Pembroke Public Schools personal data on the Net

Date Reported:
10/3/07

Organization:
Pembroke Public Schools

Contractor/Consultant/Branch:
None

Victims:
"people employed by, or volunteering in, the Pembroke Public Schools over the last four years"

Number Affected:
Unknown*

*An indication of the size of the school district is that there were 199 FTEs in 2006, according to the "district profile".

Types of Data:
Name, date of birth, and Social Security number

Breach Description:
Personally identifiable information pertaining to Pembroke Public Schools employees and volunteers was stored on a server in clear text, accessible via the Internet without authentication for almost five months (May 2007 to October 2, 2007).

Reference URL:
Letter dated October 3rd from Pembroke Public Schools Superintendent Frank Hackett
The Patriot Ledger Online Story

Report Credit:
Pembroke Public Schools

Response:
Taken from the official letter dated October 3rd, 2007 written by Pembroke Public Schools Superintendent Frank Hackett and the Patriot Ledger:

"Personal information on anyone who worked or volunteered for the Pembroke schools in the last four years was accessible via the Internet because of a weakness in the district’s computer system"

"I am writing to inform you that late yesterday afternoon we discovered a technical weakness associated with data storage on one of our computer servers that could have allowed someone to access personal information on people employed by, or volunteering in, the Pembroke Public Schools over the last four years"
[Comfyllama] This is more of an "administrative" weakness than it is a "technical" weakness.  This is a HUGE oversight on the part of whoever manages security for the school district.

"To the best of our knowledge, this information could have been accessible from May 2007 to October 2, 2007."

"The information would have included the person's name, date-of-birth and social security number. Once we learned of this problem, we took immediate corrective action: access to these files is no longer available. A full investigation is ongoing to establish the facts surrounding this incident."

"‘It was not easy to get to, but it was there, so, ultimately, there was some exposure to confidential personal data,’ Hackett said Monday. ‘It just was there, lying dormant, unless you came across it through a search engine.’"
[Comfyllama] I understand the comment, but from a security standpoint this means nothing.

"Hackett said the files may still exist as what are known as cached files on the Google search engine."
[Comfyllama] Say what? #1, there are more caching search engines than just Google.  #2, did anyone contact the search engines to have the information removed?  Correct me if I am wrong, but removing information from Google's cache takes weeks unless there is a court order.

"Town officials have spent several days trying to get in touch with Google and getting outside help, the superintendent said."
[Comfyllama] Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, Phone: +1

"‘We're pretty confident that they (the files) are no longer available,’ School Committee Chairman Michael Tropeano said."
[Comfyllama] Say what? "Pretty confident"? Oh boy.

"It is important to note that there was no criminal penetration of our server or any of the personal information on that server, and that all files were secured as of the evening of October 2, 2007."

"Tropeano said someone ‘would have to have had the exact file name and location on the server, so it's not as though you could go there and type in our long Web address and (the data) would just pop up.’"
[Comfyllama] This is an almost comical statement.  Seems like we have had more than our share of "security through obscurity" type comments in breaches lately.

"We apologize for this very unfortunate incident. If you have any questions, or if we may be of any assistance, please contact us at ."

Commentary:
I get the feeling that everyone involved with this breach has little experience in protecting confidential information.  My advice would be that if you don't know how to protect confidential information, then don't collect it and certainly don't try to store it.  Social Security numbers stored in clear text on a server that is accessible through the Internet without authentication are a recipe for disaster.

Consider this data compromised, no matter how hard it may have been to find.  I would be amazed if this file was not accessed at some point during the almost five months of exposure.
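As an added example (not code from the original post or from the school district), here is the kind of defender-side check a district's IT staff could run against their own web server's document root: walk the directory, flag any file containing values shaped like a Social Security number, and report it before a search engine indexes it. The filter applies the Social Security Administration's published structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut down false positives. The sample web root and every record in it are constructed for the demo; the paths and the `scan_web_root` helper are assumptions of this example.

```python
import os
import re
import tempfile

# Structural pattern for a US SSN written with dashes: AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers that the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list:
    """Return every SSN-shaped value in `text` that passes the structural check."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def scan_web_root(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a directory the web server exposes; map each offending file (relative path) to its hit count.

    Binary or unreadable files are skipped rather than failing the whole scan, and very large files
    are ignored so a log archive does not stall the run.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = len(hits)
    return findings


def demo() -> dict:
    """Build a constructed web root (hypothetical files, fake numbers) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        # Hypothetical export left in a web-served folder; the two SSNs are structurally valid fakes.
        with open(os.path.join(root, "reports", "staff_2006.csv"), "w", encoding="utf-8") as fh:
            fh.write("name,dob,ssn\n")
            fh.write("Jane Doe,1970-01-01,123-45-6789\n")
            fh.write("John Roe,1980-02-02,234-56-7890\n")
        # A page whose dashed numbers all violate the SSA rules; it must produce no findings.
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
            fh.write("<p>000-12-3456 666-12-3456 900-12-3456 123-00-4567 123-45-0000</p>\n")
        return scan_web_root(root)


if __name__ == "__main__":
    for rel_path, count in demo().items():
        print(f"{rel_path}: {count} SSN-like value(s) -- move behind authentication or encrypt")
```

Run it against the real document root (`scan_web_root("/var/www/html")`, path assumed) on a schedule; any hit means clear-text PII is reachable by whoever can fetch the file, regardless of how obscure its name is.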

Past Breaches:
Unknown
