As an information security professional, I always look for ways to be of assistance to others about the security and privacy of the data entrusted to them. This post is about exercising such an opportunity and in a small way, helping make a difference.
On July 29th, as I was following up on a story that flashed across my Twitter stream about 30 certified employees of a school district finding themselves victims of ID theft, I found something that should not have been there.
While looking for more information about the school district, I used a targeted Google search; it was a simple one, looking for pages containing the word 'certified.' While there were many search results, one in particular caught my eye: an Excel spreadsheet that appeared to contain Personally Identifiable Information (PII) including names, addresses, phone numbers, and
social security numbers . Worse, it had been indexed by a major search engine, which meant that its contents had been cached for easier viewing, even after the file would be removed.
I placed a called to the school district right away and left a voicemail for the CIO. Within 20 minutes someone from the office had called me back. I shared with them what I had found and advised on short-term steps they should take to mitigate the problem.
While it may be tempting to lay blame for failing to properly safeguard sensitive data, this is not the purpose of this blog post. Instead, I wanted to share with the information security community and students that we can make a difference, even outside of business hours. In this case, I helped the school district identify one data leak. Was that spreadsheet the one used by fraudsters? It is simply too early to tell; the investigation is ongoing.
If you see something that is out of place, or poses a potential security/privacy risk, tell someone. It could help prevent 30 more people from becoming victims of ID theft.Link: School District's Teachers Targeted In Identity Theft Scam | 4029tv.comLink: Fayetteville Public Schools :: Administration
