Personal Las Cruces Public Schools Special Ed information posted online
Technorati Tag: Security Breach
Date Reported:
5/7/08
Organization:
Las Cruces Public Schools ("LCPS")
Contractor/Consultant/Branch:
None
Victims:
Teachers, principals, administrators and other LCPS employees. The breach also affected students enrolled in special education programs.
Number Affected:
1,800*
*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
Types of Data:
"confidential student and staff information, including some personal identifying data"
Breach Description:
"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."
Reference URL:
LCPS news release (Word document download)
LCPS press conference (Word document download)
Las Cruces Sun-News
Report Credit:
Las Cruces Public Schools
Response:
From the online sources cited above:
LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.
"We began a thorough investigation to determine how this happened and to prevent it from happening in the future. The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."
Rounds said there is currently no indication that the data has been misused.
Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.
The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.
For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise to those affected
[Evan] The compromise has already taken place. If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.
However, the individuals affected will be notified of what information was released, he said
Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs.
Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
[Evan] It especially stinks when children are affected.
Some data for other special education students may have been released as well.
"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said
"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services. "As of today, we’ve located the data in two Internet sites and removed it. We’re continuing to search for any other locations where it may exist."
On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way. This will be paid at school district expense.
Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has access to any LCPS computer, data, or server.
"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said. "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."
Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures. This committee will be chaired by Dr. Shaun Cooper, the current Chief Information Officer at New Mexico State University. Cooper is also the former Director of Security and Research Computing at NMSU
Commentary:
Human errors will happen as long as we are humans, I suppose. Not that we should just accept defeat and use it as an excuse. There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches. Without knowing more detail, it's hard to say what could have been done better. Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc. I guess I'm not sure.
I do appreciate Mr. Rounds' response. The response to the breach and notification was swift. I also like the press conference and ad-hoc committee established to review LCPS policy and procedure. I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected).
Past Breaches:
Unknown
Date Reported:5/7/08
Organization:
Las Cruces Public Schools ("LCPS")
Contractor/Consultant/Branch:
None
Victims:
Teachers, principals, administrators and other LCPS employees. The breach also affected students enrolled in special education programs.
Number Affected:
1,800*
*1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs AND 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
Types of Data:
"confidential student and staff information, including some personal identifying data"
Breach Description:
"LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds."
Reference URL:
LCPS news release (Word document download)
LCPS press conference (Word document download)
Las Cruces Sun-News
Report Credit:
Las Cruces Public Schools
Response:
From the online sources cited above:
LAS CRUCES - The Las Cruces Public Schools has announced that confidential student and staff information, including some personal identifying data, was unintentionally posted on the Internet. Immediately upon learning that the data was posted, the district took steps to remove the data from the Internet site where it was found, said Superintendent Stan Rounds.
"We began a thorough investigation to determine how this happened and to prevent it from happening in the future. The investigation includes a search of the Internet to determine if the information is located anywhere online and how to remove it."
Rounds said there is currently no indication that the data has been misused.
Preliminary information indicates a part-time LCPS computer data analyst unintentionally posted information from a secure LCPS special education computer database, named SEAS (Special Education Automated System), and placed it onto an un-secure website.
The data in question was contained within two electronic database files that were posted on the Internet between Tuesday, April 29 and Monday, May 5, 2008.
For the time being, Rounds said he is not disclosing what specific information was posted online to prevent any potential compromise to those affected
[Evan] The compromise has already taken place. If a bad guy/gal is in possession of the information, he/she probably knows what he/she has without us having to tell him/her.
However, the individuals affected will be notified of what information was released, he said
Those affected include 1,750 teachers, principals, administrators and other LCPS employees who had access to the SEAS system because they work with special education children or programs.
Also affected were 50 students enrolled in special education programs at various LCPS schools, local charter schools, and home schools
[Evan] It especially stinks when children are affected.
Some data for other special education students may have been released as well.
"We’ve already begun to notify the affected individuals about what specific information is involved and we will assist them in taking appropriate safeguards," Rounds said
"If we find any of the information on the web, we will immediately take all appropriate steps to have it removed," said Jeff Harris, LCPS director of technology support services. "As of today, we’ve located the data in two Internet sites and removed it. We’re continuing to search for any other locations where it may exist."
On Monday, May 5, when the Superintendent learned of the potential breach, he directed that each student and staff member affected be provided credit fraud protection for up to one year to ensure their private information was not jeopardized in any way. This will be paid at school district expense.
Rounds said the experienced part-time employee who unintentionally disclosed the data has been placed on administrative leave and no longer has access to any LCPS computer, data, or server.
"LCPS goes to great lengths to ensure student and staff confidentiality, but this incident appears to be caused by human error," Rounds said. "This also highlights the need for the district to review its data security and privacy policies to make sure it never happens again."
Rounds said an ad-hoc committee is being established to immediately review LCPS policies and procedures. This committee will be chaired by Dr. Shaun Cooper, the current Chief Information Officer at New Mexico State University. Cooper is also the former Director of Security and Research Computing at NMSU
Commentary:
Human errors will happen as long as we are humans, I suppose. Not that we should just accept defeat and use it as an excuse. There are numerous controls with varying degrees of effectiveness that information security personnel implement to reduce the frequency and impact of human error related breaches. Without knowing more detail, it's hard to say what could have been done better. Was the cause of this breach simple oversight or lack of awareness, poor training, lack of production control (no formal review and approval process for posting information to public sites), etc. I guess I'm not sure.
I do appreciate Mr. Rounds' response. The response to the breach and notification was swift. I also like the press conference and ad-hoc committee established to review LCPS policy and procedure. I hope that the committee and effort will be ongoing long after this breach is forgotten (by those not personally affected).
Past Breaches:
Unknown
Posts Atom 1.0
Comments