Sep 062014

Dennis Culver reports:

California State University officials said today the university’s East Bay information security team has discovered a breach in a web server used to store personal employee information.

Officials said the security breach occurred on Aug. 23, 2013 and was discovered Aug. 11 of this year. The university learned through the subsequent investigation an unknown person broke into a university web server used to store various employment transaction records and some extended learning course information.

Officials said a malicious software tool allowed an unauthorized person to copy a data file containing the full names, addresses and Social Security numbers of 6,036 individuals. The birth dates of 508 individuals were also on the data file.

Read more on SFBay.

A template of the notification letter sent to employees was submitted to California’s Attorney General, and is viewable here (pdf).

Sep 052014

An update to this breach:

Cumberland Valley School District Friday continued to warn parents about a hacking incident after a forensic specialist concluded in a report that there is not a 100 percent guarantee that no confidential information was accessed.

The information Friday stems from an incident on Aug. 21 in which district administration was notified of evidence that an outside hacker accessed the district’s computer network.

School district officials said Friday that it appears the hacker may have been from Eastern Europe and that he/she used a district server as a “pass through” to store information.

Read more on The Sentinel.

Sep 042014

Jonathan Mayer writes:

I’m excited to be teaching Stanford Law’s first Coursera offering this fall, on government surveillance. In preparation, I’ve been extensively poking around the platform; while I found some snazzy features, I also stumbled across a few security and privacy issues.

  1. Any teacher can dump the entire user database, including over nine million names and email addresses.
  2. If you are logged into your Coursera account, any website that you visit can list your course enrollments.
  3. Coursera’s privacy-protecting user IDs don’t do much privacy protecting.

The balance of this piece provides some detail on each of the vulnerabilities.

Read more on Web Policy.

Sep 032014

News12 reports:

The Florida School District reported a student security breach Wednesday after some students posted copies of their official class schedules online.

When students at the S.S. Seward Institute received their schedules over the weekend, school officials say some of them shared the schedules online. In addition to classes, the paperwork also had student ID numbers, along with their computer IDs and passwords.

Read more on News12 Westchester.

So this was a self-inflicted privacy/security breach by students and not the district’s breach, although hopefully, they’ll reissue ID numbers and passwords.

And yes, this is a teachable moment.

Aug 312014

Ally Marotti and Bowdeya Tweh report:

The Forest Hills School District had a computer security breach earlier this month, where information on all of the district’s more than 9,000 students was accidentally sent to most district parents.

District officials Friday told parents about the breach that included student identification numbers, home addresses and parent email addresses.

They acted after opponents of the district’s controversial building plans apparently used the parent list to send a mass email urging opposition to a $103 million building bond issue on the November ballot.

Erika Daggett, communications coordinator for the Anderson Township district, said the security breach occurred through a back-to-school notification where the student and parent information was mistakenly attached.


Aug 292014

CBC News reports:

Memorial University is dealing with a privacy breach after three desktop computers were stolen from the School of Social Work on its St. John’s campus.

Communications Director Dave Sorensen said the computers were stolen from temporary offices in Coughlan College about two weeks ago.

Sorenson said the university is still investigating, but it looks like personal information of nine people was on the hard drives.

Read more on CBC