Human Error Puts Identities in Virginia and Kentucky at Risk

Simple human blunders were at the heart of two data leaks--one in Virginia and the other Kentucky--in October.

The Virginia Department of Education sent out more than 77,000 letters in October to people whose personal data were stored on a flash drive that was lost in transit. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009. That included information on 77,577 former adult education students whose addresses were part of the data, as well as 25,693 former adult education students whose addresses were unknown to the department. The data consisted of names, birth dates, and, in many cases, Social Security numbers.

As explained in a letter from Superintendent of Public Instruction Patricia Wright to those whose information is at risk, the department was transferring the data via flash drive as part of a contract with Virginia Tech for research related to federal reporting requirements. Although the contract "includes a restricted-use data agreement and an affidavit of non-disclosure," Wright said, "no policy or system is immune from human error. Information stored on a flash drive was lost in Richmond in September 2009 after being given to a representative of Virginia Tech's Center for Assessment, Evaluation and Educational Programming for the purpose of conducting federally mandated research.

"We have no evidence that any of the information has been misused or that it is in the possession of any person as a result of this incident," the letter stated.

It suggested standard actions to mitigate the potential for identity theft:

  • To monitor account statements and credit reports for unusual activity;
  • To request a free credit report annually from each of the three major credit agencies;
  • To call the local police or sheriff's office and file a report of identity theft if suspicious activity is found on a credit report; and
  • To place a "fraud alert" on a credit file by contacting one of three major credit reporting agencies so that creditors will contact the individual before opening or changing an account.

Human error was also the cause of a smaller information breach in Shepherdsville, KY when a Bullitt County Public Schools employee accidentally sent an e-mail message to 1,829 school district staff members that included the names and Social Security numbers of 676 district employees. The employees were identified as not having completed the district's 2010 open-enrollment process for insurance, and the e-mail was intended as a reminder to complete the process.

Twelve minutes after sending the e-mail, the employee attempted to recall it. The recall process worked on 737 of the messages, according to the district. The IT organization removed 1,089 of the remaining messages from recipients' mail boxes. That left three messages remaining. Those recipients were contacted and instructed to delete the mail and to send verification of having done so. "Thus, all 1,829 electronic mail messages have been accounted for," the district stated in an explanatory document on its Web site.

However, the district said it will be sending individual notices to each individual to alert them about the potential for their personal information to be accessed. "The Bullitt County School System and Public Employee Health Insurance Program believe that they have taken immediate steps to mitigate any real or perceived damages to the affected Bullitt County School System employees," a letter to employees said. However, the district added, it "takes these types of situations very seriously and will do all that it can to ameliorate any negative ramifications from this occurrence, as well as prevent similar occurrences from happening in the future."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • blue AI cloud connected to circuit lines, a server stack, and a shield with a padlock icon

    Report: AI Security Controls Lag Behind Adoption of AI Cloud Services

    According to a recent report from cybersecurity firm Wiz, nearly nine out of 10 organizations are already using AI services in the cloud — but fewer than one in seven have implemented AI-specific security controls.

  • stacks of glowing digital documents with circuit patterns and data streams

    Mistral AI Intros Advanced AI-Powered OCR

    French AI startup Mistral AI has announced Mistral OCR, an advanced optical character recognition (OCR) API designed to convert printed and scanned documents into digital files with "unprecedented accuracy."

  • robot waving

    Copilot Updates Aim to Personalize AI

    Microsoft has introduced a range of updates to its Copilot platform, marking a new phase in its effort to deliver what it calls a "true AI companion" that adapts to individual users' needs, preferences and routines.

  • teenager interacts with a chatbot on a computer screen

    Character.AI Rolls Out New Parental Insights Feature Amid Safety Concerns

    Chatbot platform Character.AI has introduced a new Parental Insights feature aimed at giving parents a window into their children's activity on the platform. The feature allows users under 18 to share a weekly report of their chatbot interactions directly with a parent's e-mail address.