In response to reports that the personal data of around 820,000 current and former New York City public school students was compromised in the hack of a widely-used online grading and attendance system earlier this year according to the US Dept. of Education, cyber security experts reacted below.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Cybercriminals do not care whose data they steal, mainly if it contains names, birthdays and other personally identifiable information (PII). In this case, it becomes a potential jackpot for them to acquire with the expectation that they will sell the data for a large sum of money.
Organizations need to request that companies provide a level of cybersecurity certification relating to the product or service to ensure a high level of compliance when it comes to security. However, we also say that compliance does not equal security, and therefore additional questionnaires are a good practice to verify that the vendor is actually doing what they have written in their policies.![\"\"](\"https://ci3.googleusercontent.com/proxy/B8C9T26LYpd_Or9m89wjGWvj4x7UGphK5o8orhJ0PgcT70dOx4AaVFsKzX4yeZ45Qj_VUotV6CHJWft7CfNSSPpTiBGEzH5jQ-q4Ij4DiaY-PKW1dF7dz8k3R0kf96tWcVsqV5-JvNeLYnXmbdfOmReRcXKKRpQt5bsohfAdaZ4duir9lhEVggpzCyzTN0kU-x89Pygn-OcduIngyTX0BPrPX-bZnydzusDFx4pPriV-Ki6xCrwH7MQKVBxnw4-skCnLqWDRArEqGvDDz9sLEWs2FKVgqRjHuDAiPGHDtjVc18rg73kDirrdRc_dc5n_J5nkvfBjEWKa-zu4BLYjSI9W7ot-u1OuBRfjG01OxKvNlfuphRSy0oAzMZ0eMPpc0O_59Q4W0VLy1_56uodszCsDAIONw1TDcvjzCOEGnMg42aruxgccQcjBYVeqdMuphqps0ggue72ocBPP7_erSY0-3v6x-nrQcuha47YVQdHAXNE57QE0eEHPfeW3X-Yu4ZfuiZrnPeiW0AU7d8xHnZ4BOM0Dus0ipvHyvLKlZyAc-UhBn8BJkyBLILV6oC9mcm7_oKqcaMSMWH9TrdvhkMla57AS0uVy1HT37aPvs2XQKsnVZA=s0-d-e1-ft#https://u7061146.ct.sendgrid.net/wf/open?upn=CwffFhHzH-2F8AytMf4pRK8PqLSPZ8NCqxlAclJe3h8Vsy0MdHwJqp5xwJH41tlwXzBeKrQMWiCt6eTu4dpsuA9EFO0TpfZe7eEIr5gfPVUCjYIjfnB76XpwyQlNOz4F-2FvDd8Oi7oCbpVwO50Mddg-2Bbi-2Fn1-2FyVXbBKonD0Hg-2FYLZtF0ucuxDdkh7ehWlysHM-2FFgD3TZZb3o4AjwLkhsYAHoT72T2qScbo9Ygh-2B-2BK2Ro8Uo4DIC2AamrLdPJAjfKVIPmMjsVPkGttTS8WdtAEdNTLRjkLXO-2F8vFvpqg2QbMNt0EU65UTfal3EakCHzFh0kvM9V8e2v5UWrpqCciFnRjOl0YJc2aJDUnzHlhXHZyUvBUHl65ptcyS5DOiSaBUUL6\")
Responses by breached organizations similar to Illuminate’s “…no evidence of any fraudulent or illegal activity related to this incident.” need to be called out on the limitations of the claimant to know if any such activities have occurred. It’s unlikely that an organization that suffers a breach will be in a position to know whether the information stolen from them was used to perform fraudulent activities such as credit card or benefit fraud. They just don’t have the visibility into those systems. They’d have to rely on victim self-reporting on an individual basis, something almost impossible to do when the victims themselves haven’t been notified their information was stolen for months. Far too many times, statements like this carry the reassuring implication that victims aren’t being targeted at all when the reality is that the breached organization is in no position to know with any reasonable amount of certainty.
A few other things that stand out to me are the apparent failure of Illuminate to follow their own cybersecurity protocols of encrypting all student information. It isn’t clear from the disclosures why this happened, but it’s possible that there was a primary location in the Illuminate platform where the data was encrypted, but there existed secondary copies in staging environments or backups that were unencrypted. It’s critical that all organizations understand all places that sensitive data may reside and take the appropriate steps to secure it. Failure to do so can not only expose the information to compromise, but also open the organization to legal liability.
This incident also highlights just how important it is for organizations to understand their operational dependencies and the potential business impact if those dependencies are rendered unusable. In this case, the security incident caused significant disruption of the school system’s ability to deliver service to their students. Understanding these risks and forming a strategy for business continuity is needed to maintain operational resiliency whether a failure comes from a cybersecurity incident, a natural disaster, or even a simple mistake.