[ISN] NB students suspended for hacking
From: InfoSec News (alerts infosecnews.org)
Date: Mon Oct 16 2006 - 00:38:50 CDT
http://www.ecmpostreview.com/2006/October/12nbstsufoha.html
By Patrick Tepoorten
10/12/06
The North Branch school district very recently discovered that a number
of students were able to hack the personal identification numbers (PIN)
of both staff and students, and have had access to meal and media center
accounts, as well as protected media lab information, since last
February. Now, high school students responsible for the security breach
have been suspended, others may be disciplined, and the district is
scrambling to assign new PIN numbers for students and staff.
While the information the students had access to would be considered
personal in nature, at no time did the students have access to protected
private data like health records, grades, or financial information such
as credit card numbers. That information is protected by separate
systems that were in no way compromised by this breach of security,
according to the district.
The theft of PIN numbers was discovered roughly a week ago by a computer
lab manager doing routine file clean-up on a school computer. The
employee noticed an unusual file that was determined to be a complete
list of students and staff with corresponding PIN numbers. Further
investigation led to the discovery that the information had been
accessed in February of this year.
The file containing the PIN numbers was discovered by the students as
part of a daily upload of information from the lunch room to a district
on-line database where information is stored.
The file containing the PIN numbers was then saved to a different
location by the students. It is not believed that the students in
question qualify as computer-savvy students who went looking for this
information. According to district media relations coordinator Sara
Thompson, the information appears to have fallen into the students'
laps.
Likely the primary reason the breach was not discovered sooner is that
the students do not appear to have used the information for any purpose.
There is no evidence that students used the PIN numbers to eat lunch or
check out library books on another's account, or accessed anyone's media
lab account, which serves as a network storage space for student
assignments.
To address the situation, the district sent a letter on Oct. 11 to
parents in the district. The letter makes parents aware of the situation
and that they will be issued a new PIN number by Oct. 23. Until then the
data will continue to be accessible using existing PIN numbers. In order
to increase the level of security and eliminate the risk of repeating
existing PINs, the district will issue five-digit PINs instead of four.
A flyer will be sent home with younger students as well, and the
district is expected to address the situation in the Oct. 25 edition of
School News, the weekly column published by the district in the Post
Review. A second letter to parents will be sent later this month and is
expected to include new PINs.
As well as new PINs, the district is addressing weaknesses in its own
security that allowed the breach to occur.
While the most sensitive of district data was not compromised, the
situation has caused a headache for staff. Thompson estimated the cost
of making parents, students, and staff aware of the breach at
approximately $3,000.
The number of hours dedicated to investigating the breach, which
included multiple staff members, has not been tallied but is considered
to be much higher.
Additionally, staff and students will have to learn new PIN numbers,
which is expected to create short-lived problems, especially in
cafeterias.
Due to policy, the district is not allowed to verify how many students
were involved, when they were suspended, or for how long they were
suspended. It is known that more than one student has been suspended and
that policy 506 calls for a suspension of no longer than 10 days. It is
also known that a number of the students involved have had their
computer privileges revoked for the remainder of the school year.
The district has no plans to pursue criminal charges against any of the
students involved.