TX: 14,000 Midland ISD students risk identity theft because of sloppy security
From the oh-FFS-dept.:
The identity information of 14,000 past and present Midland Independent School District students has been compromised by a computer theft.
Midland school Superintendent Ryder Warren says a laptop computer and external hard drive containing the information was stolen from the back of a district administrator’s car on Jan. 23. He says the information includes birthdates and Social Security numbers of all current students from seventh grade through high school seniors, along with graduates dating to the class of 2008.
Read more on NBCDFW.
In a February 3rd media notice linked from the district’s homepage as “Unauthorized Information Release Announcement,” Superintendent Warren writes:
Please be aware that Midland ISD is notifying parents and guardians of an unauthorized information release of selected current and former students’ information.
A computer theft caused the information breach, and MISD is working with the Midland Police Department following the incident.
Current and former MISD students’ Social Security numbers and dates of birth could potentially be used fraudulently. MISD encourages students and/or families to place a fraud alert on their credit lines and to contact at least one of the three major credit bureaus (Equifax, Experian, or TransUnion Corp.). Please see the attached letter for more information.
As the superintendent of schools, I deeply apologize for any inconveniences that may result from the theft. We are reviewing (and if needed – changing) all district-wide safety measures to help further ensure the security of confidential information in the future. MISD prioritizes the privacy and safety of students and families.
The January 31st notice to parents begins:
To current and former MISD parents or guardians,
This letter is being sent to you as a formal notice that personal information relating to your student, and maintained in a database by Midland ISD, may have been compromised by a recent theft. This notice constitutes the disclosure required under Section 521.053 of the Texas Business & Commerce Code.
On January 23, 2014, MISD was informed that a computer and an external hard drive which contained sensitive personal identifying information was stolen. A police report was immediately filed. MISD believes your student’s name, Social Security number and date of birth may have been contained within the files on the external hard drive.
At this time, MISD has no knowledge that your student’s name or personal identifying information has been accessed or misappropriated.
As part of the report to the Midland Police Department, we reported all of the names of those who could be affected. Your student’s name was included in this group reporting process. By reporting as a group, individually submitted police reports are not necessary.
Possible use of your student’s personal identifying information by unauthorized individuals may result in financial loss to your student. Please refer to the following web sites for helpful information:[…]
Read more of the notices here (pdf).
Neither of those notices happens to mention that the theft occurred from a district administrator’s car. Nor is there any mention of any disciplinary action taken against the administrator who left the devices in a vehicle. Was the administrator violating any established policy or was there no policy in place that says, “Hey, dummy, don’t leave PII lying around?”
Yes, I’m irked. This is really inexcusable that 14,000 students and their families now have to worry about identity theft because of slack practices by a district administrator.