23 February 2008

Letter on student personal info leak contains misleading information

A draft letter Eastern School District plans to send parents of 28,000 children affected by a leaked of personal information contains at least one major factual error and includes misleading information.

The letter states:  "The computers are password protected, thus limiting the potential for unauthorized users to access this information."

Computer security experts have already said publicly that the passwords would provide a minor, temporary inconvenience to anyone wanting to find out what was behind the password.

As well, the letter repeats the contents of the news release issued earlier in the week by referring to the relatively low risk of someone using a student's personal information to access a student's medical file.

That really isn't the threat.  The potential exists for fraud against the medical care commission based on identity theft or of fraudulent prescriptions being passed in a student's name. The possibility of accessing a particular student's medical records remains relatively low.

The letter also refers to laptops being stolen for the hardware value, yet school district officials do not know who stole the computers in this case.  They are speculating.

The letter likely won't reach parents until Monday - eight days after the theft -  and four days after the letter was posted to the Internet by the school district.  It contains no new information and merely repeats the contents of the news release.

There's no explanation as to why it took the school district officials so long to cut and paste a letter to parents that contains nothing more than what had already been sent to hundreds of thousands of people unaffected by the incident, via the release.

In a release earlier this week, the district said it notified provincial government officials and the police about the theft and would begin notifying parents - at the end of the process - now that a news release had been issued and individuals and organizations, some of them not directly affected, had already been advised of the incident.

-srbp-