http://www.ecmpostreview.com/2006/October/12nbstsufoha.html

By Patrick Tepoorten
10/12/06

The North Branch school district very recently discovered that a number of students were able to hack the personal identification numbers (PIN) of both staff and students, and have had access to meal and media center accounts, as well as protected media lab information, since last February.

Now, high school students responsible for the security breach have been suspended, others may be disciplined, and the district is scrambling to assign new PIN numbers for students and staff.

While the information the students had access to would be considered personal in nature, at no time did the students have access to protected private data like health records, grades, or financial information such as credit card numbers. That information is protected by separate systems that were in no way compromised by this breach of security, according to the district.

The theft of PIN numbers was discovered roughly a week ago by a computer lab manager doing routine file clean-up on a school computer. The employee noticed an unusual file that was determined to be a complete list of students and staff with corresponding PIN numbers. Further investigation led to the discovery that the information had been accessed in February of this year.

The file containing the PIN numbers was discovered by the students as part of a daily upload of information from the lunch room to a district online database where information is stored. The file containing the PIN numbers was then saved to a different location by the students.

It is not believed that the students in question qualify as computer-savvy students who went looking for this information. According to district media relations coordinator Sara Thompson, the information appears to have fallen into the students' laps.

Likely the primary reason the breach was not discovered sooner is that the students do not appear to have used the information for any purpose. There is no evidence that students used the PIN numbers to eat lunch or check out library books on another's account, or accessed anyone's media lab account, which serves as a network storage space for student assignments.

To address the situation, the district sent a letter on Oct. 11 to parents in the district. The letter makes parents aware of the situation and that they will be issued a new PIN number by Oct. 23. Until then the data will continue to be accessible using existing PIN numbers. In order to increase the level of security and eliminate the risk of repeating existing PINs, the district will issue five-digit PINs instead of four.

A flyer will be sent home with younger students as well, and the district is expected to address the situation in the Oct. 25 edition of School News, the weekly column published by the district in the Post Review. A second letter to parents will be sent later this month and is expected to include new PINs.

As well as new PINs, the district is addressing weaknesses in its own security that allowed the breach to occur.

While the most sensitive of district data was not compromised, the situation has caused a headache for staff. Thompson estimated the cost of making parents, students, and staff aware of the breach at approximately $3,000. The number of hours dedicated to investigating the breach, which included multiple staff members, has not been tallied but is considered to be much higher. Additionally, staff and students will have to learn new PIN numbers, which is expected to create short-lived problems, especially in cafeterias.

Due to policy, the district is not allowed to verify how many students were involved, when they were suspended, or for how long they were suspended.
It is known that more than one student has been suspended and that policy 506 calls for a suspension of no longer than 10 days. It is also known that a number of the students involved have had their computer privileges revoked for the remainder of the school year. The district has no plans to pursue criminal charges against any of the students involved.