School principal loses disk containing sensitive student information
Technorati Tag: Security Breach
Date Reported:
11/21/08
Organization:
Jackson-Madison County School System
Contractor/Consultant/Branch:
East Intermediate School
Location:
Jackson, Tennessee
Victims:
Students
Number Affected:
"more than 200"
Types of Data:
"Social Security numbers and test scores"
Breach Description:
"The Jackson-Madison County school system has hired National ID Recovery to monitor the personal information of more than 200 East Intermediate students after a computer disk containing Social Security numbers and test scores was stolen from the principal's car."
Reference URL:
The Jackson Sun
Associated Press via Knoxville News Sentinel
Report Credit:
Tajuana Cheshier, The Jackson Sun
Response:
From the online sources cited above:
The Jackson-Madison County school system has hired National ID Recovery to monitor the personal information of more than 200 East Intermediate students after a computer disk containing Social Security numbers and test scores was stolen from the principal's car.
[Evan] A principal is a leader in his/her school and is expected to lead by example.
Superintendent Nancy Zambito said it will cost the system more than $3,000 for one year of the monitoring service.
[Evan] $3,000 seems pretty insignificant in the big picture. One year of credit monitoring seems almost useless in the protection of a child's credit. After a year, then what? Is a Social Security number only good for a year, then expires? Nope.
Zambito said there is no evidence that any of the information on the disk has been used.
"We will do anything to make sure the families feel safe," Zambito said.
Zambito said East Intermediate Principal Bill Walker will face "significant disciplinary actions" for not securing the computer disk.
[Evan] I wonder what the school system's information security policy and procedures dictate for the protection of sensitive information. I also wonder how well the policy and procedures are communicated to staff. Did Mr. Walker think twice before carrying the disk off-site?
Walker is in his first year as principal of the school.
He started at East Intermediate as interim principal in January and was named principal in July.
[Evan] Not a good way to start a job.
"The disk was taken out of my car in a briefcase, and I'm extremely sorry that this has happened," Walker said.
"I wish as much effort has been made to promote that East Intermediate has made adequate yearly progress and good report card grades. This is a great school, and I'm honored to be here. I hate, if anything, that this takes away from what we're doing here, which is educate children."
[Evan] Obviously this is important, but this case shows how one incident has the potential to detract from positive accomplishments and progress.
Walker said it was last year's sixth-grade students who could be affected.
A letter was sent home with students, and a letter was mailed to parents from the school Thursday.
According to the letter, National Recovery will place a fraud alert at the three credit reporting agencies to determine if a credit file exists in a child's name, and it will give parents an immediate report.
If a credit file exists, a copy of the report will be ordered and reviewed to determine if any fraud is present.
The agency will research, make phone calls and make all efforts to clear the child's name, the letter said.
Monitoring will end Nov. 21, 2009.
[Evan] Again, then what? We can't make the information secret again (supposing it was to begin with).
Commentary:
It may be likely that the information on this disk will never be used to commit fraud or identity theft. The issue is that risk has been increased and it has been increased unnecessarily. One year of credit monitoring is better than nothing, but not by much. What will the school system do in order to reduce the risk of a similar breach occurring in the future?
Preacher warning!
Wouldn't it be nice if there was some kind of information security magic pill? Some kind of super-effective, all-inclusive, easy to use tool? That would be cool, but it ain't reality. Reality is that there are no shortcuts or magic pills or all-inclusive tools. Reality is that effective information security requires specialization, planning, education, work, and integration with all facets of business.
If you want simple, try this. The math is simple. More shortcuts = more risk = more impactful breaches = more lost dollars. Doesn't seem like a good way to run a business.
Past Breaches:
Unknown

11/21/08
Organization:
Jackson-Madison County School System
Contractor/Consultant/Branch:
East Intermediate School
Location:
Jackson, Tennessee
Victims:
Students
Number Affected:
"more than 200"
Types of Data:
"Social Security numbers and test scores"
Breach Description:
"The Jackson-Madison County school system has hired National ID Recovery to monitor the personal information of more than 200 East Intermediate students after a computer disk containing Social Security numbers and test scores was stolen from the principal's car."
Reference URL:
The Jackson Sun
Associated Press via Knoxville News Sentinel
Report Credit:
Tajuana Cheshier, The Jackson Sun
Response:
From the online sources cited above:
The Jackson-Madison County school system has hired National ID Recovery to monitor the personal information of more than 200 East Intermediate students after a computer disk containing Social Security numbers and test scores was stolen from the principal's car.
[Evan] A principal is a leader in his/her school and is expected to lead by example.
Superintendent Nancy Zambito said it will cost the system more than $3,000 for one year of the monitoring service.
[Evan] $3,000 seems pretty insignificant in the big picture. One year of credit monitoring seems almost useless in the protection of a child's credit. After a year, then what? Is a Social Security number only good for a year, then expires? Nope.
Zambito said there is no evidence that any of the information on the disk has been used.
"We will do anything to make sure the families feel safe," Zambito said.
Zambito said East Intermediate Principal Bill Walker will face "significant disciplinary actions" for not securing the computer disk.
[Evan] I wonder what the school system's information security policy and procedures dictate for the protection of sensitive information. I also wonder how well the policy and procedures are communicated to staff. Did Mr. Walker think twice before carrying the disk off-site?
Walker is in his first year as principal of the school.
He started at East Intermediate as interim principal in January and was named principal in July.
[Evan] Not a good way to start a job.
"The disk was taken out of my car in a briefcase, and I'm extremely sorry that this has happened," Walker said.
"I wish as much effort has been made to promote that East Intermediate has made adequate yearly progress and good report card grades. This is a great school, and I'm honored to be here. I hate, if anything, that this takes away from what we're doing here, which is educate children."
[Evan] Obviously this is important, but this case shows how one incident has the potential to detract from positive accomplishments and progress.
Walker said it was last year's sixth-grade students who could be affected.
A letter was sent home with students, and a letter was mailed to parents from the school Thursday.
According to the letter, National Recovery will place a fraud alert at the three credit reporting agencies to determine if a credit file exists in a child's name, and it will give parents an immediate report.
If a credit file exists, a copy of the report will be ordered and reviewed to determine if any fraud is present.
The agency will research, make phone calls and make all efforts to clear the child's name, the letter said.
Monitoring will end Nov. 21, 2009.
[Evan] Again, then what? We can't make the information secret again (supposing it was to begin with).
Commentary:
It may be likely that the information on this disk will never be used to commit fraud or identity theft. The issue is that risk has been increased and it has been increased unnecessarily. One year of credit monitoring is better than nothing, but not by much. What will the school system do in order to reduce the risk of a similar breach occurring in the future?
Preacher warning!
Wouldn't it be nice if there was some kind of information security magic pill? Some kind of super-effective, all-inclusive, easy to use tool? That would be cool, but it ain't reality. Reality is that there are no shortcuts or magic pills or all-inclusive tools. Reality is that effective information security requires specialization, planning, education, work, and integration with all facets of business.
If you want simple, try this. The math is simple. More shortcuts = more risk = more impactful breaches = more lost dollars. Doesn't seem like a good way to run a business.
Past Breaches:
Unknown
Comments