Student data stolen from FCPS
Student data about Frederick County Public School students, including name, date of birth, and social security number, was discovered on a foreign server several months ago, according to multiple sources.
Personal data from more than 1,000 students was discovered on foreign servers. That type of information is commonly sold. Buying children’s personal data is becoming more popular as the theft may not be uncovered for several years.
The data breach is believed to have occurred between 2004 and 2006, according to sources, and was discovered several months ago. FCPS, per state law, is obligated to notify those students and will be sending letters to those involved, according to sources.
FCPS computer security came under fire in a state audit report released in April 2015. The audit, conducted by the state’s Department of Legislative Services, began in 2014 and reviewed financial management practices, and included several recommendations to tighten its cyber security, including access, account and password controls over “critical applications, servers and a database.”
The audit report stated that “FCPS provided over 11,000 active user accounts unnecessary, read and modification access to clear text (that is, unencrypted) files maintained on a web server that contained sensitive personal information (for example names and social security numbers) of numerous individuals. This sensitive personal information is commonly sought for use in identity theft and therefore should be protected by appropriate information system security controls. A similar condition was commented upon in our preceding audit report regarding unnecessary or inappropriate access privileges and capabilities.”
FCPS’s director of technology Derek Root told Board of Education members at its Apr. 22, 2015 meeting that he took exception to the wording of the audit. “This is what happens when you have CPAs doing a technical audit. They don’t fully understand technology,” Root said.
Board member Colleen Cusimano, who works in information technology, fired back at Root that the auditors were “senior level” with backgrounds in information technology.
Root said at the 2015 meeting that many of the issues in the audit stemmed from an outdated software system, and could be, or had been, easily resolved.
But Cusimano was not convinced. “The most troubling thing is that I went through a lot of state reports, and nobody else in the state says that 11,000 users without access can find personally identifying information. I am seeking to feel some confidence about what that risk was and that we have addressed it,” she said at the 2015 meeting.
Root left FCPS in July 2016 and is now Chief Technology Officer at Washington County Public Schools.
Look for updates as this story as details continue to emerge.
