County Public Schools provided an update late Wednesday about the security
breach related to one of the school system’s contractors, indicating that
social security and financial information could not have been obtained by
outsiders. However, names, addresses and birth dates could have been accessed.
It’s not known whether any – or how many – unauthorized people accessed the information, according to the update.
The school system robo-called and emailed parents and faculty Tuesday about the breach with a message from Superintendent Edgar Hatrick. An update came via the same method Wednesday, along with an update on the school system’s website.
According to the update, LCPS continues to investigate the errors made by contractor Risk Solutions International (RSI) on its website. The information involved included data contained in an emergency management plan website maintained by RSI for LCPS. The school system asserted in its initial announcement Tuesday that the information has since been secured.
The school system released the following answers to some of the most frequently asked questions about the incident:
How Much Information Was Exposed?
were 1,286 links with information on all 84 LCPS schools contained on the
website. RSI has informed LCPS it cannot determine how many of these links were
LCPS Department of Technology Services staff went through each link to determine its exact content.
Some of these links
contained directory information about students and staff.
Directory information is described as:
- Student’s name;
- Telephone number;
- Date and place of birth;
- Dates of attendance;
- Student schedules.
The following information was not included on the RSI website:
- Social Security numbers;
- Driver’s license numbers;
- Financial accounts;
- Credit card information;
- Student and staff identification photos;
- Student grades;
- Student socio-economic status.
Was RSI’s Website Hacked?
The website was not forcibly entered. The website never lost its password security.
RSI employees engaged in technical testing on November 4, 2013, December 19, 2013, and December 24, 2013. Security protocols were not followed and the data was exposed. The exact date of the incident has not been determined nor has the length of time the information was exposed.
LCPS was notified of the incident at approximately 2:45 p.m. on January 2, 2014, and immediately contacted RSI requesting a system shutdown.
Documents opened during the incident were cached (stored) by the web-hosting services through which they were accessed. RSI worked with service-engine providers to remove the cached documents. As of 7 a.m. January 8th, the cached documents had been removed. Since the cached data was removed, LCPS staff has not been able to replicate the search that originally exposed the data. (The data is no longer available.)
Why Does LCPS Use the Emergency Management Plan System?
The website was designed for emergency purposes.
Access to the website containing the emergency management plan is password-protected with select LCPS administrative personnel given access to this information.
The emergency management plan was built through a U.S. Department of Education Readiness and Emergency Management for Schools (REMS) grant. RSI is a vendor approved by the U.S. Department of Education to provide school districts with emergency management plans. LCPS first began working with RSI in 2008. RSI has helped approximately 160 school districts in 23 states develop emergency management plans.
Many of the links on the emergency management plan website contained pre-configured templates available for numerous emergency situations. Not all of these templates were utilized by LCPS.