DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Boston Public Schools To Change Student ID Cards After Flash Drive with Information Was Lost by Plastic Card Systems

Posted on August 13, 2013 by Dissent

Oops. Via WBUR, we learn of a breach involving Boston Public Schools.

Here’s the statement from BPS’s web site:

The Boston Public Schools is changing the design of Boston OneCard student ID badges, changing MBTA CharlieCard assignments and is changing library card numbers for students following a vendor’s loss of a flash drive that contained badge sticker images Friday afternoon. The vendor, Northborough-based Plastic Card Systems, is contracted to create OneCard ID badges for the upcoming school year.

None of the information contained on the drive can be used by an unauthorized person to access student records or log-in to any electronic systems. The sticker image data on the drive is limited to student names, school, age, grade, ID number, library card number, CharlieCard number and for about two-thirds of the cards, a photo. The drive did not contain any confidential student contact information, such as a home address, phone number, social security number or birth date.

BPS is sending multilingual calls and letters to families beginning today informing them of the situation and outlining our response. Families will not need to take any action and students will receive the new OneCard ID badges on schedule at the beginning of the school year. Families with questions can call (617) 635-9046during normal business hours. A fact-sheet can be downloaded here.

The drive lost by the vendor contains .pdf images that are used to print 21,054 student ID badges for students across 36 schools – which include high schools and some middle schools that span grades 6-12. Elementary schools, K-8 schools and stand-alone middle schools are not affected. Plastic Card Systems reported the company could not find the drive after picking it up from BPS on Friday afternoon. Searches Friday night and over the weekend were not successful.

“The loss of any student data by a vendor is a serious breach of protocol and we want to be sure our families know exactly what happened and what we are doing about it,” said BPS interim Superintendent John McDonough. “It is important to emphasize the information on the drive is limited to what appears on ID badges – and this cannot be used to access student records. However, we are generating new library card numbers and changing CharlieCard numbers to make sure the data on the lost drive cannot be used. We take information security extremely seriously and want to be transparent about the immediate steps we are taking to limit any impact on families due to the vendor’s loss of this drive.”

“Plastic Card Systems deeply regrets the unfortunate accidental loss of the Boston Public Schools student data files and we understand how families will be upset, as we are upset, by the situation,” said Plastic Card Systems President Don Axline. “We will make all efforts to help Boston Public Schools in addressing this situation and will assist in any way possible to quickly rectify the situation.”

What happened?

  • Our vendor, Plastic Card Systems, picked up a box of blank OneCard ID badges and a flash drive that contained student ID images and data for the badges. The company later reported it had lost track of the flash drive.
  • OneCards are the student ID badges that act as a BPS ID, a Boston Public Library card and an MBTA CharlieCard. School staff scan the badges every morning to track attendance.

What was on the lost flash drive?

  • The sticker image data on the drive is limited to student names, school, age, grade, ID number, library card number, CharlieCard number and for about two-thirds of the cards, a photo. The drive did not contain confidential student contact information, such as home address, phone number, parents’ name, social security number or birth date.
  • The drive the vendor lost contains .pdf images that are used to print stickers for 21,054 student ID badges for students across 36 schools – which include high schools and some middle schools that span grades 6-12. Elementary schools, K-8 schools and stand-alone middle schools are not affected
  • None of the information contained on the drive can be used by an unauthorized person to access student records or log-in to any electronic systems. BPS requires additional validation, such as a parents’ name, birthdate or address before releasing student information – and this information was not on the lost drive.

What is BPS doing about it?

  • Over the weekend BPS began to change the design of OneCards so the images on the lost drive can no longer be used.
  • BPS is changing CharlieCard number assignments so MBTA information on the lost drive will no longer be valid. We will also issue new library card numbers for those that were not previously activated. Students who already activated their library card have created a PIN code that prevents misuse.
  • BPS is sending automated calls to affected families and will also send letters notifying families of the situation.

What do families and students need to do?

  • Students will receive their new OneCards on time for the start of school.
  • Changes to the 2013-14 CharlieCard numbers will not affect students in any way, because these are new numbers created each year. Students with library cards will need to begin using the new card design this fall.

The lost flash drive contained badge sticker information for students in these schools:
• Another Course to College
• Boston Adult Technical Academy
• Boston Arts Academy
• Boston Community Leadership Academy
• Boston Day and Evening Academy
• Boston Green Academy
• Boston International
• Boston Latin Academy
• Boston Latin School
• Brighton High School
• Burke High School
• Charlestown High School
• Community Academy
• Community Academy of Science and Health
• Dearborn School
• Dorchester Academy
• East Boston High School
• English High School
• Excel High School
• Fenway High School
• Horace Mann School
• Greater Egleston High School
• Kennedy Health Careers Academy
• Lyon High School
• Madison Park High School
• Margarita Muñiz Academy
• McKinley Preparatory High School
• McKinley South End Academy
• Newcomers Academy
• New Mission High School
• O’Bryant School for Math and Science
• Quincy Upper School
• TechBoston Academy
• Snowden International High School
• Urban Science Academy
• West Roxbury Academy

Related posts:

  • Kept in the Dark — Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden
Category: Education SectorLost or MissingSubcontractor

Post navigation

← Ca: Norfolk General Hospital notifies 1,300 of privacy breach
ACC staffer faces inquiry after clients’ records stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Air Force Employee Pleads Guilty to Conspiracy to Disclose Unlawfully Classified National Defense Information
  • UK police arrest four in connection with M&S, Co-op and Harrods cyberattacks (1)
  • At U.S. request, France jails Russian basketball player Daniil Kasatkin on suspicion of ransomware conspiracy
  • Avantic Medical Lab hacked; patient data leaked by Everest Group
  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How to Build on Washington’s “My Health, My Data” Act
  • Department of Justice Subpoenas Doctors and Clinics Involved in Performing Transgender Medical Procedures on Children
  • Google Settles Privacy Class Action Over Period Tracking App
  • ICE Is Searching a Massive Insurance and Medical Bill Database to Find Deportation Targets
  • Franklin, Tennessee Resident Sentenced to 30 Months in Federal Prison on Multiple Cyber Stalking Charges
  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.