21 February 2008

Info on 28,000 school children stolen from school board

This story takes on a whole different character when one of the children involved is yours.

Well, likely yours since four days after the theft, the school authorities have still not notified parents.

It takes on a whole different character when the story breaks four days after the incident.

It takes on another character altogether when the school board's first priority was everything but notifying parents.

"We have notified all authorities and school administrators and have also taken immediate action with our landlord at Atlantic Place to strengthen our physical security measures.”

As of this writing - 10:30 PM, four days after the theft - there has been no contact from the school board concerning my child.  There was no notification from his school.  Our family learned of this incident from news media.

And let's get this clear:  like all other recent thefts of personal information from provincial government computers (including people hired as consultants) this is an extremely serious matter. 

The delays in public notification as well as the bland assurances that all is well are not only unacceptable, they are entirely unsubstantiated by the facts of the matter. Sure there is concern, but evidently there was no sufficient concern prior to these series of thefts for government officials to double check their various information security and physical security policies.

Eastern School District's news release stated the following:

Eastern School District has consulted with the Offices of the Information and Privacy Commissioner and MCP Commission. The stolen computers are password protected, thus limiting access to information. Additionally, the Eastern School District has been advised by the MCP Commission that access to individual medical records is not at risk.

Try a google search for "Windows password recovery".  You'll get a million or more hits for tips and software to help recover passwords from software like the software most likely used by the school board to manage bus schedules. The data in this instance was not encrypted. 

Limited access to information?

In a pig's eye.

Ask the people whose medical records were exposed to the Internet as a result of lax security policies at the workers compensation agency.

There are serious questions now about the physical security at school board offices since they obviously failed.

Since neither the school board officials nor police know who stole the laptops, they have no basis on which to provide an assessment of the likely personal security threat resulting from this incident. They can make a guess, develop a theory, but until the thieves are apprehended we simply have no idea what possibly will happen to the information.

Access to individual medical records may not be a risk, but armed with a prescription pad, a child's personal data and an MCP number, a druggie thief may be able to obtain prescriptions for a number of different drugs.

Of course, we have no way of knowing at this point what other information was on the computers since school board officials either aren't sure or they haven't disclosed it.