Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« Does Using "Certified" Software Products Improve Compliance? | Main | Many New U.S. State and Federal Privacy Bills Introduced, and Some New State Data Protection Laws Signed »

The Need to Build Security In: Poor Implementation of Indianapolis Public Schools Website Allows Viewing of PII For 7000+ Students and Teachers

Today Monsters and Critics reported, "Indianapolis Public Schools exposes thousands to risk of identity theft."

Apparently the Indianapolis Public Schools (IPS) website "that allows teachers to post reviews, student-writing samples, grades, and other confidential material to the IPS network" was implemented and configured without much attention to security.

"“On May 16 IPS was approached by the Indianapolis Star and told that it is possible to access confidential information kept in IPS Online, including Social Security numbers, by using the Google search engine. The content at risk was uploaded to the My Content and My Files areas,” said the school system in a press release. After the reporter from the Star News informed IPS of the exposure, the school system moved to correct the issue and fix the leak."

Google still had copies of many of the PII records in its cache.

Yes, once information is available on the Internet it will pretty much live on infinitely with all the search engine caching and mirrored sites that exist, much to the delight of the criminals, fraudsters and ne'er-do-wells that enjoy using it for their own vices and money-making activities.

"Many of the exposed teachers and parents of the students expressed privacy concerns. The information currently cached gives way to the possible situation that it was downloaded before the reporter located the flaw. This places students at risk for identity theft and could make them vulnerable to various types of predators. There is also the chance that the district could face a state or federal inquiry if parents file complaints. IPS could also face lawsuits if any of the information was misused. That would cause more financial havoc on the already poorly funded public school system."

This points out some of the many negative impacts to organizations for a privacy breach.

One more example to add to your files for why it is a necessity to building information security and privacy into every application and system, from project envisioning and at every step through to retirement.

I've talked about this many times before, and cover this in a 2-day seminar which I will be giving next in June, but it is worth repeating. In fact, I think I will again...

It is a necessity to build information security and privacy into every application and system, from project envisioning and at every step along the way through to retirement.

Tags:                  
 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on May 18, 2007 7:32 PM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/413

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.