Virginia Beach City Public Schools notifies parents of breach
|
Date Reported:
6/17/10
Organization:
Virginia Beach City Public Schools
Contractor/Consultant/Branch:
Ocean Lakes High School
Location:
Victims:
Virginia Beach City Public Schools students
Number Affected:
"about 16,000 students attending 22 schools"
Types of Data:
"names, addresses and Social Security numbers"
Breach Description:
"A student gained access to a computer file last month containing names, addresses and Social Security numbers of about 16,000 students attending 22 Beach schools, administrators said Thursday."
Reference URL:
The Virginian-Pilot
WVEC Channel 13 News
Virginia Beach City Public Schools "Important Information About Computer Security and Student Data"
Virginia Beach City Public Schools breach notification letter
Report Credit:
Lauren Roth, The Virginian-Pilot
Response:
From the online sources cited above:
VIRGINIA BEACH -- An Ocean Lakes High School student had access to confidential student data at 22 Virginia Beach Public Schools, according to police and school officials.
Data included names, birthdays, identification numbers and Social Security numbers.
The student, who neither police nor school officials would identify, had access to the information May 6 in the library of Ocean Lakes High School.
[Evan] I am wondering why library computers are not segmented and isolated from systems containing sensitive (confidential) information. Poor design.
While he had access to files at 22 schools, officials do not know which files he actually opened or why he was trying to access them.
He tried to print some of it, according to Virginia Beach Public Schools Chief Information Officer Ramesh Kapoor.
An "incorrect security setting" on temporary files left the student profles vulnerable, Kapoor said.
[Evan] Due to the fact that we (information security professionals) know that mistakes will occur, we build redundancy into our protections (defense-in-depth). A single "incorrect security setting" can lead to a significant breach, but should it?
"This was not a hacking," Kapoor stressed.
Chief Information Officer Ramesh Kapoor said the security setting on the data file was changed immediately on May 6, but it was unknown how long it had been accessible.
As a result, police do not plan to charge the juvenile with a felony, though misdemeanor charges are possible, police spokesman MPO Adam Bernstein said.
The school system mailed a letter today to parents at the 22 schools -- about a quarter of the city's schools -- advising of the breach and providing phone numbers to initiate a fraud alert on their children's credit report, if they feel the need.
[Evan] Holy cow, this is a big school district!
The incorrect security setting in the computer servers was immediately fixed, Kapoor said.
Kapoor said there is no problem with the system, just a human error on one setting.
[Evan] No offense to Mr. Kapoor, but this is why CIOs often don't make good information security professionals (e.g. CSOs). What is this "one setting" anyway? Is it file permissions? Seems like it.
"We take security very seriously," he said. "We constantly review and upgrade security."
[Evan] If I had a dollar for every time I had heard this, I would be a rich man. Who would admit to the opposite?
The Va. Beach School System posted a list of the schools on its Website, along with the letter that was sent.
Jimmie Baker, who has four children at Thalia Elementary, said he's surprised the schools didn't have adequate protections to prevent such access. Thalia is one of the affected schools.
Baker said this incident won't shake his faith in the school administration. "I don't think any of them would put the kids or kids' family in jeopardy."
[Evan] I agree that the school administration did not willfully "put the kids or kids' family in jeopardy", but they did put them in a situation where they are at an increased risk (amount debatable) of harm.
Bill Brunke, a School Board member whose older daughter attends Ocean Lakes High, said he is more concerned about data security than about someone being harmed.
Commentary:
We (FRSecure) regularly get calls for assistance from schools (secondary and post-secondary). Most of the time we get called in response to a computer misuse incident and/or breach. A vast majority of the breaches could have been avoided if just a few precautionary steps would have been taken beforehand. In this case, a student used a library computer at one of the schools to gain access to the school district's sensitive information systems, due to an "incorrect security setting." Does anyone see a problem with this?
Library computers are not your typical computer systems. They should be viewed as semi-public systems; meaning that they are used by more than one person in a loosely controlled environment. They are not too unlike a kiosk system, and there is often little supervision of the user.
What are these computers meant for? Once this is determined (and documented), restrict access to only what is needed. Most library computer systems are used for research and only require Internet access. There is no legitimate reason that I can think of, given my limited knowledge of this specific situation, where a library system should have any access to back-end support systems. I would even suggest that they not be on the same network.
The problems appear to extend beyond one "incorrect security setting". The "incorrect security setting" and breach are only symptoms.
Past Breaches:
Unknown
Posted by Evan Francen at 6/18/2010 10:01 AM 
Categories: Virginia Beach City Public Schools, Poor Design, Ocean Lakes High School
Categories: Virginia Beach City Public Schools, Poor Design, Ocean Lakes High School
Posts Atom 1.0
It's great to see you back commenting on breaches, Evan!
Take another look at the district's letter. They tell the parents that a student engaged in unauthorized access, but nowhere do they admit or acknowledge that it was an error on their part that permitted the student to access the records. Talk about pointing fingers....
Reply to this
Hey Dissent! It's nice to be doing my small part.
I agree with you. We shouldn't be, and we aren't surprised. Hope to hear more from you in the future!
Reply to this