Education Week recently published a story about a data breach at Mount Pleasant Independent School District in Texas in which private and personally identifying information about 915 employees of the school district, including their Social Security Numbers, was put at risk by an attack from computer hackers.
The story went like this:
- Mount Pleasant Independent School District is informed of its likely data breach by another school system, which had experienced something similar and found references to the Mount Pleasant district during its investigation.
- Mount Pleasant district technology director tests school system’s technology infrastructure and determines that hackers had retrieved district data, but not through district computer systems.
- Superintendent alerts district employees via email.
- School leaders work with the media to inform the public.
- District determines private employee information was likely taken by hackers through a third-party district vendor, possibly a health-care provider. Breach only affected former district employees.
- District cooperates with investigation by FBI and U.S. Department of Homeland Security officials.
- Even though the breach affected only former employees, the district provides all current employees with credit-monitoring services for one year, at a cost of about $36,000. (Such services were not offered to former employees, because they were too difficult to track down.)
- District technology director provides guidance to other Texas school systems on how to prevent and handle a data breach.
Voxitatis reported last year that there were four basic threats to the privacy of data stored online, including data about school records and possibly personally identifying information about minor students:
1. criminals, such as in the Target or Home Depot breaches
2. incompetent IT staff, such as in the University of Maryland breach
3. whistleblowers, as in Edward Snowden (see also #1)
4. educators who don’t appreciate computer security, ubiquitously
For schools, unless and until these people are eliminated from the path of any student data, the public should never warm up to allowing companies to store students’ personal data, such as test scores or how well Johnny is learning fractions or what types of dolls Susie plays with, on their computer systems or in their data warehouses.
It could be something as simple and innocent as an employee of the school district clicking on a phishing link that looks interesting. It could happen on social media, from a vendor’s website, or just about anywhere. There is no way for online data to be 100 percent safe from any of the four classes of data breach root causes identified above.
The only way to guarantee student or other private data won’t fall into the wrong hands is not to put it online. That is not possible, so education is the next best thing schools can do—education about the best ways to keep data secure and away from criminals, incompetent staff members, people who have a different agenda from that of the schools, and educators who are unaware of the evil lurking on the Internet.