Jun 192018

Roxana Hegeman reports:

A civil rights group filed a federal lawsuit Tuesday against Kansas Secretary of State Kris Kobach challenging a multi-state voter registration database it claims exposed sensitive information including partial Social Security numbers from nearly a thousand state voters.

The complaint by the American Civil Liberties Union of Kansas alleges “reckless maintenance” of the Interstate Voter Registration Crosscheck Program, which compares voter registration lists among participating states to look for duplicates.

Read more from AP on WABI.

Jun 182018

Rebecca Hill reports:

The British Home Office’s bid to reduce the number of potential claimants from a 2013 data breach that exposed the personal details of thousands of asylum seekers has been knocked back by the Court of Appeal.

Rather than simply publishing overall statistics on the family returns process – the system by which children who have no legal right to remain in the UK are returned to their country of origin – the Home Office uploaded a spreadsheet that also contained the information that the stats were based on.

This included the names of 1,598 lead applicants for asylum or leave to remain, along with other details including their age, nationality, the stage they had reached in the process and the office that dealt with their case – which could be used to infer where they lived.

Read more on The Register.

Jun 182018

Gopal Sathe reports:

Bengaluru — If you are the gentleman who bought Suhagra 50, a generic version of Viagra, and some Vomiford anti-nausea drops, on June 13 from a government-run Anna Sanjivini store in Anantpur in Rayalseema, your name, phone number and purchases, were listed on an Andhra Pradesh government website — until HuffPost alerted the authorities.

The link has since been taken down (you’re welcome).

Read more on Huffington Post (IN).

Jun 182018

If there is a Keystone Cops equivalent of a k-12 data breach, a recent incident involving Chicago Public Schools may be a strong contender.

Last week, this site noted a breach that seemed puzzling in its description. Since that time, some informed parents have reached out to me to provide me with more details about the incident.

It all started when Chicago Public Schools (CPS) sent a letter to parents of students who were eligible to select other schools for the 2018-2019 school year. The letter was intended to instruct the parents how to review the schools that their child was eligible for and how to indicate their choice.

Based on what was provided to DataBreaches.net by Cassie Creswell, co-director of Raise Your Hand Action, a Chicago-based public education advocacy group, it appears that instead of the letter having an attachment, the letter (only) contained a link to a file on Blackboard. That file contained 3,700 students’ and parents’ information. So every recipient who clicked on the link in the email would have seen – and could have downloaded – a file with thousands of students and parents’ information.

Why that file should be up on Blackboard with absolutely no login required was not explained by CPS in their breach notification letter.

According to Cressell, the fields were in the following format:

First_Name Last_Name HomePhone WorkPhone MobilePhone SMSPhone EmailAddress   ReferenceCode  Building

The names are the student’s name,  the phone numbers and email are for the parent, and the reference code is the child’s CPS student ID number, Creswell explained.  The field labeled “Building” contained a list of one or more  types of selective schools: AC, Regional Gifted Centers, Classical.

Frustratingly, it appeared that although CPS fairly quickly realized that they had had a data breach, they didn’t quite understand the nature of the breach. Initially, as their notification letter suggested, they seemed to believe that parents had actually received an attached file with 3,700 students’ information. Hence, they asked parents to basically “do the right thing” and delete the attachment without looking at it.

But there was no attachment, and it took CPS more than 4 hours to figure out that instead of asking parents to delete a nonexistent attachment, they needed to remove the unsecured file from Blackboard or otherwise lock it down.

So while CPS may have believed that they had responded appropriately to the breach by asking parents to delete an attached file, in actuality, the file remained where it had always been – up on Blackboard.  And any parents who hadn’t already accessed that file when they first got an email from CPS might have become curious and taken a look at the file in the more than 5 hours it allegedly took CPS to actually secure the file.

To make matters even worse, there’s some indication that this was not the first time CPS had made this exact type of error. DataBreaches.net was provided with a text copy of an email sent by CPS on March 10, 2017 that contacted parents about selective enrollment, and that supposedly contained an attachment, but actually contained a link to a live file on Blackboard:

*File attachments:*
SEHS Confirmation Reminder.csv
<https://connectdocs.blackboard.com/<redacted by DataBreaches.net>

This certainly appears to be the same scenario as the recent breach, and DataBreaches.net has reached out to CPS to ask them to confirm or deny whether this was the same kind of breach.

In a statement to DataBreaches.net, Creswell summarized parental frustration and fears:

We are deeply concerned about yet another improper sharing incident of student data in Chicago Public Schools. The district’s response to being notified of the breach was especially concerning because (1) it was clear that they initially didn’t understand how the data had been shared (on the web vs as an email attachment), and it took hours for them to disable the web site. And (2) this is at least the second time that they’ve made this exact mistake.

CPS has a $950K contract with Blackboard Connect, but it seems that they haven’t received either the training or the support needed to properly use this product, one which interfaces with their own Student Information System.

This is just an error that’s come to light publicly; what else is happening that the parents and the public don’t even see?

As noted above, DataBreaches.net reached out to CPS to ask them to confirm or deny that this was the second time that parents had been given a link to a file on Blackboard instead of being provided an attached form to complete. DataBreaches.net also posed two additional questions to Tony Howard, Executive Director, CPS Office of Access and Enrollment:

In terms of the current/most recent incident: Who determined that a file should be uploaded to Blackboard and made available without any login required? Was that an executive decision or did some hapless employee just screw up or….?


Is someone going to reconfigure connect.blackboard to require at least a password to access files on it? I’m concerned that someone could have uploaded a spreadsheet with hundreds of thousands of student names, IDs, and medical or SpEd information or other sensitive info.

No response was immediately received, but that is not surprising on a weekend and holiday. This post will be updated if a reply is received.

Jun 162018

We’ve seen mistakes made in responding to public records requests that result in people’s personnel information or identity information being improperly released.  But if there’s a mistake, and the receiving party is a journalist who agrees NOT to use the information and who destroys the data, should those whose data were revealed be entitled to $400,000 for alleged harm suffered as a result of that breach?  $400,000 for….. exactly what concrete harm or injury or is this a “Give us $400k because of what could happen” claim?  Rachel Riley reports:

Two high-ranking El Paso County Sheriff’s employees are threatening to sue the county for $400,000 over a clerical error that revealed personal information to a Colorado Springs weekly newspaper.

The county rejected their demand as “outrageous,” contending that sheriff’s Lt. Bill Huffor and his wife, Janet Huffor, the Sheriff’s Chief of Staff, have failed to demonstrate that they’ve been harmed by a county employee mistakenly sending unredacted copies of their personnel files to the Colorado Springs Independent in response to an open records request.


The Huffors’ attorney, Erin Jensen, alleged in a May 16 demand letter that the county violated the couple’s right to privacy, and that the disclosure could threaten the couple’s safety. Jensen added that Bill Huffor “routinely works operations against violent drug cartels” who could use the information to “exact revenge” against him or his family.

Read more on The Gazette.