
Confidential Report on Data Breach Inconclusive


The student data breach revealed last month has pitted a local school system against the state’s education department as parents and former students still struggle for answers and solutions.

Frederick County Public Schools and the Maryland State Department of Education butted heads over where the breach originated. FCPS pointed at MSDE, and MSDE responded in a statement to The Frederick Extra that there is no conclusive evidence of that allegation.

At this point, FCPS is not sharing data with MSDE until administrators are convinced the data will be secure.

“The Board of Education is seeking confirmation from MSDE that its current data system is secure prior to approving any future transmittal of FCPS data to them,” said Michael Doerrer, spokesman for Frederick County Public Schools.

Despite MSDE’s position that it is not at fault for the data breach, a forensic analysis reveals prior vulnerabilities in MSDE’s cybersecurity, and documented unauthorized access hits and misses in 2005, 2011 and 2012. The analysis also uncovered evidence of malware that wasn’t completely eradicated by an antiviral program.

The forensic report from the Computer Emergency Response Team, part of the Multi-State Information and Sharing Analysis Center, began Oct. 19 and was completed on Nov. 22. The final report was released to the Maryland State Department of Education on Dec. 2.

The Frederick Extra obtained a copy of the report from an anonymous source after MSDE denied a public information act request for the report. MSDE, via spokesman William Reinhard, said MSDE is barred from disclosing such information under State law, specifically, “A custodian shall deny inspection of the part of a public record that contains information about the security of an information system.”

The Frederick Extra is appealing that decision.

The student breach was reported to the state’s Chief Information Security Officer Oliver Pandian on Sept. 14. The personal data stolen includes names, dates of birth and social security numbers for at least 1,000 former Frederick County Public School students. The information was found for sale online, apparently on a Russian platform, and was believed to be part of a data breach from 2005 – 2006. The 1,000 names are believed to be just a sample, and the number could be as high as 20,000, including students outside of Frederick County.

Schools stopped collecting social security numbers from students this fall, said Michael Doerrer, spokesman for FCPS. “Social security numbers have been expunged from our logs.”

The Frederick County student information was part of a series of file transfers, and appears to have occurred during an upload of information from a Frederick County workstation, dedicated to MSDE file sharing.

The link between the students whose personal information was leaked appears to be that they transferred in or out of Frederick County schools, according to the report. The information is uploaded from FCPS to MSDE, and is identified by a code, along with a county identifying code.

In a previous interview, Doerrer said that “when it became apparent in September that the breach likely originated from MSDE, we reached out to them. We alerted MSDE because it contained a social security identifier code that was not an identifier for FCPS, but another one from another Maryland district.”

He does not know if FCPS contacted that district, he said, and would not give the name of the district.

From the executive summary of the CERT report:

“CERT has reason to believe that credentials for this system [two MSDE servers] were leaked, likely from a partner system, and that data was subsequently exfiltrated by unauthorized users. However, this activity did not appear to begin until after the date of the disclosure which was originally reported,” the report reads.

On May 11, 2011, evidence of a virus was identified on an MSDE server. An anti-viral program only removed part of the malware, but the virus did not actively appear until after the breach.

Frederick County systems showed no sign of malware in the timeframes associated with the breach, according to CERT. In the executive summary of the 15-page report, investigators say they cannot know for certain if a breach occurred at FCPS.

“While compromise of the [Frederick County] workstation does not appear to have occurred, CERT is unable to state whether or not a breach of the Frederick County servers or email system may be responsible for the disclosure,” the report reads. Analysts said in the report that reviewing any available additional data would be “worthwhile.”

“The largest percentage of data referenced in the original disclosure was found in evidence provided by Frederick County. … However, CERT is unable to state whether or not servers or mailboxes … referenced … may have been accessed,” the report reads. [Edited to protect identifiable information.]

The report recommends that MSDE make several changes to protect information, including access upgrades, updating operations, applications and software, and ensuring systems are strengthened according to industry-standard guidelines.

FCPS Superintendent Terri Alban would not comment on the findings in the report, citing instructions from MSDE. “We received a message from the MSDE that if we should receive any FOIA requests for the report, the Attorney General's office said it was not to be released because it was investigative and includes personally identifiable information,” Alban said in an email.

Based on its own internal investigation, FCPS concluded that “it does not appear that it did originate at FCPS,” FCPS spokesman Doerrer said in an earlier interview. But because the breach occurred so long ago, he said, it’s not possible to pinpoint where and how it happened.

