Canyons School District officials in Utah have announced the loss of a USB jump drive that contained the information of 6,000 employees. The lost information includes addresses, phone numbers, DoBs, and Social Security numbers. It has not been mentioned whether the jump drive’s contents were protected via data encryption, although the assumption is that they weren’t.
New School District
Canyons School District (CDS) is a new district in the state of Utah. Originally part of the Jordan School District, CDS broke off on their own and was scheduled to go live this month. Work, however, is still in progress, with technical staff still installing computers and phones; installing wiring; etc.
Perhaps then, it’s no wonder that a data breach occurred. What’s weird, though, is that the data breach did not directly involve the IT department. The breach was caused when the jump drive containing the information was lost by a “district-level worker [who] was using it to transfer data for apparently ‘legitimate,’ job-related purposes.”
They had to do this, it’s implied, because “Jordan [School District], unbeknownst to us, wiped clean the server … which put us at a tremendous disadvantage.” I say that it’s implied because the quote could have been taken out of context; but as it stands right now, that’s what it implies.
Who’s To Blame?
I’m not too crazy about that last quote. Of course Jordan wiped the servers. To begin with, there’s no reason why Jordan ought to send the servers as-is to CDS. That would be an automatic data breach, even if the servers weren’t lost or stolen.
Why, you ask? Because Jordan’s servers probably contain employee and student information for the Jordan School District, which is of no business whatsoever to CDS.
So, laying the blame on Jordan, by stating that the information wouldn’t be on a USB jump drive–which subsequently got lost–if the servers hadn’t been wiped, is disingenuous. Jordan seems to have done everything by the book.
The truth of the matter is that the jump drive should have been encrypted (again, assuming it wasn’t). An easy-to-install encryption software product like AlertBoot full disk encryption would have ensured that all of the contents of the jump drive would have been protected.
Heck, even just protecting the file or files that contained the personal data with file encryption software would have been enough to pretty much eliminate any risks of the data’s misuse.
Which raises a question: Who should have encrypted that data?
Who’s To Blame, Really?
While the data was lost by a CDS employee (at least, I’m assuming as much: they put out the press release; they’re the ones conducting an investigation), the information that was lost affects employees at Jordan, including those that are not being transferred over to CDS.
How’d the employee gain that information?
I’m entering speculative territory here, but it must have come from someone over at the Jordan School District. And it doesn’t make sense. They won’t send a server unless the data on it is wiped, but they’ll give out the same data for some guy to save it on his USB jump drive?
Someone dropped the ball here (obviously), but it’s questionable who’s to blame. If I were in Jordan’s shoes, I wouldn’t have given out the data unless it was encrypted. Did they?