14 DAY TRIAL // More than 10,000 former workers and students of the Park Hill School District have been notified by officials that private information about them has been exposed to unauthorized persons.
Unlike most data breach incidents, this one did not involve bypassing the security of the systems storing the information. The personal details of more than 10,000 individuals were accessible online, by anyone, possibly because of the carelessness of a former employee.
According to district officials, a former employee took the data on a removable storage device before leaving the district.
The exact duration of the data exposure is unknown, but officials say that the incident happened between the months of February and April; this time interval is more than sufficient for someone with bad intentions to integrate the details into a database in order to use it at least in spam campaigns if not for more targeted attacks.
It seems that the officials were alerted by a district resident that notified them on April 1, and probably it took a while to shake off the April’s Fools feeling and realize the magnitude of the incident.
As soon as they caught news of the data leak, the Park Hill School District officials started an internal investigation to determine the individuals that could have been affected. They worked with digital forensics experts and analyzed more than 13,000 documents on the hard drive of the former employee's computer. The document review procedure was carried out manually.
If the information did not fall into the hands of cybercriminals by now, there are slim chances that it would because the former employee, the FBI, and Google collaborated to identify the details and prevent easy access to them. However, the risk that someone already grabbed it is still present.
On the bright side, the district officials have announced that there is no evidence that the information has been misused in any ways.
"While the district has no evidence of information theft or misuse, this week Park Hill sent letters to all individuals who might have been affected as a precaution. Those letters informed each person of the information about them in the documents and offered free identity monitoring services to help protect them from fraud," reads a news release from the district, cited by KMBC.com.
Incidents like this are not rare, and many educational organizations fail to secure access to sensitive information or to install monitoring utilities that would be able to log or alert system administrators of various actions regarding the personal details, such as file access or copying operations.