A South Carolina School District's computer system was hacked and personal data including social security numbers of "hundreds" of district employees was STOLEN by the hackers who installed some "malicious software" on a computer in the employee benefits department. The incident was NOT discovered by the District staff, but by Federal investigators monitoring suspicious traffic on the internet.
Additionally, the SAME school district was found in 2006 to be selling many older student computers without wiping the hard drives clean, and buyers reported finding personal employee and student data on them. That problem resulted in the District being sued and settling out of court. (See the second article below.) THEN, see the THIRD article below that further discusses this recent event and says the IT department earlier used an internet student portal where a parent reported she could see student info of other students, and the portal was shut down for two weeks until security was "beefed up".
There are no details on how the "malicious" program was installed on a benefits department computer, but clearly either anti-virus software was not working, or an employee somehow installed the program, probably without knowing it. One way is a memory stick that picked up the malware elsewhere and then installed it when the stick was plugged into the computer. Or, the bad software may have been buried inside an email that was opened by an employee.
So, not only student data is at risk from poor IT security, but that of employees can also be stolen.
vj
==========================================
from
http://www.wspa.com/midatlantic/spa/news.apx.-content-articles-SPA-2007-12-20-0012.html
Greenville Co. School Employees' Personal Data Stolen
Thursday, Dec 20, 2007 - 05:50 PM Updated: 09:49 AM
A malicious computer program rips personal information from hundreds of Greenville County School District employees.
The district says the malicious software was designed to evade security and steal data from current and former employees. When the state employee insurance program was used the malicious program stole information including names, social security numbers and phone numbers.
The Greenville County School District was one of several government entities affected. People affected were sent a letter on December 14th. SLED and the US Secret Service are investigating.
Below is a copy of the letter sent to Greenville County School District employees:
Dear
Greenville County Schools was informed by the Chief Information Officer of the State of South Carolina (SC CIO) that the U.S. Department of Homeland Security has identified suspicious activity involving district data. Unknown to the School District or that employee, a malicious program had been electronically transmitted into a Benefits Department computer by an outside source. This malicious software was designed to evade security and steal data. An investigation has identified your personal information as part of the data theft.
Data theft occurs when a computer is compromised and this activity constitutes a criminal act. Data theft is commonly confused with Identity theft. Identity theft is the unauthorized use of personal identification information to commit fraud or other crimes. There is no indication at this time that an identity theft event has occurred.
Greenville County Schools is one of several government entities recently affected by the compromise of personal information reported to the SC CIO. Local law enforcement, the State Law Enforcement Division (SLED), and the US Secret Service are conducting an investigation.
State Employee Insurance Program (EIP) information is reviewed for verification and processing forms. When the Benefits Department computer was used to access state insurance information, the malicious software program captured your name, social security number, and telephone number.
We encourage you to take the following advice as presented in U.S. Department of Homeland Security publication for protecting your personal information:
1. Place a fraud alert on your credit bureau records and review your credit report for suspicious activity. Contact the toll-free fraud number of any of the three consumer reporting companies to place a fraud alert. The company you contact is required to contact the other two.
• Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA, 30374-0241
• Experian: 1-888-EXPERIAN (1-888-397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
• TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Once you place the fraud alert in your file, you are entitled to order free copies of your credit report, and, if you ask, only the last four digits of your SSN will appear on your credit report.
2. Be watchful. Carefully monitor personal information, bank statements, credit card statements, or any statements relating to recent financial transactions. If you notice unusual or suspicious activity or signs that your information is being misused, report it immediately to your financial institution, local law enforcement and the Federal Trade Commission (FTC) at www.ftc.gov.
3. You do not have to close your bank accounts or cancel your credit cards unless you find that your personal information has been used without your permission.
4. It is important that you take personal action and monitor your credit, because the information belongs to you. We do not have authorization to monitor your credit. If you identify a misuse of your information, immediately file a report with your financial institution, local law enforcement, FTC and contact our office at 355-1182. We will report the fraud to SLED and the US Secret Service.
5. Please refer to the enclosed “Questions and Answers” for more information.
We continue to work with state and federal law enforcement regarding this matter. You will be notified when additional information is available. If you have questions, please contact me at 355-1182.
Sincerely,
James S. McCutcheon
Director of Disbursement Services
--------------------------------------------------
Questions and Answers Regarding Data Theft Greenville County Schools December 14, 2007
How was the data compromised?
State Employee Insurance Program (EIP) information is reviewed for verification and processing forms by employees in our Benefits Department. The data theft occurred when a Benefits Department computer was used to access state insurance information.
What information was stolen?
The malicious software program allowed the theft of data that contained names, social security numbers, and telephone numbers of some district employees. It did NOT include credit card numbers or other personal financial information.
Do I need to take action now?
Yes. Please refer to items #1 – 4 in the letter enclosed with this Q & A sheet.
Why did this happen to me?
This is a random crime. We have no reason to believe that any specific individual was targeted.
How can the district prevent this from happening in the future?
New malicious software programs are constantly being written and implemented worldwide. The District’s Technology Department is continually upgrading our system with the most current antivirus software available to protect our school district. We monitor the development of new viruses and provide protection for our system as soon as new viruses are detected.
How did the U.S. Department of Homeland Security detect this incident?
The U.S. Department of Homeland Security continually monitors “.gov” internet traffic for possible criminal and terrorist activity. The Benefits Department accesses a “.gov” website to manage benefits information.
Have my State insurance benefits been affected?
No.
===============================================
Here is the report on the earlier screw up where the District sold used computers still containing personal data:
from: About.com Identity Theft section at:
http://idtheft.about.com/od/2006/p/Green_Breach.htm
Who Affected:
Affected in this data breach were approximately 100,000 past and present students and approximately 1,000 employees of the Greenville County School District in South Carolina.
Type of Information Compromised:
The personally identifiable information (PII) in this breach consisted of names, Social Security numbers, dates of birth, and addresses.
How the Breach Occurred:
This breach occurred because GCSD failed to remove sensitive data from computer systems prior to disposing of or selling them at auctions. Two area businessmen purchased several systems from GCSD at auctions between 1999 and March of 2006 and noticed that many still had data on them that should have been removed prior to the sale. They notified GCSD over a year ago, but GCSD ignored them and did nothing about it. The pair have now decided to go public. Apparently more systems were purchased that contained sensitive information such as names, Social Security numbers, dates of birth, and addresses.
Potential Impact:
As with any data breach the impact is not always understood immediately. A variety of factors, including whether or not the data itself was the target of the breach, weigh heavily on the type of impact a breach will likely have. In this particular case we know that the data was not targeted, but rather was breached incidental to the machines being purchased at an auction.
Even still, this type of information is sensitive and certainly can contribute to identity theft and other crimes of fraud. Add to the problem that no one really knows how many other people purchased systems from the school district at these auctions; you quickly understand that this breach must be taken seriously. Therefore, I rate the potential impact of this incident as MEDIUM.
How Greenville School District is Dealing with the Breach:
How an organization deals with a breach many times has a direct relationship to the impact to those affected. Let's take a look at some key areas.
• Discovery. This incident was reported to GCSD, yet they did nothing about it. Perhaps now that it is public, they will take safeguarding such information seriously. For Discovery Greenville County School District deserves an F.
• Reporting and Notification. The reporting and notification process didn’t originate from the School District but from two men who purchased computers with sensitive personal information of students. The school district itself would have never known if it wasn’t for the two men. And even more disturbing is that GCSD ignored warnings about the matter. For Reporting and Notification Greenville School District will receive an F.
• Information Dissemination. Most organizations will continually update a page on their website in an effort to keep the public and those affected informed. GCSD does provide some good information on their web site. However, they do not provide a number for people to call with questions nor is it clear if they have notified all affected. Therefore I give GCSD a C+ for Information Dissemination.
• Additional Assistance. Many times organizations will provide additional assistance to those that have been affected by the breach. They may offer identity theft seminars, free credit monitoring services, and more. It does not appear as though GCSD is offering any such assistance to those affected. Therefore, GCSD receives an F for Additional Assistance.
How the Data Breach Could Have Been Prevented:
Organizations that store or process Personal Identifiable Information (PII) have the responsibility to protect that information. As my colleague Brian Koerner often evangelizes--if they are going to collect it, then they must protect it! This problem should have been prevented by following simple best practices. Perhaps the surest method is the destruction of computer hard drives or devices that can store personal information. But in the event that the systems were to be sold, ensuring hard drives are properly cleansed with Department of Defense (DoD) compliant software is essential.
The school district says that in May of 2005 security procedures were in place to prevent this type of activity and the proper destruction of computer hard drives, yet it still occurred. It is unclear if the school district had the proper security precautions in place or they simply were not being followed. Regardless, the fact that they were warned about it yet it continued to happen is only testament that they are not taking protecting sensitive information seriously enough. Such personal information in the wrong hands can lead to identity theft and other crimes of fraud.
