Seattle Public Schools inadvertently releases personal information
Technorati Tag: Security Breach
Date Reported:
11/01/08
Organization:
Seattle Public Schools
Contractor/Consultant/Branch:
International Union of Operating Engineers Local 609
Location:
Seattle, Washington
Victims:
District employees
Number Affected:
"up to 5,000"
Types of Data:
"personal information, including Social Security numbers"
Breach Description:
"The Seattle School District has offered to foot the bill for identity-theft protection for up to 5,000 district employees after the district acknowledged personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers."
Reference URL:
The Seattle Times
Report Credit:
Charles E. Brown, The Seattle Times
Response:
From the online source cited above:
The Seattle School District has offered to foot the bill for identity-theft protection for up to 5,000 district employees after the district acknowledged personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers.
The district acknowledged the error in a letter sent this week to district employees.
[Evan] The "this week" being referred to is the last week in October. Remember this as you read on.
"It is an unfortunate incident that occurred," said district spokesman David Tucker.
Included were about 700 members of International Union of Operating Engineers Local 609, which represents custodial, nutritional services, security- and alarm-monitoring workers.
Union officials said, and certified in writing, that personal information received from the district had been destroyed.
[Evan] For some reason, a statement like this makes me feel uneasy. I can't put a finger on it. So the information is "destroyed" then. When? By whom? How?
"We believe they are abiding by their declaration," Tucker said.
Tucker said the district released the information in an e-mail in February, after the union requested medical-benefit information.
[Evan] This is where I want to refer back to the announcement timing; the last week in October. Why the long time between? February to October is eight months. This time should be accounted for.
Included was salary information, home addresses and other data that should not have been released, said the letter to employees, signed by Brent Jones, the district's executive director of human resources.
As a public agency, the district is required to release certain information to union associations, when requested.
But Social Security numbers and home addresses for employees not represented by Local 609 should not have been disclosed to the union.
"Seattle Public Schools takes the protection of personal employee information very seriously," Jones' letter said.
[Evan] Yeah, everybody says this don't they?
Tucker said he had received no reports of improper use of the disclosed information. "We have no reason to believe that Social Security numbers at any time have been inappropriately used," he said.
"Any time an employer releases personal information like that, it's very significant," said David Westberg, Local 609's business manager. "It should never have happened."
Westberg said only two officials in the union office had access to the files before they were destroyed.
The district said the identity-theft protection program, monitoring credit information with a credit reporting agency, would be available free to employees who request it for up to a year.
Commentary:
I am wondering how the information was sent to the union. I assume it was sent via email. If this holds true, then I question whether or not sending confidential information through email is an accepted practice at the school district. This would not be a recommended or secure method of data transfer.
Past Breaches:
Unknown
Date Reported:11/01/08
Organization:
Seattle Public Schools
Contractor/Consultant/Branch:
International Union of Operating Engineers Local 609
Location:
Seattle, Washington
Victims:
District employees
Number Affected:
"up to 5,000"
Types of Data:
"personal information, including Social Security numbers"
Breach Description:
"The Seattle School District has offered to foot the bill for identity-theft protection for up to 5,000 district employees after the district acknowledged personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers."
Reference URL:
The Seattle Times
Report Credit:
Charles E. Brown, The Seattle Times
Response:
From the online source cited above:
The Seattle School District has offered to foot the bill for identity-theft protection for up to 5,000 district employees after the district acknowledged personal information, including Social Security numbers, was inadvertently released to a local union representing some district workers.
The district acknowledged the error in a letter sent this week to district employees.
[Evan] The "this week" being referred to is the last week in October. Remember this as you read on.
"It is an unfortunate incident that occurred," said district spokesman David Tucker.
Included were about 700 members of International Union of Operating Engineers Local 609, which represents custodial, nutritional services, security- and alarm-monitoring workers.
Union officials said, and certified in writing, that personal information received from the district had been destroyed.
[Evan] For some reason, a statement like this makes me feel uneasy. I can't put a finger on it. So the information is "destroyed" then. When? By whom? How?
"We believe they are abiding by their declaration," Tucker said.
Tucker said the district released the information in an e-mail in February, after the union requested medical-benefit information.
[Evan] This is where I want to refer back to the announcement timing; the last week in October. Why the long time between? February to October is eight months. This time should be accounted for.
Included was salary information, home addresses and other data that should not have been released, said the letter to employees, signed by Brent Jones, the district's executive director of human resources.
As a public agency, the district is required to release certain information to union associations, when requested.
But Social Security numbers and home addresses for employees not represented by Local 609 should not have been disclosed to the union.
"Seattle Public Schools takes the protection of personal employee information very seriously," Jones' letter said.
[Evan] Yeah, everybody says this don't they?
Tucker said he had received no reports of improper use of the disclosed information. "We have no reason to believe that Social Security numbers at any time have been inappropriately used," he said.
"Any time an employer releases personal information like that, it's very significant," said David Westberg, Local 609's business manager. "It should never have happened."
Westberg said only two officials in the union office had access to the files before they were destroyed.
The district said the identity-theft protection program, monitoring credit information with a credit reporting agency, would be available free to employees who request it for up to a year.
Commentary:
I am wondering how the information was sent to the union. I assume it was sent via email. If this holds true, then I question whether or not sending confidential information through email is an accepted practice at the school district. This would not be a recommended or secure method of data transfer.
Past Breaches:
Unknown
Posts Atom 1.0
Comments