jobseeker’s confidential data in a skip bin outside recently closed store
NY: Holley Central School District investigates possible hacking →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation
  • Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • Ireland’s Data Protection Commission publishes 2024 Annual Report
  • The headlines suggested Freedman Healthcare suffered a ransomware attack that affected patient data. The reality was quite different.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data
  • DOJ Seeks More Time on Tower Dumps

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.