Williamson County Schools learns of breach reported nine months ago

Date Reported:
7/11/08

Organization:
Williamson County Schools

Contractor/Consultant/Branch:
None

Victims:
Students*

*"3,052 ACT students and 2,117 students who took the second grade test were affected", Source: Student Information News Conference Text 7/11/08

Number Affected:
5,169

Types of Data:
Names, testing scores, and Social Security numbers

Breach Description:
"FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidentally posted their personal information online."

Reference URL:
Williamson County Student Information News Conference
News Channel 5
WREG Channel 3 News
WSMV Channel 4 News

Report Credit:
Liberty Coalition

Response:
From the online sources cited above:

FRANKLIN, Tenn.- It now appears a security breach at Williamson County schools was much worse than expected. School officials now say more than 5,000 students may have been affected when a school employee accidentally posted their personal information online.

Now the county could lose some federal funding because of the mistake.
[Evan] Do you really think that this will happen?  If we looked deeper into the way the public school systems handle confidential information, half of the school districts would lose funding.  Williamson County is in good company across the country.

The school district had to notify the Department of Education because this was a federal violation.

Director of Schools Rebecca Sharber is taking on the responsibility of fixing the problem.

"I'm the head of the school system. I'm accountable," said Sharber.
[Evan] What a fantastic statement.  Corporate CEOs, non-profit executive directors, etc. ARE ultimately responsible for the protection of information.  Ms. Sharber just earned my respect.

"It certainly is distressing to me that information was ever out there," said Sharber.

According to school officials, former assessment specialist Chris Nugent is responsible for the computer mix-up.

He resigned Friday.

"Mr. Nugent has resigned his position as Assessment Specialist, effective immediately."

It was August last year when Nugent mistakenly loaded the info on a personal web page, but he never alerted the district.

They only found out a couple of weeks ago.

"A principal who had been contacted by a parent brought this to our attention on June 26th."

"The information given to us indicated that our assessment specialist, Chris Nugent, was involved. This was the first we had heard of this situation."

"We began our investigation immediately asking Mr. Nugent to gather all data that could possibly be associated with this situation."

"We thought at that time he would be able to supply the names of students possibly involved in the most timely manner."

"When Mr. Nugent was unable to get that information for us, our attorney Jason Golden contacted the Liberty Coalition, the organization that had posted the Internet report presented to us by the principal."
[Evan] The Liberty Coalition posted the information surrounding the breach in October, 2007, many months before the victims were ever made aware.

"Yesterday afternoon, the Liberty Coalition was able to provide the names of the students affected."

"Our investigation indicates that the student information was posted on a private website created by Mr. Nugent sometime during the month of August, 2007."

"On August 28, 2007, the Liberty Coalition notified Mr. Nugent that private student information was on his web site."

"On August 29, 2007, the web site was shut down."

"Mr. Nugent did not notify school authorities."

"Our investigation has established that Mr. Nugent had confidential student files on the same thumb-drive with his personal files."

"We believe that when Mr. Nugent uploaded his personal files to a web site he created, he inadvertently uploaded our student files."

Sharber said the first step will be to look at revising policies on student information.

They will also pay for fraud alerts for the students.

It could cost the district hundreds of thousands of dollars to pay for those fraud alerts.

"I would say to other school districts they need to really, really check their policies and procedures on how student data is being used," said Sharber.
[Evan] Again, did I mention that I respect Ms. Sharber?  This statement is very good advice.

More than 5,000 students had their security information posted.

Most of those are high school students who took the ACT in the 2006-2007 school year, and second graders who took the TCAP the same year.

"We have learned that most students who took the second grade TCAP achievement test and most students who took the ACT test during the 2006-07 school year had social security numbers on a private website during August of 2007."
[Evan] Is there some kind of legal requirement that states that a Social Security number must be tied to test scores, or was this just poor judgment?  Are/were Social Security numbers used as student IDs at the district?

"Our review of the records shows that 3,052 ACT students and 2,117 students who took the second grade test were affected."

The information was on the internet for about a month.

"I want to thank the parents of Williamson County Schools for their patience and understanding and the positive suggestions they have shared as we have conducted our investigation and gone public with this information," said Sharber.
[Evan] The Liberty Coalition went public with this breach in October, 2007.  I appreciate the motives of the Liberty Coalition, but I am not pleased with the way they report breaches.  I'll elaborate below in the commentary section.

"I understand the anxiety that our parents are experiencing," said Sharber.

"On Monday, we will be calling all parents of students whose social security numbers were exposed to let them know their child was affected, and we will follow up that phone call with a letter."

"We are working to locate a security company, and at our expense, we will cover the cost of fraud protection for the students affected."
[Evan] I hope that the school locates a good "security company".  Of course FRSecure would be glad to help.  I promise to keep the plugs to a minimum.

Commentary:
OK.  We all know that a breach affecting kids is especially bad.  We all know that we are all human and all humans make mistakes.  I presume that there are a number of risky information security behaviors at Williamson County Schools.  This risky behavior just so happened to expose personal information online.  What other risky behaviors will be addressed at the school district?

Now about the Liberty Coalition's role.  I appreciate the motives of Aaron Titus and the Liberty Coalition.  He maintains the SSNBreach.org web site where he publicizes information security breaches that his organization finds (or is informed about).  My attention was first drawn to Aaron Titus in August 2007, when he reported the Louisiana Board of Regents breach affecting ~200,000 people.  What drew my attention to his report was not the breach itself, but the way in which he proceeded to report it.  Lyger at Attrition.org covers it well here.

In this case, the Liberty Coalition publicly posted this breach in October, 2007, which is more than 9 months before the victims were ever made aware!  According to the Liberty Coalition press release: "We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals."  It would have been nice if the victims were notified prior to a public press release.  I wonder why Mr. Nugent's relationship with the school district wasn't known earlier.  I don't have the details that the Liberty Coalition does surrounding this breach, so I can only speculate.

Because some breaches are reported on SSNBreach.org prior to notification (in this case nine months), I chose to generally not report them here at The Breach Blog.

Past Breaches:
Unknown

 
