What's Your Procedure for School District Data Breaches? #encryption #databreach

"853,478,157 RECORDS BREACHED," in 2014-2015 among education (K-16) entities (check list at bottom of this blog post). There are a LOT more breaches, though. 

Ever since I began working in a large urban school district many years ago, and even after I left, I've asked myself, "Why don't we have a consistent procedure for safeguarding sensitive data?" This concern came to a head several times, as I became aware of efforts to cover up the problem.

The first was from parents who had stumbled onto their child's confidential school records...district information techs worked frantically to remove the "breach" of confidential data from public view. Somehow, an Excel spreadsheet had found its way online, posted to a web site, containing confidential data. Another time, the data had been in a secretary's notebook that fell out of her purse on the way to her car and was lost. Or, a staff member who left an unencrypted laptop that was stolen from an unlocked vehicle parked in his driveway. I was already aware of campus principals who carried treasure troves of personally identifiable information on their external USB hard drives because they feared having anything on their "work laptop," for fear they might lose access to it and all their hard work.

In each of these scenarios, I remember asking, "Why can't we use free, open source encryption solutions to safeguard data? Why can't we provide training?" The answer was always the same--
"We need an enterprise level solution. If we show people how to encrypt data, then when the District needs to access that encrypted data, we will have to ask them to give us their encryption key or password. What if the person is a disgruntled or departing staff member?"
Of course, you'll pay an arm and a leg for "enterprise level solutions"...and encryption is everyone's business. I remember when one district staff member left the District in question. She made sure to back up all her data--presumably, confidential data--to her external USB drive (unencrypted), then deleted it from her Windows laptop. It didn't matter that we could access her laptop...the data was gone and it would have taken special software to "un-delete" the data...a job easier said than done.

MAKE A DIFFERENCE
In this easy to edit GoogleDoc, Safeguarding Sensitive Data: Data Breach Prevention and Response Plan, I encourage you to review this hodge-podge of ideas and tips and make improvements that we all can share and take advantage of.


SCHOOL DATA BREACH EXAMPLES via PrivacyRights.org


Date Made Public | Name | Entity | Type | Total Records
July 2, 2015
Bonita Unified School District
San Dimas, California
Entity: EDU | Type: HACK | Total Records: Unknown
The Bonita Unified School District notified parents and students of a breach when unauthorized access was discovered at a San Dimas High School server.
On June 2, 2015 the district discovered the unauthorized access to the high school's student database and noticed that several students' grades had been changed. The district believes that the individual(s) that changed the grades also downloaded personal information of students.
The information compromised included names, Social Security numbers, birthdates, medical information, the school's systems usernames and passwords, addresses, email addresses, and phone numbers.
The district is providing 12 months free of ProtectMyID Alert from Experian for those affected. Those with questions can call 1-909-971-8320 and ask for Donna Martin at ext. 5201 Monday through Friday 8:00 am to 4:30 pm Pacific Time.
Information Source:
California Attorney General
records from this breach used in our total: 0
July 2, 2015
Harvard University
Cambridge, Massachusetts
Entity: EDU | Type: HACK | Total Records: Unknown
Harvard University is notifying individuals of a data breach to their system that included 8 colleges and administrations.
Those colleges and administrations include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, or Harvard T.H. Chan School of Public Health.
The university has not commented on how many individuals were affected or what information was compromised. The university is requesting that anyone who is associated with any of the entities change their username and password.
Information Source:
Media
records from this breach used in our total: 0
May 15, 2015
Penn State College of Engineering
University Park, Pennsylvania
Entity: EDU | Type: HACK | Total Records: 18,000
Penn State's College of Engineering announced that their servers were hacked in two different intrusions. The hackers are believed to be based in China and may have exposed "at least 18,000 people and possibly other sensitive data".
Penn State's President sent a letter out to students and faculty informing them that the college's network had been disconnected from the Internet while they investigate the intrusion. Read more here: http://news.psu.edu/story/357654/2015/05/15/administration/message-presi...
The information compromised has not yet been made public; all College of Engineering faculty, staff and students were affected. Those who also had taken at least one engineering class would be affected as well. The university is requiring those who meet this criteria to change their username and password. They have set up a VPN and will be required to use two-factor authentication.
Information Source:
Media
records from this breach used in our total: 0
April 10, 2015
University of California, Riverside Graduate Division offices
Riverside, California
Entity: EDU | Type: PORT | Total Records: Unknown
The University of California, Riverside's Graduate Division offices notified individuals of a theft of a laptop computer that included graduate student application information including Social Security numbers, first and last names.
For questions call UCR's Risk Management Office at 1-866-827-4844
Information Source:
California Attorney General
records from this breach used in our total: 0
February 18, 2015
University of Maine
Orono, Maine
Entity: EDU | Type: PORT | Total Records: 941
The University of Maine notified students of a data breach when a laptop was stolen with student roster information on it including Social Security numbers, phone numbers, email addresses, grade data and course information.
According to the university only 604 Social Security numbers were involved in the total of 941 records exposed.
Information Source:
Media
records from this breach used in our total: 604
February 17, 2015
Escondido Union School District
Escondido, California
Entity: EDU | Type: PORT | Total Records: Unknown
The Escondido Union School District notified some students and employees of the district of a data breach that occurred when a district owned tablet and external hard drive were stolen from a backpack belonging to a district employee.
The personal information saved on the laptop included student contact information, assessment results, and self reported income by parents.

