Jun 26, 2014

The University of California, Washington Center (UCDC) recently notified alumni of a breach involving their course pre-enrollment system. As a result of the June 7 attack on UCDC’s cloud-based provider, GoSignMeUp.com, alumni’s usernames, postal and email addresses, passwords, gender, date of birth, and courses taken were accessed.

The breach was discovered on June 9.

The school advised those affected to change their passwords, and said it was working with the provider to enhance security for user data.

DataBreaches.net e-mailed UCDC to inquire how the compromise of GoSignMeUp occurred and how many alumni were affected, but has not yet received any response.

DataBreaches.net also reached out to GoSignMeUp.com to inquire whether other clients were also affected or if the attack was confined to UCDC user data. They have not yet responded to the inquiry, either.

A copy of UCDC’s notification to the California Attorney General’s Office is available here (pdf).

This post will be updated if and when more information is available.

Jun 24, 2014

The Summit Daily reports:

Last week Summit School District officials discovered a security issue that made some student and parent information available online.


The information the parent found came from an internal student data file the district used for automated calls to parents about their children’s negative food account balances.

The file contained the following information for all of the district’s roughly 3,200 students: student first and last name, grade level, school identification number, assigned PowerSchool number, current food service balance, phone number and the personal email address of the guardian.

Read more on Summit Daily.

Jun 24, 2014

Susan Spencer reports:

Parents whose children received services in Uxbridge public schools that were partially covered by the state Medicaid program are being encouraged to request a security freeze on their children’s credit reports after a laptop containing personal information was stolen from a Medicaid vendor’s vehicle.

Kevin M. Carney, superintendent of schools, sent a cover letter to affected families Monday with information from the vendor, Multi-State Billing Services of Somersworth, N.H., on how the breach occurred and what should be done to protect children from identity theft.

The Medicaid data records included information on students throughout the school system, from kindergarten through 12th grade.

Thomas Champion, a spokesman for Multi-State Billing Services, said, “The likelihood of exposure appears at this moment to be quite low.”

Nineteen school districts in Massachusetts and one in Vermont were affected, Mr. Champion said.

The affected districts in Central Massachusetts, besides Uxbridge, are Ashburnham-Westminster Regional, Milford, Northboro, Northboro-Southboro Regional, Southboro and Sutton.

Mr. Carney said that while there is no indication that the information was actually compromised, the school district and the vendor recommended that parents take precautionary measures.

According to a letter co-signed by Mr. Carney and Daniel Courter, general counsel for Multi-State Billing Services, a Multi-State laptop was stolen from a locked vehicle on May 28. The laptop was password protected but not encrypted. The police believe the theft was random.

The laptop contained such personal information as each child’s name, date of birth, Medicaid ID and Social Security number.

Read more on Telegram & Gazette.

Okay, children under 18 aren’t permitted to have a credit report, so there should be nothing to put a security freeze on, but maybe it will prevent someone from trying to establish credit.

This is being cross-posted to databreaches.net and phiprivacy.net because it involves the education sector contracting with a HIPAA-covered entity.

So why was a laptop with unencrypted personal information and Medicaid numbers left in the vendor’s vehicle? Did the district have a contract with Multi-State Billing Services that required encryption for data at rest? Did it prohibit devices being left in unattended vehicles?

Jun 24, 2014

Just in Time Research: Data Breaches in Higher Education

This “Just in Time” research is in response to recent discussions on the EDUCAUSE Higher Education Information Security Council (HEISC) discussion list about data breaches in higher education. Using data from the Privacy Rights Clearinghouse, this research analyzes data breaches attributed to higher education. The results from this review will be used to inform EDUCAUSE research, programs, products, and services.

Hardly a day goes by without a media report about a data breach that exposes the personally identifiable information (PII) of individuals. While much of the news regarding data breaches focuses on the harm to affected individuals, data breaches also harm the organization experiencing the breach. Potential direct financial costs of a data breach include legal representation, fines (depending on the nature of the breach), and the expense of notifying affected individuals. Organizations also face losses in reputation and consumer confidence. Particularly important for higher education institutions are reputational consequences, which could result in a loss of alumni donations and even a reduction in the number of students choosing to apply to or attend the institution.

Access the full report here (pdf, 7 pp.).

The research is based on the Privacy Rights Clearinghouse chronology, which relies heavily on the Open Security Foundation DataLossDB project, DataBreaches.net, and PHIprivacy.net – all three of which I am involved in. In addition, they use HHS’s public breach tool and NAID.

Jun 24, 2014

John Luciew reports:

One thing is clear, the 16-year-old sophomore at the center of an alleged grade and attendance-record hacking case in Orange, N.J., apparently has some mad computer skills and plenty of smarts for executing elaborate plans. If only the student would apply those academic assets to his or her school work, then perhaps there wouldn’t be criminal charges of computer theft hanging over the student’s future right about now.

According to the Associated Press, the sophomore was arrested and charged late last week with using a school computer to change the grades and attendance records of multiple classmates.

Read more on PennLive.

Jun 21, 2014

Several years ago, I wrote to the NYC Comptroller’s Office and asked them to re-audit the NYC Department of Education on information technology/data security. To my knowledge, they haven’t done so.

If you are a parent of a student in the NYC schools, this should concern you because the previous audit and two re-audits showed pretty dismal data security.

Below is the first page of the 2004 re-audit, which explains the background and gives an overview of the findings. I’ll meet you on the other side.

[Image: first page of the 2004 re-audit, NYC_DOE_AUDIT_7F04_137.pdf]

Scary, isn’t it? And the second page and balance of the report is even scarier.

You can read the full report on the Comptroller’s web site (pdf, 29 pp.)

So what has happened since 2004? Why hasn’t the city gone back and ensured that students’ personal and sensitive information is being adequately secured?

As best I can tell, other than the 2013 SESIS audit, which is (only) for the DOE’s Special Education Student Information System (and which also found data security issues), there has been no audit or independent assessment as to whether the DOE is keeping your child’s personal and sensitive information secure.

If you are concerned, you can use a form on the Comptroller’s site to suggest that they audit/re-audit the Dept. of Education for data security of students’ personal and sensitive information. I’d encourage you to do so.