Article written by Identity Theft Guide Brian Koerner and Data Breach Guest Author -- Christian Mayoros, CISSP
=============================================
Follow up article on the Dec. 2007 theft of school district employee data in Greenville, South Carolina
from
http://greenvilleonline.com/apps/pbcs.dll/article?AID=/20071221/NEWS01/71221034/-1/rss
School district only confirmed victim of 'cyber attack'
Hundreds of Social Security numbers, other personal data were stolen
Published: Friday, December 21, 2007 - 7:14 pm
By Rudolph Bell
STAFF WRITER
[email protected]
Investigators are still at work, but so far it appears that the Greenville County school district was the only government entity affected by a cyber attack where hundreds of Social Security numbers and other personal data were stolen, a state official said today.
Michael Sponhour, spokesman for the State Budget and Control Board, said the "only confirmed government-owned computer infection is the Greenville County schools," although the computers of 16 private citizens may have been infected as well. The Budget and Control Board oversees the Division of the State Chief Information Officer, which reported the data theft to the county school system.
Sponhour’s statement contradicts those of the county school system, which maintains that other government agencies were also attacked, or at least targeted.
In a Dec. 14 letter to about 500 employees whose personal information was stolen, the school district said it was "one of several government entities recently affected by the compromise of personal information." In a statement Thursday, the school system said it "understood" numerous government agencies in South Carolina had been "targeted."
Today, Susan Clark, school district spokeswoman, said the district stands by its statement. She declined to comment beyond the statement and letter, and some questions about the data theft remained unanswered, including the exact time period when it occurred.
Spokespersons for the U.S. Secret Service and the South Carolina Law Enforcement Division in Columbia declined comment, except to confirm their agencies were investigating the matter. Jim Bryant, South Carolina’s chief information officer, referred questions to Sponhour. Clark and Sponhour said they didn’t know exactly when the cyber attack occurred.
In its statement Thursday, the school district said it had not realized that "a malicious program was electronically transmitted into a Benefits Department computer by an outside source. This malicious software was designed to evade security and steal data."
In the letter to employees, the school district said the malicious software captured names, Social Security numbers and telephone numbers when the Benefits Department computer was used to access information in the State Employee Insurance Program. Clark told The Greenville News on Thursday that about 500 school district employees were affected.
The school district also said -- and Sponhour confirmed -- that the data theft came to light when the U.S. Department of Homeland Security identified suspicious activity involving school district data and notified the state’s Chief Information Officer division, which in turn notified the school district.
The school district said in its letter to employees that the Department of Homeland Security continually monitors ".gov" Internet traffic for possible criminal and terrorist activity and that the school district’s Benefits Department accesses a ".gov" Web site to manage benefits information. A spokesperson for the Department of Homeland Security said he had no information about the incident today.
The school district said there was no evidence of identity theft, the unauthorized use of personal information to commit fraud.
The cyber attack is the latest in a series of incidents involving the unauthorized dispersion of personal information held by the school district.
• In May, a parent reported that she could view student information through the school district’s Parent Portal, an Internet gateway for parents to find information about their child’s progress in school. The school district closed the portal for about two weeks and said it beefed up data security before re-opening it.
• Two lawsuits were filed after local businessmen reported finding thousands of student and employee Social Security numbers on computer hard drives bought at school district auctions. The lawsuits were settled earlier this year.
====================================
Here is another report on the 2006 incident of selling computers with personal data on them, and some info on the lawsuits:
from Christopher Dawson's blog on ZDnet.com
http://education.zdnet.com/?p=701
December 11th, 2006
Sloppy school district auctions PCs with student data
Posted by ZDNet Editor @ 1:06 pm
In another example of how schools fail to take extra precautions to avoid security breaches, a Greenville, NC, school has auctioned off old school computers which contained the Social Security numbers of more than 59,000 Greenville County students, reports The Greenville News.
The school is in negotiation with the owners of a company called the WH Group who bought the used computers. "The issue is now with our legal counsel," district spokesman Oby Lyles said in an email to The Greenville News.
Sen. David Thomas, who is working on the negotiations, said an independent computer expert would document everything on the computer. "When they begin looking at what's in the computer, the computer expert will be there," he said.
The computer had a spreadsheet that contained the names, social-security numbers and addresses of students from an unspecified year. The file was zipped but required no special software or knowledge to open, Thomas said.
That information had been deleted but was easily retrieved using a standard undelete program, he said.
Thomas, an attorney, threatened a class-action lawsuit against the district over the issue, if the district doesn't send letters to all students warning them that their private information may have been compromised and take other measures to ensure no more security breaches occur.
"We're not trying to throw rocks at anybody," he said. "Just since there is a security breach, the victims of the breach, in this case the students, need to be specifically informed."