Information Source:
Media
records from this breach used in our total: 0
January 21, 2015
Mount Pleasant School District
Mount Pleasant, Texas
Entity: EDU | Type: HACK | Total Records: 915
Mount Pleasant School District has informed approximately 915 present and former staff members that their personal information may have been compromised between January 18th 2015 and January 21st 2015.

A spokesperson for Mount Pleasant School District stated “Forest Hills District had a denial of service and discovered they had been hacked,” she said. “The district’s technology director found a Tweet that mentioned us. She looked us up on the Web and called us to let us know on Tuesday.”
When the technology director for Mount Pleasant clicked on the link, it directed him to a file that included names, addresses and Social Security numbers” of MPISD staff.
Information Source:
Media
records from this breach used in our total: 915
January 1, 2015
Fast Forward Academy
Altamonte Springs, Florida
Entity: EDU | Type: HACK | Total Records: Unknown
The Fast Forward Academy LLC has notified customers of a data breach to their systems that store customer and partner information. The information compromised included names, addresses, Social Security numbers, and email addresses.
The company is providing access to Triple Bureau Credit Monitoring services at no charge for 12 months. Those affected can enroll at https://www.myidmanager.com/promo_code.html and provide the code provided by the company or call 1-866-717-9429 to set up services or their help line at 1-800-405-6108 Monday through Friday between the hours of 8 a.m. to 5 p.m. EST.
Information Source:
records from this breach used in our total: 0
December 12, 2014
University of California Berkeley
Berkeley, California
Entity: EDU | Type: HACK | Total Records: Unknown
The University of California Berkeley has notified individuals of a data breach in their Real Estate Division that resulted in unauthorized access to servers used to support a number of Real Estate programs and work stations. 
These workstations contained files that included some personal information. The investigation of the hacking showed that these servers were breached in mid-to-late September.
The personal information included names, Social Security Numbers, credit card numbers and driver's license numbers.
The university is offering identity theft protection and fraud resolution through ID Experts for free for one year. For those affected call 1-877-846-6340 Monday through Friday from 6 a.m. to 6 p.m. Pacific Time or go to www.myidcare.com/ucbinfo.
Information Source:
California Attorney General
records from this breach used in our total: 0
November 14, 2014
Seattle Public Schools
Seattle, Washington
Entity: EDU | Type: DISC | Total Records: 8,000
The Seattle Public School District announced in a letter to parents Thursday a data breach that involved their children's information.
"Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed."
Over 800 special education students were involved in a breach. The information involved in the breach included their names, addresses, student identification numbers, test scores and disabilities.
Information Source:
Media
records from this breach used in our total: 0
October 1, 2014
Provo City School District
Provo, Utah
Entity: EDU | Type: HACK | Total Records: 1,400
The Provo City School District notified employees of a "phishing" attack Monday September 29, 2014 which allowed access to employees' email accounts. Some employee email accounts contained files that may have had personally identifiable information.
Currently the school district is investigating the breach and notifying those affected.
Information Source:
Media
records from this breach used in our total: 0
October 1, 2014
Fort Hays State University
Hays, Kansas
Entity: EDU | Type: DISC | Total Records: 138
Fort Hays State University has notified 138 of its graduates that their personal information may have been compromised when personal information was "accidentally" exposed on the Internet. The information exposed included Social Security Numbers and various other pieces of personal information.
The university stopped storing Social Security Numbers of students five years ago; however, for anyone who attended the university prior to 5 years ago, SSN information is still part of the university database.
Information Source:
Media
records from this breach used in our total: 138
September 5, 2014
California State University, East Bay
Hayward, California
Entity: EDU | Type: HACK | Total Records: Unknown
