According to a couple of sources, Chesapeake Public Schools in Virginia is notifying employees about a potential data breach. Per their announcement, nearly 11,000 people could be affected by the theft of a laptop computer. It appears that laptop encryption software was not used to protect the contents. Password protection, however, was used.
Assuming that the thieves (or thief) manage to work past the password protection, they will have access to names, Social Security numbers, and bank account numbers for past and present employees of CPS.
Password Protection: Useless
This is one of those data breach stories that doesn’t get too much coverage nowadays – either because the theft of unencrypted laptops doesn’t happen too often (relatively speaking) or because it gets buried by much more sensational breaches, such as Yahoo’s admission earlier this year that hundreds of millions of accounts were hacked a couple of years ago.
I would like to imagine that the dearth of such stories is due to the former reason. After all, it’s been a while since the alarm was first raised regarding the lack of encryption on laptops that store sensitive data; this blog alone has spent 10 years on it, as have other sites including news outlets. It would be nice to know that ten or more years is enough time for information to diffuse throughout society and become general knowledge. You know, to become what they refer to as “common sense.” (And if the controversy revolving around the FBI and iPhones is any indication, it has become common sense.)
Here’s a factoid that hasn’t reached such status: password protection is anything but. Just a simple online search will provide more than a handful of ways for overcoming or bypassing password protection on computers running the Windows operating system.
And if the thieves manage to do it on the CPS laptop… well, it’s not going to be pretty.
Tax Season is Upon Us
What could a thief do with names, SSNs, and bank account info for 10,000-plus people? How much damage could he cause? Plenty.
One of the ways that the above info gets used around this time of the year is in the IRS tax refund scam. Since nobody likes to file their taxes early, and most will wait until April is near, enterprising criminals have beaten real people to the punch by filing fake tax returns, routing the IRS checks to addresses they control (such as postal mail boxes) and cashing them.
The IRS does what it can to prevent checks from being sent to scammers, but ultimately, it can’t know for sure that a fraudulent tax return was filed unless the actual SSN holder (or his/her accountant) calls to complain – which, again, tends to happen closer to April.
Indeed, this could be one big reason why there are no signs of the data being misused so far. It’s just a little too soon to do anything with it.