Data breaches are becoming more common and more expensive. In fact, the average cost of a corporate data breach increased by 15% in recent years to $3.5 million. While we often hear of cyberattacks occurring in the business sector, a breach that targets our education system is a bit more rare — and its costs are even more mysterious and difficult to quantify.
In a breach traced back to 2010, hackers targeted the Frederick County Public School system. All told, approximately 1,000 names, birth dates, and Social Security numbers of former students were stolen and posted online. As of earlier this month, that information was still available on at least one website.
Since Frederick County schools are public, the damage could be wide-ranging. To put it in perspective, the average private high school is less than half the size of the typical public school; the more students there are, the more victims a hacker has to choose from.
The breach has been a real source of controversy in the area, as blame continues to shift and information continues to be withheld. The Maryland State Department of Education investigated the matter in December, but was unable to determine when or how the breach occurred.
“There is no evidence that the breach occurred at the Maryland State Department of Education or, more specifically, that Stata Data systems were breached,” the department said in an email to Fox Baltimore.
However, Frederick County School District officials say otherwise. District spokesman Michael Doerrer feels that “it’s likely” that the breach can be traced back to the MSDE.
Furthermore, the local school board has raised huge concerns about how the breach was handled, as well as the role the district played in the breach and how it will handle future security threats.
Frederick County Board of Education member Colleen Cusimano said that the administration made it extremely difficult for her to obtain pertinent information regarding the data breach and that she only received answers after putting immense pressure on the powers that be. Cusimano, an information technology veteran of 16 years, said that she has voiced her concern about the school’s system security countless times in the past. She is especially troubled that Superintendent Terry Alban is not doing more to improve the system.
Alban said in an interview with The Frederick News-Post that the school board wants to improve cybersecurity and may hire an outside security consultant to evaluate the system. When asked about the current state of the system’s security, she said, “I believe we have done our best to keep our system secure.”
Not so, says Cusimano. She alleges that not only are Alban and other officials minimizing the district’s role in the breach, but that they failed to report the breach to the board. Even after the board was brought up to speed, Cusimano’s questions regarding the attack initially went unanswered.
A former student was the one to first contact the school district at the end of August. But school district officials waited until after an investigation concluded in December before informing any of the students affected by the data breach. The victims all reportedly attended Frederick County schools between November 2005 and November 2006.
Cusimano says that the results of the investigation are totally inconclusive. While she and other board members were able to obtain a copy of the report on the breach — which was developed by an agency that works with the U.S. Department of Homeland Security — the state and the school district have both denied the media and the general public access to the information it contains.
That’s because the report is bound to contain sensitive information regarding the breach: namely, how it occurred.
“The Maryland General Assembly chose to bar disclosure of this information, likely because the members did not want to provide a how-to manual on breaching Maryland’s information systems,” said William H. Fields, a state assistant attorney general who works on behalf of the state education department.
The school district will offer two years of free credit and identity monitoring to the victims of the breach who attended Frederick County schools between November 2005 and November 2006. In addition, Delegate David E. Vogt III, R-District 4, says he intends to file legislation which will force the school system to offer five years of free credit monitoring.