California State University, East Bay has notified individuals of a data breach that occurred on August 11, 2014 when the University discovered unauthorized access to individuals' information when an overseas IP address appears to have used a software tool designed to access information on a server without being detected. The server targeted contained personal information on various employment record transactions and some extended learning course information.
The specific information breached included names, addresses, Social Security Numbers and dates of birth.
The University has set up 12 months free of Experian's ProtectMyID for those affected. For additional questions or concerns individuals can contact (888) 738-3759 a toll free number specifically set up to deal with questions/concerns regarding this breach.
Information Source:
California Attorney General
records from this breach used in our total: 0
August 7, 2014
University California Santa Barbara
Santa Barbara, California
Entity: EDU | Type: HACK | Total Records: Unknown
The University California Santa Barbara has notified individuals of unauthorized access to some archival payroll data that included names, social security numbers and direct deposit banking information.
The University has contracted with ID Experts to provide free credit monitoring service, and insurance for identity theft restoration.
If you need assistance enrolling or have additional questions, the University is requesting individuals call the UCSB / ID Experts team at 1-877-919-9184, between the hours of 6:00 am and 6:00 pm Pacific Time.
Information Source:
California Attorney General
records from this breach used in our total: 0
July 16, 2014
Douglas County School District
Castle Rock, Colorado
Entity: EDU | Type: PORT | Total Records: Unknown
Douglas County School District notified employees of a data breach of their personal information when a laptop containing their personal information was stolen.
In a letter sent to district employees, the district stated that the stolen computer contained some workers' Social Security numbers and bank account information.
The district is currently investigating the breach.
Information Source:
Media
records from this breach used in our total: 0
July 14, 2014
Orangeburg-Calhoun Technical College
Orangeburg, South Carolina
Entity: EDU | Type: PORT | Total Records: 20,000
"Orangeburg-Calhoun Technical College in South Carolina is notifying 20,000 former and current students and faculty members that an unencrypted laptop computer stolen this month from a staff member's office contained their personal information."
The information contained on the laptops included names, birth dates and Social Security numbers of individuals.
The college stated that the information goes back 6 or 7 years and that they believe the thief was after the hardware, not the data stored on it. The college neglected to comment on whether or not they are providing credit monitoring services for those affected.
Information Source:
Media
records from this breach used in our total: 20,000
July 11, 2014
University of Illinois, Chicago
Chicago, Illinois
Entity: EDU | Type: HACK | Total Records: Unknown
The University Illinois Chicago (UIC) notified former students of a data breach to their system that included the exposure of personal data.
"A website security breach made two College of Business Administration documents from the 2002 spring semester accessible — a roster from a Special Topics in Accounting course and an advising list for all junior and senior accounting majors, according to a statement from the university".
Personal information was exposed, including Social Security numbers. The university has not stated how many students were affected, and the breach is currently under investigation.
Information Source:
Media
records from this breach used in our total: 0
July 10, 2014
University Development and Alumni Relations at the Penn State College of Medicine
Philadelphia, Pennsylvania
Entity: EDU | Type: HACK | Total Records: 1,176
Penn State has notified 1,176 individuals that their personal information had been breached. The Office of University Development and Alumni Relations at the Penn State College of Medicine was found to be "infected with malware that enabled it to communicate with an unauthorized computer outside the network".
The university used Social Security numbers as a personally identifiable number for students and these SSNs were found in an archived College of Medicine alumni list last used in 2005.
The university put out this information:
"For information about Penn State's efforts to minimize computer security risks, visit the University's Be Safe website at http://its.psu.edu/be-safe. For more detailed information about identity theft risks and prevention, visit http://www.ftc.gov/bcp/edu/microsites/idtheft/."

