UPDATED: August 14 16, 2017
Data breaches happen. Some argue they are even inevitable. Given that K-12 school districts – along with state and local governments – are increasingly relying on online tools and services to conduct business and provide services, there is no reason to believe that the K-12 education sector is or will be immune to these larger and concerning IT trends.
Yet, as bad as a data breach can be, when breaches happen it is how organizations – including schools and school vendors – respond to and communicate about them that will be remembered. While it is understandable for an organization that has suffered an unauthorized data breach to want to minimize communications about what happened and why, including even deflecting any responsibility they may have had in the disclosure of sensitive information, this is often bad advice. Indeed, experts are increasingly counseling organizations on best practices in data breach response, including encouraging organizations to train for and practice those responses.
Done well, a data breach response can help organizations to shore up cyber security policies and practices and to increase the trust that stakeholders and customers have in an organization as a steward of sensitive information. Done less well, a data breach becomes an ongoing news story that can capture the public’s attention for weeks or more, leading to speculation about what actually happened and why. An organization’s tarnished reputation can suffer even more harm, making it very difficult to re-earn the trust of stakeholders – and rightfully so.
Which brings us to Texas…and specifically the Texas Association of School Boards.
On May 22, 2017, the Texas Association of School Boards (TASB), a private, nonprofit membership organization which claims all 1,030 Texas school districts as members, discovered that they had inadvertently posted the names and social security numbers of Texas school employees publicly on the internet.
More than two months since the breach was first discovered and more than one month since TASB publicly acknowledged the breach, media are still writing original stories about the breach. Why?
Because there remain fundamental questions about what happened and why. For instance:
How many current and former Texas school employees were affected by this breach?
We don’t know.
Who was responsible for the breach and how was it discovered?
We don’t know.
For how long was Texas school employee data publicly posted online?
We don’t know.
Have all affected current and former Texas school employee’s been notified of the breach?
We don’t know.
As of date August 12 16, 2017, news reports (including the dates they were published, the districts involved, and the numbers of employees affected by the TASB breach) are known to include:
- CCISD: employee information inadvertently made visible online (June 21)
- Corpus Christi ISD (6,100 affected)
- Texas Association of School Boards suffers security breach (June 26)
- Laredo ISD (‘some’ affected)
- 14 Valley School District Employees’ Identities Possibly at Risk (July 3)
- Edcouch-Elsa ISD (‘varying degrees’ affected)
- La Joya ISD (‘varying degrees’ affected)
- Laredo ISD (‘varying degrees’ affected)
- Los Fresnos CISD (‘varying degrees’ affected)
- Mission CISD (‘varying degrees’ affected)
- Monte Alto ISD (‘varying degrees’ affected)
- Progreso ISD (‘varying degrees’ affected)
- Rio Grande City CISD (‘varying degrees’ affected)
- Lyford CISD (‘varying degrees’ affected)
- McAllen ISD (‘varying degrees’ affected)
- San Perlita ISD (‘varying degrees’ affected)
- South Texas ISD (‘varying degrees’ affected)
- United ISD (‘varying degrees’ affected)
- Weslaco ISD (‘varying degrees’ affected)
- Data breach exposes teachers’ Social Security numbers (July 5)
- Victoria ISD (all school district employees)
- Calhoun County ISD (‘varying degrees’ affected)
- Goliad ISD (‘varying degrees’ affected)
- Hallettsville ISD (‘varying degrees’ affected)
- Shiner ISD (‘varying degrees’ affected)
- Data breach exposes Killeen school district employees online (July 7)
- Killeen ISD (unspecified affected)
- Ector County ISD Affected by Data Breach (July 12)
- Ector County ISD (unspecified affected)
- Leander teacher ‘unhappy and nervous’ her personal info was posted online (July 13)
- Leander ISD (18 former employees)
- Round Rock ISD (‘a number of our current and former employees’ affected)
- Alief ISD (unspecified affected)
- Security breach exposes school district employee data (August 7)
- San Benito CISD (unspecified affected)
- Fort Worth ISD (“over 14,000” affected)**
- Local teacher info shared in data breach (August 8)
- Beaumont ISD (unspecified affected)
- Bridge City ISD (unspecified affected)
- Port Arthur ISD (unspecified affected)
- Kountze ISD (unspecified affected)
- West Orange-Cove CISD (unspecified affected)
- Glitch may have compromised personal information of some area teachers (August 8)
- Midway ISD (“all of our employees” from the 2016-17 school years)
- Temple ISD (unspecified affected)
- Robinson ISD (unspecified affected)
- TASB Security Breach affecting GRISD Staff and Substitutes (August 8)**
- Glen Rose ISD (“many” affected)**
- Security breach of Texas teachers’ social security numbers discovered (August 15)**
- Pflugerville ISD (“many” affected)**
** Updated since original blog post of August 12.
Across the 10 12 news stories/reports, an unspecified number of current and/or former employees of 36 38 different Texas school districts are now known to have been affected by this breach. Given that TASB serves all 1,030 Texas school districts and that the breach involved current and former school district employees, the potential magnitude of this breach could be very large – and much larger than reported to date. And, every new article seems to include new information about the parties affected by the breach…which is pretty much the opposite of how experts counsel organizations to respond.
This should be a cautionary tale to others in the K-12 education sector who suffer a data breach. It certainly is not a good news story about TASB or for Texas educators, but hopefully others will be able to benefit from the lessons learned about this incident and the response.
At least, that is my hope and the reason for this post.