[BreachExchange] Maryland says confidential data must be encrypted. For 1.4 million students, it wasn’t.

Destry Winant destry at riskbasedsecurity.com
Wed Jul 17 09:03:42 EDT 2019


https://www.washingtonpost.com/local/md-politics/maryland-says-confidential-data-must-be-encrypted-for-14m-students-it-wasnt/2019/07/16/88f246e6-a7d8-11e9-86dd-d7f0e60391e9_story.html?utm_term=.795ed7857b09

“Sensitive, personally identifiable information” of more than 1.4
million students and more than 200,000 teachers was improperly stored
by the Maryland State Department of Education, leaving them at risk of
identity theft, according to a recent audit.

The review found that the department stored the names and Social
Security numbers of students and teachers “in clear text,” even though
Maryland’s information security policy calls for confidential data to
be protected using encryption or other “substantial” mitigating
controls.

As of June 2018, the personal information did not appear to be
adequately protected by data-loss prevention software.

“Appropriate information system security controls need to exist to
ensure that this information is safeguarded and not improperly
disclosed,” said the audit, which was published this month.

The report on deficiencies in the state network was released as
governments and private entities are working to protect their computer
networks and databases. Maryland reported this month that hackers had
gained access to the names and Social Security numbers of as many as
78,000 people from two older databases run by the state Labor
Department. The information, accessed in April, belonged to people who
received unemployment benefits in 2012 or sought general equivalency
diplomas in 2009, 2010 or 2014.

The audit of the Education Department, released this month, found that
the state did not have assurances that student data that was managed
by third-party contractors was properly stored. The department also
lacked a “complete information technology disaster recovery plan” or
sufficient malware protection to provide “adequate assurance that its
computers were properly protected,” according to the review.

The Office of Legislative Audits, which conducted the review from June
2014 to December 2017, identified 15 servers that were using an
outdated operating system that had not been supported by the developer
since 2015.

“Updates have not been provided for this software to address newly
discovered software vulnerabilities,” auditors wrote.

As of July 3, 2018, according to the audit, 249 of 483 computers in
the department were using outdated software, including some that was
last updated in 2010.

An Education Department spokeswoman could not immediately be reached
for comment.

In a written response to the audit, State Superintendent of Schools
Karen B. Salmon largely agreed with its findings. She told auditors
that most of the recommendations dealing with the computer network and
database would be implemented by the end of September.

The department plans to review its automated applications and identify
those that contain personal information for students and teachers. It
said it will determine what information needs to be retained and
delete the rest.

Salmon said the Education Department’s information technology
division, along with the state Department of Information Technology,
will use an approved encryption method “or implement substantial
mitigating controls” on systems that contain personal information.

