Maybe we should prohibit school districts from maintaining electronic databases
Yes, I know that idea would send us back in time, but yet another ridiculous data breach involving a public school’s system being hacked by students has me pulling my hair out and wishing for more regulation or something. WPXI in Pennsylvania reports:
Investigators said the hacking began in May on two students’ home computers. Police said the teens tried several passwords and combinations until they broke through the school’s online security system.
Police said the students got teachers’ addresses, salaries and Social Security numbers.
Read more on WPXI. The incident occurred at Blairsville High School, which is part of the Blairsville-Saltsburg School District. In related coverage, WTAE reports that the district’s only statement was:
“The Blairsville-Saltsburg School District administration has investigated the breach and turned the matter over to the PA State Police at the Indiana Barracks. Upon advice from the district solicitor, Mr. Jack Cambest, no further statement can be made at this time.”
There is no statement on the district’s or high school’s web site.
I’ll go out on a limb here and suggest that if it only took the teens a few tries at user/pass combinations, the district did not have a strong user/pass combination on its system.
Nor do they appear to have a good log/monitoring protocol in place if the hacking/intrusions began in May and the only way they learned of the breach was because one of the students raised his hand in class and showed off by telling the class the teacher’s Social Security number!
Public school districts collect and store a tremendous amount of sensitive information on students, their parents, and families. They also collect and store Medicaid information in those cases where Medicaid is being billed for special services being provided to a student.
Picture this: your child’s Social Security Number, your Social Security Number, your child’s diagnoses and medications, her Medicaid number, your family’s social history, the name of your employer, any subsidies you receive, your religion, and other sensitive information are all exposed on the Internet for over a year and are indexed by search engines. Or all that wonderfully rich information is accidentally shared via a file-sharing program an employee has on the home computer they use to log in to district databases. It could happen. And you’d have no recourse unless you could prove actual unreimbursed harm. Your stress, your embarrassment, any time you spend trying to ensure that you do not become a victim of ID theft are all … on you.
To my knowledge, not one school district has ever been fined for having poor security or for a data breach. While some might argue that fining a district is tantamount to fining the victims whose tax dollars will pay for the fine, does it seem right that schools generally get off with no consequences other than the costs of breach notification and maybe credit monitoring?
The situation is likely to only get worse as the federal government seeks even more data for post-school tracking.
So what do we do? Well, how about we start with prohibiting public schools from using Social Security numbers as identifiers – something they should have stopped doing voluntarily over a decade ago? And we make them remove SSNs from all computers so that they cannot be accidentally leaked on the Internet. Then we can talk about the rest of it. But let’s start with prohibiting the use of SSNs.
Or do you have a better idea? If so, sound off in the Comments section.