Breach affects "every student enrolled at Joliet West High School"
Date Reported:
4/10/08
Organization:
Joliet Township High Schools District 204
Contractor/Consultant/Branch:
Joliet West High School
Victims:
Students
Number Affected:
"every student enrolled at Joliet West High School"*
*According to the Joliet West High School Report Card there were 2,584 students enrolled in 2007
Types of Data:
Names and Social Security numbers
Breach Description:
"JOLIET -- Police say a student using a school computer last month was able to access personal information about every student enrolled at Joliet West High School."
Reference URL:
The Herald News
Report Credit:
Brian Stanley, The Herald News
Response:
From the online source cited above:
JOLIET -- Police say a student using a school computer last month was able to access personal information about every student enrolled at Joliet West High School.
The student allegedly downloaded a list of names and Social Security numbers to his iPod on March 7, according to reports.
Police Chief Fred Hayes said the school learned George C. Janecek, 18, had gotten the information after he showed it to other students who notified a teacher that day.
"Apparently, Janecek, who is in the school's ROTC program, has authorized access to a computer at the school to work on the ROTC Web site," said Hayes. "But he does not have authorized access to student data."
[Evan] I wonder. I doubt that Mr. Janecek circumvented (or some people call it "hacked") the systems to access the information. He may not have had explicit access, meaning nobody told him specifically that he is authorized to access the personal information, but I am guessing that he was "authorized", meaning that his user account was allowed access (due to process deficiencies, poor information security governance, whatever).
The school conducted an internal investigation which concluded March 13 when they notified Joliet police of the breach.
"We conducted an investigation that day and arrested Janecek on a misdemeanor charge of computer tampering," Hayes said.
Police seized the computer and iPod he reportedly used.
"Our investigation determined none of the data was used or disseminated," Hayes said.
[Evan] Really? How would the school's investigation determine this? Admittedly I have never forensically examined an iPod before, but I wonder how you could determine that the information was not transferred or disseminated elsewhere. Mr. Janecek must have been pretty proud of his conquest if he was bragging about it to other students.
School district spokeswoman Kristine Schlismann said the issue is a police matter.
[Evan] The singular issue in dealing with Mr. Janecek and his actions may be a police matter, but the school district should not discount the other issues that may exist around their information security program (if it exists).
"Investigators have assured us that there is no reason to believe that any accessed information was communicated to third parties," she said. "In compliance with the Illinois Personal Information Protection Act, a letter will be sent to any person whose personal information may have been obtained."
Commentary:
I assume that there are many, many schools across the nation that do not adequately secure personal information. I am surprised that we don't hear about more breaches like this one. Assuming that they do occur, maybe the schools are not even aware.
Past Breaches:
Unknown
