Source: http://breachblog.com/2008/05/18/dasd.aspx
15-year-old "hacks" Downingtown Area School District
2008-05-18 21:54:02 by Evan Francen in The Breach Blog
 
Date Reported:
5/16/08

Organization:
Downingtown Area School District

Contractor/Consultant/Branch:
None

Victims:
Staff members and county taxpayers

Number Affected:
"71 teachers" and "several thousand tax payers"

Types of Data:
W-2 forms, Social Security numbers, and home addresses

Breach Description:
"DOWNINGTOWN, Pa. (CBS 3) - Authorities are investigating the theft of personal information from a computer in a Chester County school district.  Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9."

Reference URL:
CBS Channel 3 News
The Philadelphia Inquirer

Report Credit:
CBS Channel 3 News

Response:
From the online sources cited above:

DOWNINGTOWN, Pa. (CBS 3) - Authorities are investigating the theft of personal information from a computer in a Chester County school district.

Downingtown Area School District officials said that a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9.
[Evan] I hope school district officials are embarrassed.  Do you think that this kid used exceptional skill?  I would guess that the school information was a pretty easy target.

Numerous files containing the personal information of 70 staff members and several thousand tax payers were apparently copied and distributed to other students.
[Evan] The information was "distributed to other students"?  Ouch.  Why does the school possess personal information belonging to several thousand tax payers?

The files apparently contained salary information and social security numbers.

Police said the students involved in the incident have been identified and the data was safely recovered.
[Evan] Were all copies of the data safely recovered?  How would you be certain?  Once information has been compromised, how do you un-compromise it?  I don't think you can.

The district is working to determine how far the breach reached and secure their network from future abuse.
[Evan] People like to put information security into a nice little package.  You can't.  It's more than that, and the solutions to the school district's information security problems are more than determining the extent of this breach and securing their network.

Officials believe the student was just attempting to see if he could infiltrate the network, not identity theft.
[Evan] This may or may not be true, but what about the other students that received copies?

As a precaution, all staff members were notified of the incident and told to check their personal data.

"We are still early in the investigation and cannot provide further details," Lt. Steven J. Plaugher of the Downingtown Police Department said in a statement last night. "No arrests have been made at this time."

"We just determined a week ago what happened," said Patricia McGlone, spokeswoman for the district. "The school board will go forward with a disciplinary hearing, which will be separate from the police investigation."

It is unclear if the student will face charges.

The incident marks the second time private information has been obtained by a student at the school. Officials said a student was charged after hacking the system in December 2007.
[Evan] This should be a sign, eh?  Two incidents in six months.  Do you suppose the district determined "how far the breach reached and secure their network from future abuse" in that case too?

Commentary:
This breach reminds me of the "Students breach Williamsville Central School District security" posting we made on April 15th.  I think these two cases are very similar.  School districts across the country seem to collect and poorly protect unnecessary personal information.

Past Breaches:
Unknown


 
 
 
 
 
 