[BreachExchange] Mahtomedi Middle School student breaches district data

Destry Winant destry at riskbasedsecurity.com
Thu Dec 7 01:04:00 EST 2017 

http://www.presspubs.com/white_bear/news/article_6f7d6712-daa8-11e7-879a-9b732f23cd48.html

A Mahtomedi Middle School student breached student data earlier this
fall when a teacher was logged into a computer.

The student accessed 3,300 student ID numbers, 215 test scores, 11
individualized education plan (IEP) sheets and 18 other student
education plans, said Patrick Crothers, technology coordinator. The
breach extended beyond the middle school to students in all grades.
The student was not able to change any data. He showed the data to one
other student and is no longer in possession of the data.

Other student data, such as Social Security numbers, addresses and
grades were not breached, Crothers said. That data is not in the
district's internal system.

Student ID numbers are used at the middle school and high school to
log into the learning management system, Crothers said. Students have
changed their passwords. Student IDs are also used at the school
library and the district is still investigating the best way to
address that breach. Student IDs used to be used as passwords for the
district's network and Google apps but the district had students
change their passwords at the beginning of the school year.

The district began a review of its technological security, policies
and procedures with a consultant last spring, Crothers said. The
district is adding password protection for staff, he noted. The staff
has been warned to make sure their computers are locked when not
attending them.

“It has been a good educational experience for our staff to remember
exactly how much information they hold and how to secure their own
desktops in their own classrooms,” said Principal Mike Neubeck.

Students were reminded they have a responsibility to notify staff if
they know something is being used incorrectly, he added. The student
who breached the data was also reminded to use his computer talents in
a correct way.

“The student has a lot of knowledge regarding computers,” Neubeck
said. “We reminded him it is his responsibility to make sure he is
doing the right thing.”

Students who had information breached were notified by letter, said
Monica Davis, communications coordinator. The district is putting
together a complete investigation report, which is expected to be
completed by the end of December.

More information about the BreachExchange mailing list