Sunday, December 3, 2017

Oops. Another 39 #Txed Schools Suffer Data Breach #cybersecurity

Do you have kids enrolled in a school district? It wouldn't hurt to ask that district, "How are you safeguarding my child's personally identifiable information (PII)?" A good follow-up would be, "How are you requiring third-party solution providers to protect my child's information?"
Note that the Security Notice about a Data Breach affecting THIRTY-NINE school districts appears in the "What's New?" section. Not exactly the best way to publicize the information, right?


The information should be in a school or district policy and procedure. Why? A great variety of data breaches happen every day. Some involve the school or district due to a mistake (e.g. "We sent someone we thought was the IRS our staff records. Oops." or perhaps "We published decrypted student PII on one of our web servers by accident. Oops.").
Image Source: Available online 12/4/2017


Texas Data Breach Affects THIRTY-NINE DISTRICTS
Officials say a Texas Department of Agriculture employee’s computer was attacked through malicious ransomware on Oct. 26, with the attack affecting more than 700 students. Personal information that may have been exposed includes names, Social Security numbers, home addresses, birth dates and personal phone numbers.
The Texas Department of Agriculture oversees school breakfast and lunch programs, which is why school districts were affected. (Source)
The Texas Department of Agriculture notified the following 39 districts:


"There’s not any evidence that we have that the information that might have been compromised was ever misused," they had the nerve to proclaim. Really?




Texas Dept of Ag's Incomplete Recommendations
Of course, in light of this, they recommend these actions to the students AND staff of the NINE school districts, again putting the burden of protection on the individuals rather than taking it on themselves. We need a better system:
  • Contact three major credit bureaus and 
  • Activate a fraud alert for the ransomware attack
My Recommendations for Next Steps to the Nine Affected Districts
Here are the steps (in order) I recommend staff and parents of students take immediately to mitigate the identity theft that is sure to follow.
  1. Set up an encrypted email account (e.g. ProtonMail) for financial accounts. Don't just use your Yahoo/Gmail account. Keep that for common use, but rely on your encrypted account for financial transactions.
  2. Create an online Social Security account. Create the account before the bad guys do.
  3. Freeze your credit reports to prevent new accounts from being opened. A freeze stops others from opening accounts in your name (or your child's name) unless they have the special PIN. These approaches aren't foolproof, but they do help. Credit freeze sites:
    1. Equifax Credit Freeze Site
    2. TransUnion ($10)
    3. Experian ($10)
  4. Sign up for an Identity Theft Alert: fill out this form to notify the credit agencies of potential identity theft.
  5. Check your credit frequently. Annual Credit Reports provides a free service, but you may need to pay to get that more often.
  6. Switch from debit cards to protected credit cards. Make a decision to NOT use your debit card or write checks with your routing and account numbers printed on them.
  7. File your tax return early. If you don't, they will.
  8. Get alerts via your bank mobile app for all transactions. I love knowing when funds come out of my bank account. Even if it's my wife buying me a gift for my birthday.
  9. Add a password or PIN to all bank account transactions. It takes only a moment to set up, and it makes it harder for others to access your accounts. And, of course, change them.
  10. Get more than one form of ID, such as passport, passport card, and driver's license. You never know when you will have to prove you are who you say you are.
  11. Set up two-factor authentication (view overview) for all email, cloud storage, and other digital accounts. Use strong passwords. You can use a free password manager (e.g. KeePass) or pay for one.
  12. Get anti-ransomware software for your computer.
  13. Use a Virtual Private Network (VPN) when working on public networks with your computer or phone. My favorite VPN for computers, including Chromebooks, is Private Internet Access ($40 annually). For mobile phones, you can use a free Opera VPN.
And, don't forget you need to protect your mobile phone. Read this fantastic article from Harvard Business Review.

Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure
