Spotsy schools respond to online breach

By PAMELA GOULD

Spotsylvania County school officials yesterday increased the number of people they say may have had been affected by a breach of the system’s tax data, saying as many as 4,289 people may have had their personal information compromised last month.

The division started mailing letters to employees on Thursday to tell them about the problem, which was discovered Dec. 23 when an employee was able to access her W–2 form online via a Google search. The form, which is produced at year’s end for preparing tax returns, contains the employee’s name, address, Social Security number, earnings and taxes paid. The forms available on the Internet were those sent to employees online in 2009 and 2010.

The division has 3,000 current full-time employees, but forms were also available for some employees who have since retired or left the division, Daniels said.

As of yesterday afternoon, about two dozen people had contacted the division’s administrative offices with questions and concerns, she said.

Spotsylvania Education Association President Peter Pfotenhauer said school officials didn’t inform him of the breach until 13 days after it occurred.

And by the time Superintendent Shelley K. Redinger and two assistant superintendents told him about it Thursday, Pfotenhauer already had learned about the situation from a Free Lance–Star reporter.

Pfotenhauer said school officials told him they delayed notifying employees in an attempt to first complete their investigation of the breach, to be sure they had done everything possible to prevent a recurrence and to prevent panic among employees.

He said they also noted that the problem was discovered innocently by an employee seeking her own information, not by someone intent on harm, such as a hacker.

Pfotenhauer said his concern about the delay in notification was tempered by the fact that the breach was not the result of hacking. He also noted that while early notification is always good, with employees on vacation for the holidays he doubted that many would have read an email before returning to work on Tuesday.

School officials told him they chose to send notification by regular mail because they viewed it as more official.

“They said a letter seemed more official and formal. It’s debatable whether you want to be more official or timely,” Pfotenhauer said.

The division also sent email notifications Thursday night after learning that The Free Lance–Star planned to publish the story. Daniels said the goal was for employees to find out from the division rather than the media.

School Board members Amanda Blalock and Dawn Shelley said yesterday that they were disappointed that it took school administrators so long to tell employees about the problem.

“I’m sure they did what they had to do, but it would have been nice to see them get the information to employees earlier than what was done,” said Shelley, who until Dec. 20 was a teacher within the division.

Blalock also said she was surprised the division hadn’t used email as its first means of communication to speed the process.

“I really hate that happened for all the employees exposed,” she said, adding that she remained uncertain about how it occurred.

Other School Board members could not be reached for comment yesterday.

Blalock said she spoke to Redinger yesterday and hopes the problem is resolved.

“I trust that Dr. Redinger and her staff have taken all the necessary precautions to make sure it doesn’t happen again,” Blalock said.

According to Redinger’s letter, the division’s Technology Department acted as soon as the employee notified them of the issue on Dec. 23.

That day, despite the fact that staff members were off duty for the holidays, the following steps were taken:

Technology staff shut down the internal system known as Employee Self Serve, cutting off access to the information.

They worked with Google administrators to disable the search option that had allowed access.

They corrected the problem that had allowed access, and determined that only the Google search engine had provided access.

They hired an independent security company to audit the division’s Web-based systems in an effort to ensure that the problem does not happen again. That will cost $5,875 annually, and will include analysis of all the division’s systems, Daniels said.

The auditor is expected to visit the school division early next week.

The division notified the state Attorney General’s Office and the three credit bureaus, providing a list of people who may have been impacted.

Redinger is encouraging employees whose information might have been compromised to closely monitor their bank accounts and credit reports and to take immediate action if anything looks amiss.

However, the division has no evidence anyone has suffered harm as a result of the problem, and believes it has been corrected, points that Redinger stressed in ending her letter.

“Please be assured that this issue has been resolved and your personal information is secure,” Redinger said.

Pamela Gould: 540/735-1972

pgould@freelancestar.com

SAFETY STEPS

Spotsylvania school employees whose personal information may have been accessed online are encouraged by the division to closely monitor bank account activity and credit reports and notify those companies

if anything appears amiss.

Contact numbers for the credit rating agencies are:

Equifax: 800/525-6285

Experian: 888/397-3742

Trans Union: 800/680-7289

Permalink: http://news.fredericksburg.com/newsdesk/2012/01/06/spotsy-schools-respond-to-online-breach/