Information Source:
Media
records from this breach used in our total: 1,176
July 8, 2014
Park Hill School District
Kansas City, Missouri
Entity: EDU | Type: INSD | Total Records: Unknown
The Park Hill School District has informed current and former Park Hill students and employees of a data breach to their system. A former employee downloaded files onto a hard drive without authorization. When the employee connected it to a home network, the files went onto the Internet.
The information leaked included personnel files and Social Security numbers.
Information Source:
Media
records from this breach used in our total: 0
July 2, 2014
Milford Schools
Milford, Massachusetts
Entity: EDU | Type: PORT | Total Records: 25
Up to 25 students at Milford Schools may have had their personal information stolen due to a data breach with a third party billing service, Multi-State Billing Services, located in Somersworth, New Hampshire, when an employee's laptop was stolen from their locked vehicle in May.
The laptop was password protected but not encrypted, and contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts.
The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers.
Multi-State Billing will reimburse costs related to security freezes for the next three years. Information about reimbursement can be obtained by emailing customersupport@msb-services.com or phoning (855) 285-7433. Because the children aren't actual victims of identity theft, the credit agencies may charge up to $5 each time to place, temporarily lift or permanently remove a security freeze.

Information Source:
PHIPrivacy.net
records from this breach used in our total: 25
July 2, 2014
Uxbridge School District
Uxbridge, Massachusetts
Entity: EDU | Type: PORT | Total Records: Unknown
Students at Uxbridge School District may have had their personal information stolen due to a data breach with a third party billing service, Multi-State Billing Services, located in Somersworth, New Hampshire, when an employee's laptop was stolen from their locked vehicle in May.
The laptop was password protected but not encrypted, and contained information on nearly 3,000 students from 19 school districts in Central and Eastern Massachusetts.
The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers.
Multi-State Billing will reimburse costs related to security freezes for the next three years. Information about reimbursement can be obtained by emailing customersupport@msb-services.com or phoning (855) 285-7433. Because the children aren't actual victims of identity theft, the credit agencies may charge up to $5 each time to place, temporarily lift or permanently remove a security freeze.

Information Source:
PHIPrivacy.net
records from this breach used in our total: 0
June 30, 2014
Butler University
Indianapolis, Indiana
Entity: EDU | Type: HACK | Total Records: 163,000
Butler University in Indianapolis Indiana informed students, staff and alumni of a data breach to their system. Over 160,000 individuals may have been affected when hackers may have accessed their personal information.
The university was contacted by California officials to "inform them that they had arrested an identity theft suspect who had a flash drive with Butler employee's personal information on it". In a letter sent to those affected, the university has said that "someone hacked the school's network sometime between November 2013 and May 2014".
The school officials have discovered that the information exposed included birthdates, Social Security numbers and bank account information of approximately 163,000 students, faculty and staff, alumni, and prospective students who never enrolled in classes at Butler.
The university is offering a year of free credit monitoring.

Information Source:
Media
records from this breach used in our total: 163,000
June 26, 2014
Orange Public School District
Orange, New Jersey
Entity: EDU | Type: HACK | Total Records: Unknown
A 16 year old New Jersey teen has been charged with unlawfully accessing the Orange Public School District's database and changing final grades and attendance records.
The Orange High School sophomore is facing multiple counts of second-degree computer theft for unlawfully accessing and altering data and one count of hindering apprehension.
Reportedly, the student accessed the computer system after obtaining the password of a staff member. Authorities do not know how the teen was able to gain the password information. An investigation is still underway.

