Internal errors blamed for Franklin employees Social Security scare

July 19, 2007

By Melissa Griffy Seeton, GateHouse Media

http://www.timesreporter.com/index.php?ID=70390



The Social Security numbers of 1,800 present and former Jackson Local Schools' employees were at risk of public access on a county-maintained Web site.

The personal data is now secure, school officials said Wednesday, and foul play is not suspected.

"We do not believe it was a hacker or anything sinister. We feel confident this was not the result of criminal activity, but an internal error," said Larry Morgan, superintendent of Stark County Schools and chairman of the Stark-Portage Area Regional Computer Consortium, also known as SPARCC.

The consortium is one of 23 information technology centers across the state that provides record-keeping and fiscal and data-processing capabilities for school districts. The Social Security numbers were accessible on the SPARCC Web site, which keeps data for 28 school districts and two educational service centers in Stark and Portage counties.

Jackson schools is the only district with information compromised.

The discovery was made when Jackson Local Superintendent Cheryl Haschak got a call from a concerned county resident.

"He was doing a search, and he said he thought he had access to information that should not be made available to him," Haschak said. Morgan acknowledged the initial thought was "Why just Jackson?"

That was July 2. Since then, Jackson officials have been working with the county office, a security firm and the Stark County Sheriff's Department.

When investigated further, it appears, internally the files were somehow left unsecure - either by human error or a glitch in the software provided by the Ohio Department of Education.

"Unfortunately, there is so much people can access right now," Haschak said. "Technology can be a good thing, but it can be detrimental. Certainly, this is unsettling, but it wasn.t something purposefully done."

Those employees affected worked in the district from 2001 to 2005. The district stopped using Social Security numbers as personal identifiers after 2005 when Jackson High students hacked into the school's computer system, gaining access to teachers. Social Security numbers, home addresses and student grades.

Those present and former Jackson employees impacted will get a letter in the mail in the next few days. The notices are expected to be mailed today.

Although Morgan said they do not know if the Social Security numbers of the 1,800 affected were accessed - there was the potential - and, as result, the major credit reporting bureaus have been informed because of the potential of identity theft.

"We have no evidence anyone has it (Social Security numbers), but we know they could have it," Morgan said. "There is a possibility, although we don't think it happened."

The consortium has implemented additional layers of security on its Web site including increased monitoring to detect unauthorized attempts to access its servers. The security firm, which reviewed the incident, also is auditing SPARCC's network and servers.

Morgan's goal is to remove all Social Security numbers from the SPARCC system.

Last year, Ohio University became at least the third college to announce unauthorized access was gained to confidential information.

In 2005, two computers were stolen from Kent State University offices. The computers contained the names and Social Security numbers of practically every student and instructor since 2002, and every graduate since 1988.

That same year, Web site security was breached at Stark State College of Technology. Students couldn.t access their own personal information - such as their grades or student loans - instead the personal information of another student was shown, including Social Security numbers. College officials said the incident was not the result of a hacker, but a software glitch.


main page ATTRITION feedback