Crisfield High School ID cards with Social Security numbers
Technorati Tag: Security Breach
Date Reported:
10/13/08
Organization:
Somerset County Public Schools
Contractor/Consultant/Branch:
Crisfield Academy & High School
Lifetouch, Inc.
Location:
Crisfield, Maryland
Victims:
Students
Number Affected:
"more than 400"
Types of Data:
Names and Social Security numbers
Breach Description:
"WESTOVER, Md. (Map, News) - Somerset County schools superintendent Karen-Lee Brofee says some of the student ID cards issued last week at Crisfield High School mistakenly included the students' Social Security numbers."
Reference URL:
The Daily Times
Examiner.com
Report Credit:
Earl Holland, The Daily Times
Response:
From the online sources cited above:
WESTOVER -- A Somerset County school has recalled hundreds of student identification cards after realizing a breach of highly sensitive information.
Crisfield High School pulled more than 400 IDs citing a situation in which the Social Security numbers of some of students were printed on the cards.
[Evan] Unbelievable.
The cards were originally distributed Oct. 7.
Karen-Lee Brofee, Somerset County schools superintendent, said the incident was a result of an incorrect information file electronically sent to Lifetouch Inc., which manufactures the cards.
[Evan] Human error? Why does the school district need Social Security numbers in the first place? Is there a law or regulation that requires the school to collect sensitive information belonging to its students? Knowing some of our laws and regulations, it would not surprise me. If the high school must collect sensitive information, then all persons granted access to the sensitive information need specialized training on how to use the information as safely as possible. Furthermore, information security awareness programs should be ongoing and indefinite. It’s a bad idea to grant someone privileges to sensitive information and just assume that they know how to use it.
Brofee said Lifetouch has since destroyed the file containing the compromised information.
the situation was isolated to Crisfield High
Not all of the cards had the vital numbers printed on them, but all cards were collected and destroyed anyway
new cards are being manufactured and will be distributed to students on Friday
"It was a human error in one school," Brofee said. "Some of the cards only had five numbers, some had no numbers and some, unfortunately, had the Social Security number printed on them."
[Evan] Can we just rack this up to human error? Is human error just a symptom of a larger issue?
According to Brofee, all students who attend Somerset County schools are assigned identification numbers that are not Social Security numbers.
While Crisfield High quickly resolved the issue with the flawed cards, the incident had parents of the children who attend the school alarmed.
"In this day and age, something like this happening is dumb," said Louis Esposito of Marion Station.
[Evan] Dumb, maybe. Irresponsible, definitely.
Esposito said he learned of the Social Security numbers being printed on the card after his two sons noticed the last four numbers on his youngest son's ID card were similar to his lunch code, which consists of a student's Social Security number.
[Evan] I certainly would not recommend using Social Security numbers as lunch codes. Again, bigger issue?
Esposito said he called both Crisfield High as well Assistant Superintendent Doug Bloodsworth to notify them about about [sic] concerns involving the cards.
In addition to notifying the school, Esposito told Lifetouch about the error and learned the photography company was just as taken aback.
"They were shocked," he said. "They said the numbers were given to them by the school as identification numbers."
Both Esposito and Brofee commended the cooperation with and efforts made by Lifetouch regarding the handling of the situation; the company is to destroy the cards.
Brofee said that precautions have been taken by the school to ensure another incident such as this will not happen again.
[Evan] Like what? I think parents should demand answers. Shouldn't they?
"This was a very serious breach," she said. "We were very grateful that we were alerted immediately about the situation."
Esposito, who as a result of the incident filed for fraud protection for his son, said that the situation was more than just worry for his children.
"My concern was also for the people out there who could've possibly been victims and not know it," he said.
[Evan] Good point. Is the school planning to notify all those affected?
Commentary:
I nitpick a lot. We all should.
