Data Breach in Tennessee Uncovered a Year after It Happened
- By Dian Schaffhauser
A school district in Tennessee found itself scrambling to communicate with the parents of several thousand students after one student discovered that a security incident had occurred nearly a year earlier, but had never been reported to the district.
In August 2007, according to the Williamson County Schools, assessment specialist Chris Nugent mistakenly uploaded personal student information from district databases to a personal website as part of work on a dissertation comparing student test results. Once placed on the website, the information wasn't labeled as student data nor was it accessible from any site menu. It consisted of the names, dates of birth, test data, and social security numbers for students who took a second grade state achievement test and those who took the ACT during the 2006-2007 school year--about 5,300 people. A second set of data on about 11,000 students included names, test data, and birth dates, but not SSNs.
Shortly after the posting, however, the information was discovered by the Liberty Coalition, a non-profit group advocating for privacy rights, which notified Nugent of the exposure of the information. He removed it immediately, pulled down the website, and notified search engines to clear their caches, a process that took about a month.
What he didn't do, however, was notify the district. Since there wasn't information tying the personal data to Williamson County Schools, the Liberty Coalition didn't know to inform the district.
On June 26, 2008 a student from the school discovered that personal data had been posted to Nugent's website through SSNBreach.org, a Liberty Coalition service that maintains a database of reported identity breaches. That student's parents notified the district administrators, who began to try to figure out whose personal data had been disclosed and where they lived.
By July 9, the district had begun contacting the parents of affected students and to develop a program for providing theft identity monitoring and fraud resolution services. Nugent, the employee, has resigned.
According to an FAQ, the district doesn't believe that the information was accessed by anybody other than the Liberty Coalition, but doesn't rule out that possibility. " We believe that this incident occurred due to an unfortunate error in judgment on the part of the district's employee," the FAQ states, "and there was no intent to disclose or to harm any children."
Get daily news from THE Journal's RSS News Feed
About the author: Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at email@example.com.
Proposals for articles and tips for news stories, as well as questions and comments about this publication, should be submitted to David Nagel, executive editor, at firstname.lastname@example.org.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at email@example.com or on Twitter @schaffhauser.