Information Source:
Media
records from this breach used in our total: 0
June 20, 2014
UCDC, Washington Center
Washington, District Of Columbia
Entity: EDU | Type: HACK | Total Records: Unknown
The University California, Washington Center received a notification of unsolicited emails being sent to alumni of the university. After an investigation, it was revealed that someone accessed the pre-enrollment system, GoSignMeUp.com, which is a cloud-based provider for the online course registration utilized by UCDC to host its online course registration process.
The information breach included usernames, passwords, addresses, principal e-mails, gender, birth dates and UCDC course information. The university has stated that they do not record or store any Social Security numbers or financial account information on any of its databases.
For those who were affected the university is recommending individuals change their password.
Those with questions are asked to contact techhelp@ucdc.edu
Information Source:
California Attorney General
records from this breach used in our total: 0
June 16, 2014
Riverside Community College
Riverside, California
Entity: EDU | Type: DISC | Total Records: 35,212
Riverside Community College has suffered a data breach affecting 35,212 students. On May 30th, a district employee emailed a file containing information about all students who were enrolled in the spring term to a colleague working at home due to illness, for a research report that was on a deadline. The district employee used a personal email account to send the data because the file was too large for the district's secure email to send. The employee then typed in the incorrect email address.
The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.
The district has set up a Call Assistance Center at 1-888-266-9438 for affected students. The center will be open from 6 a.m to 6 p.m Monday through Friday for 90 days.
Information Source:
records from this breach used in our total: 35,212
June 9, 2014
College of the Desert
Palm Desert, California
Entity: EDU | Type: INSD | Total Records: 1,900
The College of the Desert in Palm Dale California informed individuals of a data breach in their system when a college employee sent an unauthorized attachment in an email to approximately 78 college employees, that contained personal information of employees of the college.
The information contained in the attachment included names, Social Security numbers, dates of birth, genders, zip codes, titles of positions held at the university, employment anniversary date, employee identification numbers, insurance information, active or retired employee status.
Those who are affected are asked to call Stan Dupree, HR and Labor Relations Director at 760-674-3777 or sdupree@collegeofthedesert.edu
UPDATE (6/19/2014): According to new reports, The College of the Desert breach affected 1,900 current and former employees. The total individuals affected was not reported when the breach was made public.
Information Source:
California Attorney General
records from this breach used in our total: 1,900
May 30, 2014
Arkansas State University College of Education and Behavioral Science's Department of Childhood Services
Jonesboro, Arkansas
Entity: EDU | Type: HACK | Total Records: 50,000
Arkansas State University was notified by the Arkansas Department of Human Services of a data breach in their College of Education and Behavioral Science's Department of Childhood Services database, potentially exposing personally identifiable information.
According to A-State's Chief Information Officer Henry Torres, “we have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files,” Torres said. “We took immediate measures to address this issue after being notified by DHS. We are cooperating with DHS and working with programmers to assess and resolve the situation.”
The breach involved a database related to the "Traveling Arkansas Professional Pathways (TAPP) Registry, which is a professional development system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas."
To date, the university has stated that Social Security numbers were compromised in the database; no other information as to the specific data was provided by the university.
Information Source:
Media
records from this breach used in our total: 50,000
May 22, 2014
San Diego State University
San Diego, California
Entity: EDU | Type: DISC | Total Records: Unknown
San Diego State University discovered a database that was set up and managed by the Pre-College Institute, containing names, Social Security numbers, dates of birth, addresses, and other personal information was mis-configured to enable any computer connected to the SDSU wired network with the program "File Maker"   The SDSU wired network consists of offices, some labs and the library.
Those with questions or concerns about the incident are asked to contact Felecia Vlahos, the Information Security Officer at iso@sdsu.edu or via phone at toll free 1-855-594-0142 and refer to incident #H05007.


