Stolen Reynoldsburg City Schools laptop affects students
Technorati Tag: Security Breach
Date Reported:
8/28/08
Organization:
Contractor/Consultant/Branch:
None
Victims:
Students
Number Affected:
4,259
Types of Data:
"names, addresses, phone numbers and Social Security numbers"
Breach Description:
"REYNOLDSBURG, Ohio — A laptop containing the personal information of at least 4,000 students was stolen late last week, according to a Reynoldsburg City School district spokeswoman."
Reference URL:
Report Credit:
Reynoldsburg City Schools
Response:
From the online sources cited above:
REYNOLDSBURG, Ohio — A laptop containing the personal information of at least 4,000 students was stolen late last week, according to a Reynoldsburg City School district spokeswoman.
[Evan] I dream of the day that we no longer read about stolen unencrypted laptops that store sensitive information. Pipe dream?
A laptop computer that contained the names, addresses, phone numbers and Social Security numbers of 4,259 district students was stolen over the weekend
About 6,300 students attend classes in the Reynoldsburg City School District.
The employee, who has been placed on paid administrative leave, said the laptop was stolen from his car while he attended a wedding.
[Evan] Obviously not a good place to keep a laptop, especially this laptop.
District officials said the employee was using the laptop to collect data for the district's lunch program
He completed that work last week but didn't delete the information from the laptop
[Evan] Some people would probably question why this information was allowed on the laptop in the first place.
The employee informed administrators that files on the laptop contained students' personal information, including Social Security numbers.
the employee should have deleted the database before taking the laptop off district property
That was where the misjudgements [sic] were made: 1. Not deleting the database. 2. Leaving the laptop in the back seat of a car, Hoffman said. (Reynoldsburg City Schools Assistant Superintendent Dan Hoffman)
[Evan] Don't forget about the misjudgments made by the school district, poor laptop security and access control. We (information security personnel) cannot expect employees to always comply with policy and good judgment. We can try to improve employee compliance with training and awareness, but this is not foolproof.
"As a district, we're assuming the responsibility for this loss," Hoffman said, "although we think there was poor judgment used by the employee in leaving the laptop in the car."
[Evan] I hope that this isn't an attempt by the school district to pass the buck. I am sure that there are things that the school district could have (should have) done to prevent this breach.
Affected students are in first through 12th grade.
On Thursday, the district stuffed envelopes with letters that explained the situation.
The letters were being mailed to parents on Friday.
The district said parents would also receive automated phone calls from a call system.
Security experts told 10TV News that it can be difficult to track fraud when it comes to young victims because they do not have credit. Still, they said parents should not panic.
[Evan] It is never a good idea to panic. If I were a parent, I would demand answers and accountability (not just the employee).
"I would say don't panic and to gather information," said Kathy Virgallito with Consumer Credit Counseling Service. "Work with the school and the officials there to identify exactly what happened (and) what the scope of the situation is and to see what kind of plan the school will put together to assist those families"
[Evan] Sound advice, but I don't know if I would call Consumer Credit Counseling Service "Security experts".
"We recognize it's really a district-wide responsibility to protect this sort of data. We really regret we were not able to do that," Hoffman said.
Officials said they were already in the process of deleting students' Socials security numbers, and within two weeks the numbers will be eliminated from the system.
[Evan] Excellent!
Reynoldsburg officials are considering policies, such as requiring staff members to take more care with district property, to prevent similar events.
[Evan] Policy don't mean squat if employees are not properly trained and the policy isn't enforced.
Reynoldsburg City Schools plans to offer credit monitoring services to affected families, and will contact them as soon as more information becomes available.
The district plans to ask an outside agency to review data handling practices and procedures district-wide and to make recommendations for improvement.
[Evan] Great! I hope they choose the "outside agency" wisely.
Columbus police were investigating the laptop theft.
Any further questions may be directed to the district offices at 501-1020.
Commentary:
It really stinks when kids are affected by a breach caused by poorly informed and poorly (security) educated adults. Once a Social Security number is exposed, how do you ever un-expose it?
Past Breaches:
Unknown
Posts Atom 1.0
Comments