I should have taken this as an omen. Yesterday as I approached my car, I took out my keys and my little thumb drive fell out of my pocket. I couldn’t help but wonder what would have happened if I had not seen it fall and if I had sensitive school data on that drive. I try not to keep any data like that on something that I’m likely to lose, but it might happen. I immediately went home to double-check the drive, just to make sure. I also made a mental note to bring up the issue of data security when I meet with principals this week.
All of this happened before I saw the headline on this morning’s Greenville News. It seems that the Greenville School District has sold computers with sensitive student data. According to the article, two men had purchased computers at auction, and the computers had student names, addresses, and even Social Security numbers. There was also private information about some employees. The men went public through their attorney, David Gantt…
The buyers, who spoke to The News through an attorney to retain their anonymity, said they unintentionally purchased sensitive information at about 12 auctions that the school district held between 1999 and March of this year.
They came forward finally because the school district repeatedly ignored their warnings that such information was being sold, Gantt said.
My gut reaction was that someone in Greenville was about to lose their job. Lonnie Luce former Director of Technology for the district and current deputy superintendent seemed to have been caught off-guard by some of the questions about the case…
“I remember that they at least had addresses and names on all of our students who were in that logistical system and they had certain other information that should have been kept confidential.”
Of Social Security numbers, he said, “There were some. I don’t remember how many.”
However, this story bears closer inspection. Located on down in the article was a line I missed on my first two readings…
Luce said the men tried to sell the district software that would clean computers before they are sold. He said he didn’t buy from them and that they agreed to destroy the data they had.
Gantt said the WH Group offered to sell the district a data security product but didn’t agree to destroy the information they had.
So, this makes me wonder how, exactly, the district was warned by these two gentlemen. Was it a kind-hearted, public service type warning to the district, or was it a warning couched in a sales pitch? If the latter, then their going to the Greenville News seems less altruistic and more sour grapes that the district didn’t purchase their product.
I have seen vendor practices that border on blackmail. A group will attempt to hack your network to demonstrate the need for network security services. Vendors often use fear and the sway of public opinion to force consideration of their products. I won’t say that this happened in this case, but the circumstances sure are fishy.
Regardless of the intent of WH Group, the data should never have gotten into the wild. Now that this has gone public in a big way, I’m afraid my original assumption will be correct, and that someone will lose a job. However, I can say this. Should the WH Group ever approach my district, I’ll consider ANY alternative other than theirs, and I’ll document the hell out of everything we’ve done.