Past Breaches:
Unknown
Date Reported:10/13/08
Organization:
Somerset County Public Schools
Contractor/Consultant/Branch:
Crisfield Academy & High School
Lifetouch, Inc.
Location:
Crisfield, Maryland
Victims:
Students
Number Affected:
"more than 400"
Types of Data:
Names and Social Security numbers
Breach Description:
"WESTOVER, Md. (Map, News) - Somerset County schools superintendent Karen-Lee Brofee says some of the student ID cards issued last week at Crisfield High School mistakenly included the students' Social Security numbers."
Reference URL:
The Daily Times
Examiner.com
Report Credit:
Earl Holland, The Daily Times
Response:
From the online sources cited above:
WESTOVER -- A Somerset County school has recalled hundreds of student identification cards after realizing a breach of highly sensitive information.
Crisfield High School pulled more than 400 IDs citing a situation in which the Social Security numbers of some of students were printed on the cards.
[Evan] Unbelievable.
The cards were originally distributed Oct. 7.
Karen-Lee Brofee, Somerset County schools superintendent, said the incident was a result of an incorrect information file electronically sent to Lifetouch Inc., which manufactures the cards.
[Evan] Human error? Why does the school district need Social Security numbers in the first place? Is there a law or regulation that requires the school to collect sensitive information belonging to its students? Knowing some of our laws and regulations, it would not surprise me. If the high school must collect sensitive information, then all persons granted access to the sensitive information need specialized training on how to use the information as safely as possible. Furthermore, information security awareness programs should be ongoing and indefinite. It’s a bad idea to grant someone privileges to sensitive information and just assume that they know how to use it.
Brofee said Lifetouch has since destroyed the file containing the compromised information.
the situation was isolated to Crisfield High
Not all of the cards had the vital numbers printed on them, but all cards were collected and destroyed anyway
new cards are being manufactured and will be distributed to students on Friday
"It was a human error in one school," Brofee said. "Some of the cards only had five numbers, some had no numbers and some, unfortunately, had the Social Security number printed on them."
[Evan] Can we just rack this up to human error? Is human error just a symptom of a larger issue?
According to Brofee, all students who attend Somerset County schools are assigned identification numbers that are not Social Security numbers.
While Crisfield High quickly resolved the issue with the flawed cards, the incident had parents of the children who attend the school alarmed.
"In this day and age, something like this happening is dumb," said Louis Esposito of Marion Station.
[Evan] Dumb, maybe. Irresponsible, definitely.
Esposito said he learned of the Social Security numbers being printed on the card after his two sons noticed the last four numbers on his youngest son's ID card were similar to his lunch code, which consists of a student's Social Security number.
[Evan] I certainly would not recommend using Social Security numbers as lunch codes. Again, bigger issue?
Esposito said he called both Crisfield High as well Assistant Superintendent Doug Bloodsworth to notify them about about [sic] concerns involving the cards.
In addition to notifying the school, Esposito told Lifetouch about the error and learned the photography company was just as taken aback.
"They were shocked," he said. "They said the numbers were given to them by the school as identification numbers."
Both Esposito and Brofee commended the cooperation with and efforts made by Lifetouch regarding the handling of the situation; the company is to destroy the cards.
Brofee said that precautions have been taken by the school to ensure another incident such as this will not happen again.
[Evan] Like what? I think parents should demand answers. Shouldn't they?
"This was a very serious breach," she said. "We were very grateful that we were alerted immediately about the situation."
Esposito, who as a result of the incident filed for fraud protection for his son, said that the situation was more than just worry for his children.
"My concern was also for the people out there who could've possibly been victims and not know it," he said.
[Evan] Good point. Is the school planning to notify all those affected?
Commentary:
I nitpick a lot. We all should.
Past Breaches:
Unknown
Posted by Evan Francen at 10/16/2008 1:08 PM 
Categories: Employee Mistake, Somerset County Public Schools
Categories: Employee Mistake, Somerset County Public Schools
Posts Atom 1.0
Comments