Va. education department: Personal data of 100,000 students is missing
A flash drive containing personal information for about 100,000 former adult education students has been lost, and now the Virginia Department of Education is trying to notify all those affected.
The DOE is mailing letters to 77,577 former adult education students for whom the department has addresses.
Education department employees are also trying to notify another 25,693 former adult education students whose addresses are not known. They are asking that people who do not receive a letter, but who finished an adult education course between April 1, 2007, and June 30, 2009, or who passed a high school equivalency test between January 1, 2001, and June 30, 2009, call the department at 877-347-5224 for more information.
The flash drive, which contains names, social security numbers and other personal information for students, went missing after a Sept. 21 meeting at the state education department offices, according to department spokesman Charles Pyle.
The letters, which were mailed Monday, advise people of the loss and of steps they can take to protect themselves from identity theft.
The flash drive went missing after a meeting between representatives from Virginia Tech's Center for Assessment, Evaluation and Educational Programming and staff from the state's adult education office.
The state contracts with Tech's center for federally mandated research.
During that meeting, the flash drive was handed over by an employee of the adult education office to a representative of the center, according to Pyle.
"Contrary to department policy, the data on the flash drive were not encrypted," he said.
The Tech employee informed the adult education office Sept. 22 that the flash drive was lost and that efforts to find it were unsuccessful.
"Protecting the privacy of students is a solemn obligation, and the Virginia Department of Education has policies and secure systems to safeguard data and prevent the loss or misuse of personal information," Superintendent of Public Instruction Patricia I. Wright wrote in a news release today. "However, no policy or system is immune from human error."
Wright stressed that the department has no information to indicate that the device has been found or that any of the information on it has been accessed.
If you believe you are one of the students affected, contact staff writer Olympia Meola at (804) 649-6812.
Reader Reactions
Not only can encryption be done on laptops, but also on flash drives as I use it always so if the drive is lost no one else can gain access. This type of laziness and carelessness with critical information should be punished so that people will follow the rules and protect people's privacy.
Encryption software can be installed on laptops that render the data on them inaccessible to anyone but the owner/user and administrators of the network that they are configured to connect to. So if they are stolen, the thief only gets the physical laptop itself, which is bad enough, but not the contents of the hard disk. Placing sensitive, confidential data on removable media is entirely unacceptable!
Every day we hear about data being stolen from laptops, flash drives, CDs. No sensitive data should ever be on these devices. The data should be on secure servers accessible only to those authorized. Those responsible should immediately be fired.
All that personal data on a flash drive and this is Virginia's education department? Anybody that would do this needs to be terminated right away. You would think that the education department of Virginia would have better sense, but I guess not.
Her attempt [Dr. Wright] to excuse it as a human error is irresponsible, unconscionable, and indicative of her lack of understanding or focus on the critical need for information security.
Excellent point.
“Having been a certified information systems security professional when I retired, sensitive data should NEVER reside on unencrypted, easily portable flash drives. It should always reside on secure servers, connected by a secure network, to which only authorized persons can gain access and only for authorized purposes.”
Agreed. As an aside from the state level issue at hand - all too often you hear about executives losing personal or client information because their laptop was stolen. If data is kept as Question_Gvt has suggested on a secure server behind a firewall - the data is still accessible to the executive with their laptop via a VPN connection - then if the laptop is stolen, the worst the company is out is $1500 (or maybe less) for a new laptop.
I strongly urge everyone involved to initiate a class action suit against the DOE. The only way to stop these data breaches is to start making those responsible pay a heavy price for their failure to protect it. There must be strict accountability.
As a follow-up, please note that Dr. Wright, State Superintendent of Public Instruction, attributes the incident to “human error”. There was no error, but a clear, wanton disregard for information security including violation of State policy. Her attempt to excuse it as a human error is irresponsible, unconscionable, and indicative of her lack of understanding or focus on the critical need for information security.
From what little is reported, it certainly appears that information security policies and practices are weak, not effectively implemented, and they were completely disregarded in this case.
Having been a certified information systems security professional when I retired, sensitive data should NEVER reside on unencrypted, easily portable flash drives. It should always reside on secure servers, connected by a secure network, to which only authorized persons can gain access and only for authorized purposes.
Those responsible for the apparent breach of security and violation of security policy should be summarily terminated for cause.
The correct procedure would have been for those having authority and legitimate need to gain access to the data to do so by reading data from the secure server by means of a computer authorized for use on a secured network after the requesting user’s identity and authenticity had been established.
Yet another example of why it's a bad idea to trust third-party organizations with your personal data.