Information Source:
California Attorney General
records from this breach used in our total: 0
May 14, 2014
University California Irvine
Irvine, California
Entity: EDU | Type: HACK | Total Records: Unknown
On March 26, 2014, the California Information Security Office notified the University California Irvine that three of the computers in the Student Health Center had been infected by a keylogging virus, which captured the keystrokes as information was being entered into the computers, then transmitted the data to unauthorized servers. They believe that hackers gained information from February 14th through March 27th 2014. As a result of the virus, personal information of individuals was compromised.
The information included names, unencrypted medical information, potentially including health or dental insurance number, CPT codes, ICD9 codes and/or diagnosis, student ID numbers, non-student patient ID numbers, mailing addresses, telephone numbers, amounts paid to the Student Health Center for services, bank names and check numbers.
UC Irvine has contracted with ID Experts to provide one year of FraudStop credit monitoring and one year of CyberScan Internet monitoring for those affected. To enroll visit www.idexpertscorp.com/protect and use the code provided in the letter sent to those affected or call 1-877-810-8083.

Information Source:
California Attorney General
records from this breach used in our total: 0
April 22, 2014
Iowa State University
Ames, Iowa
Entity: EDU | Type: HACK | Total Records: 29,780
Iowa State University has reported a data breach of one of their systems that exposed a large amount of data of individuals who were enrolled in the university over the past 17-year period.
The exposed data included Social Security numbers of approximately 30,000 people who enrolled in certain classes between 1995 and 2012 along with university ID numbers for nearly 19,000 additional people. Authorities believe that the motivation of the person or persons was apparently to generate enough computing power to create the virtual currency bitcoin.
The university is offering AllClear ID for 12 months free for those whose Social Security numbers were affected. AllClear representatives can be reached at 1-877-403-0281.
Here is the link to the university's information regarding the breach: http://www.news.iastate.edu/news/2014/04/22/serverbreach
For those who suspect fraud or question whether a request you receive is legitimate, please contact the ISU Foundation at 515-294-4607, the ISU Alumni Association at 515-294-6525, or Iowa State’s computer security team at serverbreach@iastate.edu.
Information Source:
Media
records from this breach used in our total: 29,780
March 27, 2014
The University of Wisconsin-Parkside
Kenosha, Wisconsin
Entity: EDU | Type: HACK | Total Records: 15,000
Students were notified by officials from The University of Wisconsin-Parkside of a data breach that occurred to their system by hackers that installed malware on one university server.
The information that is at risk includes names, addresses, telephone numbers, email addresses and Social Security numbers. The breach affects students who were either admitted or enrolled at the university since the fall of 2010.
The server was shut down and the hacking was reported to local authorities. After launching an investigation it appears the malware was searching for credit card information and they show no evidence that any Social Security numbers were compromised.
The university has set up a website with information for those who may have been affected: http://www.uwp.edu/explore/contactus/index.cfm
Information Source:
Media
records from this breach used in our total: 15,000
March 6, 2014
North Dakota University
Bismarck, North Dakota
Entity: EDU | Type: HACK | Total Records: 290,780
North Dakota University System has notified individuals of a security breach of a computer server that stores personal information on students, staff and faculty.
On February 7, 2014 the server was hacked into and more than 209,000 current and former students and 780 faculty and staff had personal information stored on this server that included names and Social Security numbers according to Larry Skogen, the Interim Chancellor.
The university has notified officials and has set up a website www.ndus.edu/data with information and is organizing a call center for questions from those who were affected.
Authorities have announced that "an entity operating outside the United States apparently used the server as a launching pad to attack other computers, possibly accessing outside accounts to send phishing emails".
Information Source:
Media
records from this breach used in our total: 290,780
March 5, 2014
Point Park University
Pittsburgh, Pennsylvania
Entity: EDU | Type: UNKN | Total Records: 1800
On Wednesday March 5, 2014 Point Park University in Pittsburgh Pennsylvania notified employees of a possible data breach that included names, home addresses, Social Security numbers, wage information, birthdates, bank accounts and routing numbers.
The Point Park President stated that as many as 1,800 employees could have been affected by this breach.
"The university was expecting a package from its payroll processing vendor Ceridian, but when the package arrived to campus it was missing all of the accompanying reports, according to an internal email obtained by the Pittsburgh Post-Gazette."
The university is working with authorities and an investigation has been launched. The law firm that represents the university is currently putting a letter together to those who were affected that will include call-center information and other services offered.
Information Source:
Media
records from this breach used in our total: 1,800
February 26, 2014
Indiana University
Bloomington, Indiana
Entity: EDU | Type: HACK | Total Records: 146,000
Indiana University announced that the personal data of 146,000 students and graduates was breached. The information included their Social Security numbers and addresses and may have affected students and graduates from 2011 to 2014 at seven of its campuses.
According to the university "The information was not downloaded by an authorized individual looking for specific sensitive data, but rather was accessed by three automated computer data-mining applications, called webcrawlers, used to improve Web search capabilities."
The university also announced that the information was stored in an insecure location for the past 11 months. The site has since been locked down.
The university has set up a hotline 1-866-254-1484 for students as well as a website http://bit.ly/1kbX505 with information on how to monitor credit accounts and answers to any additional questions regarding an individual's exposure. The university will also be providing the Social Security numbers of those affected to the three major credit-reporting agencies.
Information Source:
Media
records from this breach used in our total: 146,000
February 19, 2014 University of Maryland
College Park, Maryland
EDU HACK
309,079
The University of Maryland, located in College Town, Maryland, had one of their records databases hacked Tuesday, January 18, 2014, around 4:00 a.m. by an outside source.
This particular database holds information dating back to 1998 and includes names, Social Security numbers, dates of birth and university identification numbers for 309,079 people affiliated with the school at their College Park and Shady Grove campuses.
The hackers did not alter anything in the actual database, but apparently have made a "copy" of the information. The university commented on how sophisticated the attack was, saying the hacker or hackers must have had a "very significant understanding" of how the database was designed and maintained, including the level of encryption and protection of the database.
According to the university President, school officials are investigating the breach and taking steps to prevent any further system intrusions.
The college has put out the following statements:
"The University is offering one year of free credit monitoring to all affected persons. Additional information will be communicated within the next 24 hours on how to activate this service.
University email communications regarding this incident will not ask you to provide personal information. Please be cautious when sharing personal information.
All updates regarding this matter will be posted to this website. If you have any questions or comments, please call our special hotline at 301-405-4440 or email us at datasecurity@umd.edu".

Information Source:
Media
records from this breach used in our total: 309,079
January 7, 2014 Risk Solutions International LLC, Loudoun County Public Schools
Ashburn, Virginia
EDU DISC
Unknown
Loudoun County school officials have responded to a data breach that made publicly available personal information about students and staff members, along with detailed emergency response plans for each school.
More than 1,300 links, thought to be password protected, could be accessed through a Google search and unveiled thousands of detailed documents on how each school in the district will respond to a long list of emergencies, including the staging areas for response teams as well as where the students and staff would be located during an emergency.
Additional documents that could be accessed included students' course schedules, locker combinations, home addresses, phone numbers and birthdates, along with the addresses and cell phone numbers for many school administrators.
The contractor, Risk Solutions International, acknowledged that the breach was caused by "human error" on its part.

UPDATE: Loudoun County Public Schools administrators released a more detailed statement about the information made publicly available on the Internet due to errors committed by the contractor Risk Solutions International (RSI).
According to school officials, the investigation is continuing into how the webpage was made accessible through online search engines without any password protection. The page included 1,286 links detailing information on 84 Loudoun schools. It is unknown how long the information was exposed or how many links were opened by unauthorized individuals.
Locker combinations were revealed for one school and only one parent's contact information was revealed for fewer than 10 schools, according to the spokesperson for the district. The statement also made clear that RSI's website was not hacked and that it never lost its password security. Instead, the breach occurred when RSI employees were doing technical testing on November 4th, December 19th and December 24th, 2013. (1/9/2014)
Information Source:
Media
records from this breach used in our total: 0
Breach Total
853,478,157 RECORDS BREACHED
(Please see explanation about this total.)
from 4,575 DATA BREACHES made public since 2005


Everything posted on Miguel Guhlin's blogs/wikis is his personal opinion and does not necessarily represent the views of his current employer(s) or its clients.
