“Sensitive, personally identifiable information” of more than 1.4 million students and more than 200,000 teachers was improperly stored by the Maryland State Department of Education, leaving them at risk of identity theft, according to a recent audit.
The review found that the department stored the names and Social Security numbers of students and teachers “in clear text,” even though Maryland’s information security policy calls for confidential data to be protected using encryption or some other “substantial” mitigating controls.
The personal information did not appear, as of June 2018, to be adequately protected by data-loss prevention software.
“Appropriate information system security controls need to exist to ensure that this information is safeguarded and not improperly disclosed,” said the audit, which was published earlier this month.
The report on deficiencies in the state network were released as governments and private entities are working to protect their computer networks and databases from bad actors. The state of Maryland reported earlier this month that hackers accessed the names and Social Security numbers of as many as 78,000 people from two older databases run by the state Department of Labor. The information, accessed in April, belonged to people who received unemployment benefits in 2012 or sought a general equivalency diploma in 2009, 2010 or 2014.
The July 2 audit of the education department found that the state did not have assurances that student data managed by third-party contractors was properly stored. The department also lacked a “complete information technology disaster recovery plan” or sufficient malware protection to provide “adequate assurance that its computers were properly protected,” according to the review...
I wonder if Real ID requires that the state encrypts all the personal documents presented, scanned and stored by the MVA. If not, there is going to be an identity theft crisis of biblical proportions!
ReplyDelete