epic privacy


From epic.org

The above information makes you wonder how much student data has been hacked.  How easy is it to hack into student data?  Is any personal data safe?  How can your student’s information be used?  From What we fear is here ~ As seen with my own eyes:

What we fear is here.  It’s not an InBloom leak – probably a local hacker who seems quite ticked off at Sachem School District.  According to the first page of the hacker’s site, he/she claims that the data was exposed 2 years ago by someone else and is doing this now because the district did nothing about it and would not admit it.  He/she says the data will continue to be leaked (it still is now) until the district makes an admission to their errors.

I saw the data myself – how? Well, News12 Long Island stated the forum name where the data was posted.  The hacker was posting frequently – quicker than the moderator or administrator of the forum could take it down.

I saw medical records (immunization, allergy, etc.) and a letter from a doctor stating the child was prescribed Ritalin and his dosage.  I saw a list of student IDs with their names and whether they were receiving free lunch or not.  I saw report cards.  District registration documents (including name, address, date of birth, parent info.)  I saw disciplinary records – a letter to a parent (name and address included) stating their child had been suspended for smoking marijuana on the bus.  BOTH the parent’s and child’s name and address were on the letter.

The writer makes this important point:

Being told we are “misinformed” and “grabbing headlines” is disheartening.  We are parents. We have the right to be told what information the districts are sharing and when.  We have the AUTHORITY to question everything a district does with our children’s and our personal information.  Districts have an obligation to us – they MUST inform us of the data items they will share with NYSED.  NO ONE should see what I saw with my own eyes.  How completely irresponsible.

A 17 year-old was subsequently charged with illegally accessing and downloading Sachem students’ records in 2012 and 2013.  How much personal information on students was hacked?  From Office of Inadequate Security:

The district contacted the police on November 8 after learning that some information had been uploaded to a web page, although as the district’s FAQ on the breach notes, they first became aware of the breach in July and again in August, when they also reportedly contacted the police.

The information leaked online reportedly included a list of 15,000 student names dating back to the early 2000s and school identification numbers and lunch designations. There was also another list with 12,000 names and school identification numbers posted, but only about 900 of those were different than what had been posted already. Additionally, records for about 360 Sachem High School East graduates from 2008 were also posted, along with a report on about 130 Sachem High School North students in the 2010-2011 year who received “instructional services in an alternative setting,” the district said in a statement on the district’s website.

….So… it seems that the district did not detect when the database was breached in 2012 of 2013, and had the hacker not uploaded the data to a local web site, the breach might never have been detected. What does that say about the state of data security for the school district? Note that while some of the data uploaded does not seem to be too sensitive, free lunch program status does convey information about the families’ economic situation, and information on students educated in alternative settings suggests that those records include what should be protected information about students with disabilities (or in some cases, perhaps, disciplinary problems leading to other settings).

Take note of this sentence: it seems that the district did not detect when the database was breached in 2012 of 2013, and had the hacker not uploaded the data to a local web site, the breach might never have been detected.  (MEW note: I believe it should read “database was breached in 2012 or 2013”)

Is it concerning to anyone that, had a hacker not exposed the information, the breach could have created an open spigot of personal information being funneled to unauthorized parties for quite some time?  How is the school district held accountable for the data breach?  The article continues:

No free credit monitoring services have been offered to anyone and the district says Social Security numbers were not involved. But until the teen’s hard drive is searched, it may be premature to suggest that what was uploaded to web sites was all of what was acquired.

From my reading of the situation, my guess is that the teen was able to get a staff member’s login credentials and used them to access the system.

Of course, nothing ever really happens to districts who experience these kinds of breaches. The U.S. Education Department doesn’t require breaches be reported to them and NYS is unlikely to do anything. Could the FTC do something? Yes, but historically, they have been hands-off in the education sector. Frankly, I wish the FTC would go after a few educational institutions at the k-12 and post-secondary level. With more districts compiling and sharing more student data that includes parental income and other details, the need for data security in the education sector has never been greater.

Update1: The teen has pleaded not guilty. Of note, the prosecutor claims the teen allegedly also “downloaded and took” student Social Security numbers and medical information.  There was no indication as to whether it was uploaded to any site. Since the district’s public statements about the breach denied SSN were taken and made no mention of medical information, it’s time for local reporters to go back to the district and clarify exactly what types of information really were involved in this breach.

This teenager showed how easy it is to hack data on students.  If schools can’t protect personal data then they shouldn’t be requiring it in the first place.  If a breach does occur, the school should notify the parents immediately.  Schools are gathering data through the Common Core State Standards Initiative for accountability purposes.  From The Fordham Institute’s Misinformation About Missouri Standards & Common Core:

The Common Core Standards are needed to set “the foundation for the broader system of the broader college and career ready agenda: course requirements, assessments, data and accountability systems.”  (From Achieve pdf about the standards circa 2010):

final ccss implementation guide

If districts/schools won’t push back and refuse the data gathering, then they should be assigned the legal responsibility for the data mining and possible breaches.  Target can be sued for privacy breaches; why can’t schools?

Here’s the original tv report on the breach.






Gretchen Logue
