BreachExchange mailing list archives

Florida Department of Education Warns Teacher Preparation Participants of Error in Data Safety


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 24 Jun 2013 10:30:30 -0500

http://www.wctv.tv/news/floridanews/headlines/Florida-Department-of-Education-Warns-Teacher-Preparation-Participants-of-Error-in-Data-Safety--212633711.html

Tallahassee,
Fla., June 21, 2013 – Personal information of teacher preparation
program participants was exposed on the Internet during a transfer of
data between servers housed at Florida State University, the entity
performing work under contract with the Florida Department of
Education.

During the transfer in late May, FSU’s Florida Center for Interactive
Media moved the data to a new server, but failed to enact security
measures to restrict access to only authorized individuals.

For a period of 14 days, personal information of about 47,000
preparation program participants was publicly accessible. DOE was
made aware of the failure to properly secure the data on June 11 and
immediately worked with university officials to close the access,
clear all cached data files, and run security checks to ensure the
information was only accessible by authorized users.

An initial investigation indicates the personal information may have
been accessed 23 times via Google, which may have included
unauthorized access. There is no indication the data has been used
inappropriately. The university and the department are notifying
through all possible means any individuals whose information may have
been exposed.

“This is unacceptable. All Floridians deserve our unceasing protection
of their personal information and must have confidence that it will
never be exposed for the potential of illegal use,” said Commissioner
of Education Tony Bennett. “I have ordered a top to bottom review of
the security of every database and our staff is expediting the
transfer of all confidential information into servers directly
monitored and secured by the department.”

“The university takes the protection of personal information very
seriously and took immediate action to remedy the situation,” said Liz
Maryanski, FSU’s vice president for university relations. “We are
working closely with the Department of Education to notify those
affected and will continue to assist.”

In addition to contacting those that may have been affected, the
department will have staff available Monday to assist anyone who may
have been impacted. That number is 866-507-1109 and will be in
operation Monday afternoon. The cost of ID protection will be provided
for those affected.

While the incident is being investigated, program participants who
suspect their Social Security number or other personal information may
have been misused or that they may be the victim of identity theft
should contact the Federal Trade Commission at www.ftc.gov/idtheft or
call 1-877-ID-THEFT (1-888-438-4338). Affected persons may also call
their local sheriff's office and file a police report of identity
theft, keeping a copy of the police report.

To protect themselves from the possibility of identity theft,
individuals are encouraged to place a free fraud alert on their credit
files. A fraud alert notifies creditors to contact individuals before
opening new accounts in their name. Call any one of the three major
credit reporting agencies at the numbers below to place a fraud alert
and receive letters from the agencies with instructions on how to
receive a free copy of their credit report.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss
