Data Breach Update
Parents of students whose personal information was stolen and posted for sale online are still looking for answers.
Flemming Paschal’s daughter is one of the students whose personal information is up for sale on a foreign website. Paschal said she’s been grilling school administrators about the need for schools to collect sensitive information for years.
“I guess I am sadly not surprised,” Paschal said. “It’s what I have said, FCPS is reactive and not proactive. And here’s proof of that now. I cannot be the only one who was concerned about protecting information.”
Paschal said FCPS should have been more proactive in protecting social security numbers, or not collecting them at all. This fall FCPS stopped asking for social security numbers, and have scrubbed their student records of the numbers, according to FCPS spokesman Michael Doerrer.
The Maryland State Department of Education began asking for student social security numbers in 2011, according to previous news reports. MSDE mandated that county schools were required to ask, but participation from parents was voluntary.
According to a story in the Sept. 6, 2011 edition of Westminster Patch, requesting the numbers was part of the federal “Race to the Top Initiative,” which tracks the numbers of students who go on to college, employment, military and training schools. Maryland received a four-year $250 million Race to the Top grant in 2010.
MSDE has not yet responded to the question of why it asked for student social security numbers.
Frederick County Public Schools promised letters to the 1,000 students whose names, dates of birth and social security numbers were stolen, but finding those students, most in their early 20’s now, is a challenge. FCPS enlisted Kroll to assist in locating the students. Kroll is a global cybersecurity company offering a variety of security related services, including assistance in dealing with a data breach.
From a recent Kroll webinar, “How to advise your clients, company and board after a major breach": “Getting to the truth of how the breach occurred is not an easy task. Failing to communicate that to your stakeholders and clients can prove far more disastrous.”
In the meantime, FCPS and MSDE appear pitted against each other about the source of the original leaks that reportedly happened in 2005-2006. A recently completed report on the leak could possibly explain how the state and county allowed potentially thousands of names to wind up for sale on a foreign server. But MSDE is not releasing the report, and has advised FCPS to keep it close, too, said FCPS Superintendent Theresa Alban.
MSDE denied The Frederick Extra’s public information act request for the report because it would “violate state law.” Specifically, the law that precludes the state from releasing a “public record that contains information about the security of an information system.”
The Frederick Extra is appealing that decision.
While FCPS attempts to assist those 1,000 affected by the leak, there’s a real fear that up to 20,000 names may have been stolen, both in and out of Frederick County. FCPS just posted a helpful page on its site to answer frequently asked questions about the investigation and what those affected can do to protect themselves: http://www.fcps.org/About-the-Data-Breach.cfm.
Doerrer said that “when it became apparent in September that the breach likely originated from MSDE, we reached out to them. We alerted MSDE because it contained a social security identifier code that was not an identifier for FCPS, but another one from another Maryland district.”
He does not know if FCPS contacted that district, he said, and would not give the name of the district.
MSDE responded in a statement earlier in the week that the results of the report are "inconclusive" as to where the breach originated, and said that FCPS' version of events ran "counter to the facts."
As for those affected and waiting for guidance, FCPS said in a Dec. 18 statement that students will receive credit monitoring, identity consultation and restoration services. The address collection is underway this week, and letters are going out, said Doerrer in an interview.
If FCPS will be offering just one year of monitoring, parent Kristen Kellan Michael isn’t impressed. “I don’t think one year is long enough,” she said.
Her twin boys, now 23, are just starting out in their adult lives and have this cloud over their heads. Young adults, Michael said, can’t recognize the magnitude of the impact identity theft could have on them, Michael said. “What some of these young adults need to hear is the potential things that could happen to them, not just their credit score,” she said.
“You think you are keeping everything safe when you lock it in a safe, like social security numbers and birth certificates,” Michael said. “And now it’s all out on the street anyway.”
For students and parents looking for guidance, author and cybersecurity expert Ken Buckler is offering his free online publication at http://www.kenbuckler.com
For parents of younger children, a Maryland law passed in 2013 allows you to freeze your child’s social security number. For more information, visit http://kidsafemaryland.org/for-parents/.
