BreachExchange mailing list archives
Maryland says confidential data must be encrypted. For 1.4 million students, it wasn’t.
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 17 Jul 2019 08:03:42 -0500
https://www.washingtonpost.com/local/md-politics/maryland-says-confidential-data-must-be-encrypted-for-14m-students-it-wasnt/2019/07/16/88f246e6-a7d8-11e9-86dd-d7f0e60391e9_story.html?utm_term=.795ed7857b09

“Sensitive, personally identifiable information” of more than 1.4 million students and more than 200,000 teachers was improperly stored by the Maryland State Department of Education, leaving them at risk of identity theft, according to a recent audit.

The review found that the department stored the names and Social Security numbers of students and teachers “in clear text,” even though Maryland’s information security policy calls for confidential data to be protected using encryption or other “substantial” mitigating controls. As of June 2018, the personal information did not appear to be adequately protected by data-loss prevention software.

“Appropriate information system security controls need to exist to ensure that this information is safeguarded and not improperly disclosed,” said the audit, which was published this month.

The report on deficiencies in the state network was released as governments and private entities are working to protect their computer networks and databases.

Maryland reported this month that hackers had gained access to the names and Social Security numbers of as many as 78,000 people from two older databases run by the state Labor Department. The information, accessed in April, belonged to people who received unemployment benefits in 2012 or sought general equivalency diplomas in 2009, 2010 or 2014.

The audit of the Education Department, released this month, found that the state did not have assurances that student data that was managed by third-party contractors was properly stored. The department also lacked a “complete information technology disaster recovery plan” or sufficient malware protection to provide “adequate assurance that its computers were properly protected,” according to the review.
The Office of Legislative Audits, which conducted the review from June 2014 to December 2017, identified 15 servers that were using an outdated operating system that had not been supported by the developer since 2015. “Updates have not been provided for this software to address newly discovered software vulnerabilities,” auditors wrote.

As of July 3, 2018, according to the audit, 249 of 483 computers in the department were using outdated software, including some that was last updated in 2010.

An Education Department spokeswoman could not immediately be reached for comment.

In a written response to the audit, State Superintendent of Schools Karen B. Salmon largely agreed with its findings. She told auditors that most of the recommendations dealing with the computer network and database would be implemented by the end of September.

The department plans to review its automated applications and identify those that contain personal information for students and teachers. It said it will determine what information needs to be retained and delete the rest.

Salmon said the Education Department’s information technology division, along with the state Department of Information Technology, will use an approved encryption method “or implement substantial mitigating controls” on systems that contain personal information.