District Data Breach Leads to Prison Time
By Dian Schaffhauser
A Washington State man has been sentenced to 10 years in prison after pleading guilty to 31 counts of criminal activity, most related to a school district data breach. Christopher Berge, now 21, was a student at Mountain View High School in Evergreen Public Schools when he "shoulder surfed"--physically observed--a password used by a district employee.
Berge later used the password to gain access to the district's student information system, hosted by the Washington School Information Processing Cooperative (WSIPC). From there, he was able to gain access to the payroll data of another district in the state, Vancouver Public Schools. That data included bank account information, Social Security numbers, and birthdates of 5,000 current and former school district employees, according to documents posted on the Vancouver district's Web site.
Berge attempted to use those details to alter bank account information, create checks, and request and use credit cards. He also attempted to change payroll information within the system but was unsuccessful in those efforts. Berge was arrested in November 2009, according to local newspaper coverage, after attempting to use one of the fake checks at a local store.
The Vancouver district put fraud prevention and resolution services in place for those affected. The cost of those measures--$62,000--was subsequently reimbursed by the cooperative. WSIPC provides IT services to 290 districts and schools in Washington.
The superintendent of the Vancouver district, Steve Webb, asserted in a letter to the community that the district also suffered "damage to our reputation with the public and our employees. Hundreds of hours were spent investigating the extent of the compromised data and developing the plans and procedures to protect staff from further exposure to fraud.... District staff also spent countless hours working with financial institutions, answering employee questions, and preparing internal and external communications. It is impossible to measure lost productivity as employees worried about their financial security and worked to change bank account and payroll information."
Dian Schaffhauser is a writer who covers technology and business for a number of publications.