Tag Archive for Data breach

School Kids’ Data at Risk – Part 2

In the Huffington Post article “In Push For Data, Schools Expose Students To Identity Theft,” author Gerry Smith writes about the growing risk of school kids’ data being stolen across the country.

Read Part One here:

Elizabeth Laird, of the Data Quality Campaign, an organization that encourages states to build student databases, argues that students’ Social Security numbers are useful for education policy because they create “enhanced analytical opportunities” for evaluating school curriculum. “The more important conversation is not whether states are collecting Social Security numbers, but how they are ensuring the privacy, security, and confidentiality of all personally identifiable information,” Laird said in a statement to the Huff Post. “We can’t speak to how Social Security numbers are collected and stored at the local level,” she added.

The article cites one survey that concludes student PII is not stored very securely. Only half of K-12 schools use data encryption, according to a survey of IT employees at K-12 schools nationwide. 72% cited budget constraints as the primary barrier to improving their IT security, according to the survey by Panda Security (PDF). Collecting PII in central databases with lackluster security is asking for trouble. “This is making a much bigger honey pot for people with malevolent purposes to gain access to children’s information,” said Joel Reidenberg, a professor at Fordham University School of Law. He told The ID Channel, “It’s a meltdown waiting to happen.”

School districts in 26 states now ask for students’ Social Security numbers. The Michigan Department of Education states (PDF), “A school district cannot mandate that parents disclose the social security number of their children.” Huff Post states that Texas is one of those states where education officials use PII to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.

Last year, the Texas agency asked eight school districts to send PII, including Social Security numbers, through the mail on unencrypted CDs for research purposes. The article reports that Laredo Independent School District learned the CD it sent got lost in the mail, exposing nearly 25,000 current and former high school students to identity theft, according to the Texas Tribune. Ratcliffe told The Huffington Post that the request came from an agency employee who operated “way outside” normal protocol.

It was not the only school data breach in Texas.

Still, the Texas Education Agency has no plans to stop asking school districts for students’ Social Security numbers, Ratcliffe told the author. “We have so many databases that use them that it would require quite a bit of change to make that happen,” she said.

Yet concerns over child identity theft have prompted at least five states (Nebraska, North Dakota, Washington, Maine and Wyoming) to create policies that restrict the collection and use of Social Security numbers in K-12 schools.

Jerry Coleman, director of school finance at the North Dakota Department of Public Instruction, said in an interview, “To protect those Social Security numbers would be a hassle we don’t need.”

Parents can refuse to disclose their child’s Social Security number, and the student would be assigned a different identifying number. Ratcliffe, of the Texas Education Agency, said most parents disclose their child’s number anyway.

But privacy experts say, in most cases, parents should keep that information to themselves. “When someone asks for your child’s Social Security number, say no,” said Aaron Titus, chief privacy officer for Identity Finder, which helps organizations protect sensitive data. “I have found about 90 percent of the time, when I push back a little bit, I get my way.”

Data breaches leave people six times more likely to become victims of identity theft, according to a survey by Javelin Research. Schools warn parents to monitor their children’s credit after a data breach. The Huff Post says credit reports only turn up 1 percent of fraud on children’s credit histories because thieves pair children’s Social Security numbers with new names and birth dates, a study by Debix found.

More than 18,000 child identity theft complaints were reported to the Federal Trade Commission. But experts tell Huff Post that figures on child identity theft are likely much higher because the crime often goes undetected for years. ID Analytics estimates more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm’s identity protection service. When child identity theft victims turn 18, they find their credit has been destroyed, preventing them from taking out loans or renting apartments.

rb-

Consumers Union points out that Michigan law restricts how Social Security numbers can be used. In Michigan, SSNs cannot be printed on ID cards, intentionally communicated to the public and/or publicly displayed, or mailed within an envelope.


School Kids’ Data at Risk

In the Huffington Post article “In Push For Data, Schools Expose Students To Identity Theft,” author Gerry Smith writes about the growing risk of school kids’ data being stolen across the country. Data thieves want this information to commit identity theft. The author cites several recent cases:

The article says these incidents highlight school kids’ growing vulnerability to identity theft. Across the country, schools have become conduits for children’s pristine Social Security numbers, which are increasingly falling into the hands of credit-hungry identity thieves. The frequent data breaches have prompted calls for schools to stop collecting sensitive student data and have angered parents like Art Staehling, whose 14-year-old daughter was among 18,000 Nashville students who had their Social Security numbers accidentally exposed online for three months in 2009.

“They left the gate wide open,” Staehling told The Huffington Post. “It’s clumsiness. There’s no excuse for it. If schools want that information, there should be some sort of penalty paid if they don’t guard it with their lives. I haven’t found a reason why they honestly need it.”

Schools collect students’ Social Security numbers as part of a campaign to more precisely track their progress. But privacy experts told Huff Post there are less risky ways to identify students, accusing schools of needlessly exposing children to identity theft by gathering their Social Security numbers in central databases with lackluster security.

The push for collecting student data began under the federal No Child Left Behind Act. Financial incentives in the 2009 stimulus package, including Race to the Top’s $250 million in competitive grants, drove schools to collect students’ Social Security numbers, according to Reidenberg.

The U.S. Department of Education has warned schools not to use students’ Social Security numbers in their databases. The Huff Post says the Feds urge schools to create other unique identifiers. Social Security numbers are “the single most misused piece of information by criminals perpetrating identity thefts,” according to a technical brief issued last fall by the National Center for Education Statistics.

Despite the warnings, the collection and use of students’ Social Security numbers in K-12 schools remains “widespread.” An audit last year by Patrick O’Carroll, the Social Security Administration’s inspector general, found students’ Social Security numbers printed on transcripts, tests and athletic education forms. According to the article, the audit concluded that schools were using the numbers “as a matter of convenience.” O’Carroll found there have been at least 40 data breaches of confidential student information at K-12 schools since 2005.

“We believe the unnecessary collection and use of Social Security numbers is a significant vulnerability for this young population,” O’Carroll wrote. “Each time a student provides his or her Social Security number, the potential for a dishonest individual to unlawfully gain access to, and misuse, the number increases.”

Read Part 2 here:

rb-

Consumers Union points out that Michigan law restricts how Social Security numbers can be used. In Michigan, SSNs cannot be printed on ID cards, intentionally communicated to the public and/or publicly displayed, or mailed within an envelope.


Mommy Hacker

Time Magazine reports that a Pennsylvania woman faces six felony charges for hacking the computer system at her kids’ schools. Catherine Venusto, 45, hacked into the Northwestern Lehigh School District computer system and altered the grades of her two children, ABC News reports. Venusto had worked at the district as an administrative office secretary from 2008 through April 2011. A year before she quit, Venusto, of New Tripoli, PA, had been accused of changing her daughter’s failing grade to a medical exception. And in February 2012, she was accused of changing her son’s 98 to a 99.

Ms. Venusto was arraigned on three counts of unlawful use of a computer and three counts of computer trespassing and altering data. All six of those charges are third-degree felonies. Pennsylvania State Police say Venusto admitted changing the grades, saying she thought her actions were unethical but not illegal.

“I’m concerned on numerous levels,” said Jennifer Holman, Northwestern Lehigh School District’s assistant superintendent. “When we say systems, there were three different systems violated…There were 10 different users that at some point had their email violated.”

Assistant superintendent Holman told ABCNews.com that she first realized something was wrong when a teacher asked why superintendent Mary Ann Wright was in that teacher’s online grade book. Once Wright explained she was never in the grade book, administrators and state police began looking for whoever used Wright’s username and password without permission.

Pennsylvania State Police discovered Venusto used Wright’s username and password 110 times to access the district’s online grading system, according to the District Attorney’s office. Venusto also allegedly accessed nine other faculty members’ email accounts without permission, and accessed the human resources “H-drive” to view “thousands of files associated with district policy, contract information, employee reports and personnel issues.”
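The pattern the investigators found (one set of credentials touching many other users’ grade books and mailboxes) is the kind of thing an audit-log review can surface long before a teacher happens to notice. As an added example, not code from the article or the district, the following Python check runs over a constructed log in a hypothetical format and flags any account that reads or edits data owned by more than a handful of other users:

```python
# Added example (not from the article or the district): flag a single login
# account that reads or edits data belonging to many *other* users, the
# pattern the investigators found (one account, many grade books and mailboxes).
from collections import defaultdict

# Constructed audit trail; account names and the line format are hypothetical.
# Each line: <ISO time> <login_account> <action> <owner_of_resource>
SAMPLE_LOG = """\
2012-02-10T07:55:02 supt login supt
2012-02-10T07:55:40 supt gradebook.read teacher01
2012-02-10T07:58:11 supt gradebook.write teacher01
2012-02-10T08:03:27 supt mailbox.read teacher02
2012-02-10T08:05:09 supt mailbox.read teacher03
2012-02-10T08:07:44 supt mailbox.read teacher04
2012-02-10T08:09:10 supt hrshare.read hr
2012-02-10T09:12:00 teacher01 login teacher01
2012-02-10T09:12:31 teacher01 gradebook.write teacher01
2012-02-10T09:40:05 teacher02 mailbox.read teacher02
bad line that a real tool should report
"""


def parse_log(text):
    """Return (time, account, action, owner) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed; keep parsing instead of crashing the check
        events.append(tuple(parts))
    return events


def cross_user_access(events):
    """Map each account to the set of other users whose data it touched."""
    touched = defaultdict(set)
    for _time, account, action, owner in events:
        if action != "login" and owner != account:
            touched[account].add(owner)
    return touched


def flag_accounts(events, max_other_users=2):
    """Accounts touching more than max_other_users distinct other users' data.

    The threshold is an assumption: tune it per role (a registrar legitimately
    edits many grade books; a superintendent rarely reads staff mailboxes).
    """
    touched = cross_user_access(events)
    return sorted(a for a, owners in touched.items() if len(owners) > max_other_users)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for account in flag_accounts(events):
        print(account, "touched", sorted(cross_user_access(events)[account]))
```

Run daily against real grade-book and mail audit logs, a hit on a senior account is a prompt to confirm with the account owner, which is exactly the question that exposed this case.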

Superintendent Wright released a statement on Wednesday in anticipation of Venusto’s arraignment.

“We deeply regret this incident and that this unauthorized access occurred, and we sincerely regret any inconvenience this may cause,” Wright wrote. “We are doing everything we can to prevent this from happening again, and new security procedures are in place to better assure that our systems are protected from such attempts.”

The court set bail at $30,000, but Venusto will not have to pay it unless she does not appear in court for her preliminary hearing. Venusto could face a maximum of 42 years in prison or a $90,000 fine, according to District Attorney’s office spokeswoman Debbie Garlicki, who said the maximum penalty on each count is seven years or a $15,000 fine.

rb-

The mommy hacker’s defense is “I thought it was immoral but not illegal.” I will mention in passing the declining parenting standards, which are creating a narcissistic and self-absorbed generation that has no conscience of what is right and wrong.

The administration and IT department both bear blame for this intrusion. Some easy-to-implement best practices could have shut the mommy hacker down quicker. They should have required regular password changes. They could have broken the bank and installed an intrusion protection system. Those of us who work in K-12 understand that security is only important after an incident.


Cyber Insurance

John Moccia with Innovation Guard wrote a good primer on what happens when a firm needs to buy cyber insurance in a thread at Internet Evolution. The author writes that loss control and security precautions are built in to the process of acquiring cyber insurance. There are firms like NetDiligence that partner with insurers. Apparently when you buy a cyber insurance policy, the coverage is contingent upon a successful security audit performed by NetDiligence (penetration testing, ethical hack, etc.).

The article goes on to state that when a company outsources its technologies, such as with a co-hosting facility where its actual servers reside, the insurer will seek information on the colo firm’s security protocols, protection and redundancy. In the end, those companies with better procedures and protections in place will get better rates; those with worse or no security will get higher rates, or not be afforded coverage at all.

There are first- and third-party implications to cyber insurance according to Mr. Moccia. First party = your losses, such as the cost to notify the thousands or tens of thousands of people whose info has been compromised. Third party = losses of others where they would seek restitution from you, such as a class action claim for failure to secure confidential data (defense costs, settlements, etc.). This whole area is still evolving. Some insurers offer just third-party coverage, others offer both. They have different approaches to the way they offer the coverages, too. For example, while one insurer may offer you up to $250K for breach notification costs, another provides coverage for up to 2 million affected people with no specific dollar amount.

Coverage can be incorporated on some insurers’ policies to address the acts of “rogue” employees and insiders.

The author points out that the insurance industry is a very old industry. It is also one that is slow to adapt its ways of doing business. Insurers package their policies the way they want to sell them, as opposed to the way people and businesses want to buy them. For example, the types of claims that we are discussing here are relevant and likely for any kind of company today. General liability claims are very uncommon and unlikely (at least for vanilla office-based companies, like tech businesses and professional service companies), and traditional business interruption coverage doesn’t address these cyber issues. Yet these coverages are part of the standard policy that all businesses carry. In order to get the total protection that a business needs, it has to buy several policies, usually from multiple insurers. The first progressive insurer that is willing to incorporate coverage for these modern exposures (even if they just dip their toe in the water and offer $10K or some other nominal amount!) as part of its standard commercial policy will have a huge advantage on the rest of the market.

rb-

I’m sure that many SMB organizations have holes in the coverages when it comes to their cyber insurance, and I really doubt that they can pass the security audit. Many of the organizations I deal with have very low security postures; conversations about password policies, document retention and user account life-cycle are a big deal, even when my counterpart has come from industry to education.

Got Cyber Insurance?

Network World says that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible.

The ruling that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro (IM) had purchased from American Guarantee.

“After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

The resulting complexity is a major source of push-back by potential buyers, according to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection. “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Mr. Ponemon told Network World. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.

Types of cyber coverage now available include:

  • Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and credit restoration services for the victims, and other crisis management services, Ken Goldstein, vice president at the Chubb Group, an insurance vendor, told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts,” he says.
  • Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.
  • Cyber extortion coverage: For cases where a hacker steals data from the policy holder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Goldstein says.
  • Virus liability: Pays in cases where the policy holder is sued by someone who claims to have gotten a virus from the policy holder’s system.
  • Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policy holder. Such coverage should also cover copyright claims and domain name disputes, Haase says.
  • Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.
  • Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.
  • Errors and omissions coverage: Otherwise known as E&O policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

rb-

It seems that interest is growing in cyber insurance. I wrote about cyber insurance here.
