Prince William County Public School information exposed through peer-to-peer network

Date Reported:
8/26/08

Organization:
Prince William County Public Schools (PWCS)

Contractor/Consultant/Branch:
Porter Traditional School
Montclair Elementary School

Victims:
"students who attend, have attended, or have applied to Porter Traditional School since its opening in 2004; a small number of students who attended Montclair Elementary School for several years prior to the 2004-05 school year; a limited number of parent volunteers at Porter Traditional School, and a select number of School Division employees"

Number Affected:
"more than 2,600"

Types of Data:
names, addresses, email addresses, student identification numbers, Social Security numbers and other confidential information

Breach Description:
"Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer."

Reference URL:
PWCS News Release
ABC Channel 7 News
The Examiner
NBC Channel 4 News

Report Credit:
Prince William County Public Schools

Response:
From the online sources cited above:

Prince William County Public Schools (PWCS) recently learned that certain personal information relating to a small group of students, staff, and volunteers was inadvertently exposed to the public through the Internet for a period of approximately five weeks this summer.

The data, which do not appear to have been compromised, were immediately secured and a number of steps have been taken to address the matter, including the creation of a special telephone "hotline" and paying for individuals’ credit protection.
[Evan] As you will read later, the information was exposed via a peer-to-peer network application.  LimeWire, KaZaA, Napster, Gnutella, etc. are examples of peer-to-peer network applications.  These applications are typically used to share music, pictures and other files with hundreds and thousands of other application users around the world.  I don't know how you would be able to determine whether or not the information was compromised with any certainty.

The exposed student information was limited to students who attend, have attended, or have applied to Porter Traditional School since its opening in 2004; a small number of students who attended Montclair Elementary School for several years prior to the 2004-05 school year; a limited number of parent volunteers at Porter Traditional School, and a select number of School Division employees.

Each individual (or the parent/guardian) has been contacted directly.
[Evan] By phone or letter?  Either way, this would take a pretty significant effort!

An investigation conducted by PWCS has revealed that the student data included names, addresses, and/or student identification numbers for 1625 students associated with Porter Traditional School and Montclair Elementary School. The names and social security numbers of 65 employees were exposed, as well as other confidential information for 257 Division employees.

The names, addresses, and email addresses of 736 volunteers at Porter Traditional School were also exposed.

Immediately upon learning of the exposure of confidential School Division data, PWCS secured the information and commenced an investigation to determine the scope and duration of this exposure.

It was determined that a school-based employee, while working on school business from home on a personal computer, inadvertently exposed certain PWCS information to the public through a file-sharing program.
[Evan] It is generally not wise to allow access to sensitive school information from a home computer.  Home personal computers are too hard to secure and are often outside of organization control.  If the school requires work from home, it is a better idea to issue secure (encrypted, patched, firewalled, non-admin, etc.) laptops.  Then train employees to access sensitive information through a VPN on a secure server and only to store information on the laptop if absolutely necessary.  Home personal computers are often shared by more than one member of the family which increases the risk considerably.
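A defender's check suggested by the incident above, added here as an example (it is not from the original post or from PWCS): a small audit that walks the folders a file-sharing client exposes and flags files containing SSN-shaped or e-mail-shaped strings, so an overshared records file is caught before a stranger's client downloads it. The shared-folder path, the sample files and the record layout are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed patterns for the kinds of data named in the news release.
# The SSN pattern rejects area 000/666/9xx, group 00 and serial 0000.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def scan_file(path):
    """Return {pattern_name: match_count} for patterns found in a text file."""
    hits = {}
    try:
        with open(path, "r", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return hits  # unreadable file: nothing to report
    for name, rx in PATTERNS.items():
        count = len(rx.findall(text))
        if count:
            hits[name] = count
    return hits


def audit_shared_folders(folders):
    """Walk each folder a P2P client shares; return [(path, hits)] for flagged files."""
    flagged = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for root, _dirs, files in os.walk(folder):
            for name in files:
                path = os.path.join(root, name)
                hits = scan_file(path)
                if hits:
                    flagged.append((path, hits))
    return flagged


def demo():
    """Build a constructed shared folder: one harmless playlist, one records export."""
    shared = tempfile.mkdtemp(prefix="shared_")
    with open(os.path.join(shared, "playlist.m3u"), "w") as fh:
        fh.write("song1.mp3\nsong2.mp3\n")
    with open(os.path.join(shared, "volunteers.csv"), "w") as fh:
        fh.write("name,email,ssn\nJane Doe,jane@example.org,123-45-6789\n")
    return audit_shared_folders([shared])
```

Point the folder list at the client's real shared directories (or at any directory a home PC syncs or shares) and schedule the run; a non-empty result is the signal to pull the file and notify whoever owns the data.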

The lapse was "completely inadvertent," said spokesman Ken Blackstone.

"If somebody else had the file-sharing software and had a connection to this person," they might have accessed the information, he said. "It wasn’t like it was on a Web site."
[Evan]  According to Download.com, LimeWire has been downloaded over 158,000,000 times.  If this was the application used, don't you think that there is a pretty good chance that "somebody else has the file-sharing software"?  Mr. Blackstone should learn how these programs work.  Connecting to this person is trivial.

The information was discovered by an outside "good Samaritan" security specialist, who notified the schools, Blackstone said.
[Evan] I wonder if this is my friend Rian Wroblewski at RedTeam Protection.  I'll have to send him an email to ask.

"Of course, when you’re dealing with technology, which changes constantly, you certainly try to not leave any stone unturned," he said. "This has nothing to do with the school district’s network or network infrastructure. It was outside the realm of our network."
[Evan] I think Mr. Blackstone should learn a little about information security too.  Information security is not a network or network infrastructure issue. It is much, much more than that.

To date, the School Division’s investigation has produced no evidence that this information was compromised during this period.

The School Division has contacted all appropriate authorities and credit monitoring companies, and will also provide a credit monitoring service at no charge to the employees whose social security numbers were exposed.

In addition, PWCS is currently reviewing its policy and Internet practices to determine whether there are other measures which can be taken to protect the confidentiality of School Division information.
[Evan] Good.  This should be done continually as a part of information security management.

"We take this situation very seriously and we are very sorry this happened," said Ms. Rae E. Darlington, deputy superintendent.

All Prince William County Public Schools employees are required to comply with the Division’s Acceptable Use and Internet Safety Policy (Regulation 295-1), which, if followed, would have prevented this incident from occurring.
[Evan] Were the employees trained on this policy, or was it handed to them as part of some employment packet?  Many organizations just print the policy out for employees and tell them that they need to sign a "read and understand" form.  This is lazy.  Have you read your information security policies?  How many of your employees do you think have?  If you are an information security professional, then you probably have read your policies, but most other employees never do.

In addition to the letter sent to each person directly affected by this incident, PWCS is asking the media for assistance with notifying the public.

Information is also posted to the PWCS Web site - pwcs.edu - and television station - PWCS-TV - on Comcast channel 18 and Verizon FIOS channel 36.

For obvious reasons, PWCS is not publicizing the exact information exposed in order to protect each individual’s privacy.

Should any of these individuals have questions regarding the specific nature of any exposed information relating to them, they are asked to contact the special PWCS call center using the telephone "hotline" that has been set up to answer questions from those employees, parents, and volunteers who have received a letter.

They can call from 9 a.m. to 3:30 p.m. on Monday through Friday, or email their questions to .

Commentary:
The news release from PWCS is very informative.  It seems like they permit some not so good information security practices.  They are not alone.

Past Breaches:
Unknown
