Williamson County Schools learns of breach reported nine months ago

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidentally posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidentally posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen?  If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding.  Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools, Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement.  Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information.  Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist, Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber?  This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment?  Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information," said Sharber.
[Evan] The Liberty Coalition went public with this breach in October, 2007.  I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches.  I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing," said Sharber.

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company".  Of course FRSecure would be glad to help.  I promise to keep the plugs to a minimum.

Commentary:
OK.  We all know that a breach affecting kids is especially bad.  We all know that we are all human and all humans make mistakes.  I presume that there are a number of risky information security behaviors at Williamson County Schools.  This risky behavior just so happened to expose personal information online.  What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role.  I appreciate the motives of Aaron Titus and the Liberty Coalition.  He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about).  My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people.  What drew my attention to his report was not the breach itself, but the way in which he proceeded to report it.  Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007, which is more than 9 months before the victims were ever made aware!  According to the Liberty Coalition press release: "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals."  It would have been nice if the victims were notified prior to a public press release.  I wonder why Mr. Nugent's relationship with the school district wasn't known earlier.  I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

Because some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

 
Comments
  • 7/13/2008 2:45 PM Dissent wrote:
    Attrition.org and PogoWasRight.org both took strong exception to Liberty Coalition's methods. What especially concerns me is that they have created digital footprints on students who would otherwise have no digital footprints via a Google search. See my blog entries on them here, here, here and here.
  • 7/15/2008 10:19 PM FW wrote:
    You are so right about questioning Liberty Coalition. The information that they list about teachers that had information posted, included School Name. I don't think that they try very hard to notify the organizations that are affected. A quick Google search of just one of the elementary schools involved reports back in just .21 seconds.

    Maybe if they knew it was Tennessee Students, I don't know, drop a line to the Tennessee Department of Education.

    Anyway, I think that Mr. Titus and his organization are less interested in protecting the innocent than they are at tooting their own horn.

    A Pox on you Liberty Coalition.
  • 7/22/2008 11:23 AM wcs student wrote:
    I had a friend of the family call my house and read my social security number from a public site. The information may have been taken down from the private website, but that doesn't mean our information isn't still out there floating around.

    It is also ridiculous for Williamson County to say they will cover us for a year! What happens if I find out in two years that someone has taken my identity? It would no longer be Williamson County's fault and I would have to fix the problem at my own expense? That's unfair and wrong of Sharber!
    1. 7/22/2008 12:34 PM Dissent wrote:
      *Which* public web site? And were other students' SSN on the public web site?

      Either let Evan know the web site, or email me with the web site info. If info is still out there from the original breach, WCS needs to be informed so that they can take immediate steps.

      As to the one year bit, you are not alone in thinking that one year may be insufficient. And some entities have changed their offer of 1-year to 2 years when enough people protested.
  • 10/7/2008 6:25 PM wcsconcernedparent wrote:
    Think this is the end? Countless times student confidentiality is breached but this is the first time on such a wide scale event. Ask yourself, what happens when records are left open for public view, teachers talk openly about students, or student records leave the building. I've heard administrators talk with other parents about the status of a child that is unrelated to the parent. Is that legal?? So again, do you think this is the first and last time? Not until we let WCS, TN and the US FCC know that this type of sharing of confidential information is not tolerable or defendable will it change.
