Frequently Asked Questions - Data Accessed by Student
This information is presented as a resource for those affected by this incident and interested members of the public.
Published 12/11/13 | Updated 12/12/13
Contact: email@example.com. Questions & answers and additional info may be added based on inquiries received
What exactly happened? In the beginning of November 2013, Radnor Township School District officials discovered that a middle school student accessed an "open" folder on the school district's internal network. Within that folder, the student accessed a file that contained personal information of school district employees. The student subsequently showed or shared the file with a limited number of students.
How did this happen? Unfortunately, this incident can be attributed to human error. A district employee who was overseeing a data transfer process accidentally left the folder “open,” which made the file accessible to users of the RTSD internal network.
Why was the district transferring data? The school district was in the process of transferring data to a new financial software provider, which provides data for our business office. The folder containing the files was left "open" so that this provider could remotely retrieve the information to populate our new database. The file was accidentally left "open" after this transfer occurred in a way that allowed it to be viewed by other users logged into the district's internal network.
It is important to note that the general public cannot access the district's internal network. In this case, the student discovered the folder by browsing through the hundreds of icons which represent various network computers and folders.
When was the file opened? The student involved indicated that he/she was able to access the file at the end of the 2012-13 school year (May or June). This time frame makes sense because this is the last time the district transferred data to the new financial software company.
When did the district find out this happened? District officials learned about this incident on Nov. 4, 2013 when one of the students reported it to a staff member. We immediately began a thorough internal investigation, which included conducting interviews with students, discussing the matter with the parents of the students in question and obtaining additional information, among other steps.
What information was accessed? Much of the information in the file was data that is available through right-to-know requests and commercial sources. This includes names, addresses and phone numbers of approximately 2,000 current and former employees. However, the file also contained social security numbers and dates of birth. The students have assured us that the neither the social security numbers nor dates of birth were used in any way. In fact, interviews with students indicate the students had no interest in this information. No direct deposit or banking information was included in the file.
The district is very concerned this incident occurred and takes the security of our network and privacy of our employees very seriously. However, we do not believe the information was used in any way that poses any harm to our employees.
Who was involved? We know that one middle school student who accessed the file made one copy to a jump/flash drive. This occurred in May or June of 2013. That student emailed the information to three other students. We do not believe any information was used in any way. The students we have spoken to indicate that four or five other middle school students saw the file but did not copy it or use it in any way. Subsequently, another student accessed the file several weeks ago and then notified RTSD staff on Nov. 4, 2013 that the file was accessible on the internal network.
How many people are impacted? Approximately 2,000 current and former employees of the Radnor Township School District are impacted. This includes current teachers, administrators and other staff positions. On Nov. 25, 2013, after the district gathered facts to share, a letter from Superintendent Dr. Michael Kelly detailing the incident was sent to every current or former employee whose information was included in the file that was accessed by the student.
Was the information used for ID theft? There are no indications the information was used illegally. The district believes the students acted with no maliciousness. One curious middle school student found an “open” folder and copied a single file from that folder. We have no evidence that the information was used to harm anyone.
What can those affected do to further protect their credit? Again, based on our investigation, we have no reason to believe that any current or former employee is at risk of credit fraud as a result of this incident.
However, if you are concerned about your credit, credit experts recommend some basic steps that all consumers can take to help protect their credit health. First and foremost, credit experts recommend regular reviewing of your credit report for mistakes and to ensure no improper activity has taken place. Under federal law, you can receive a copy of your credit report free once a year from each of the three credit bureaus. The only way you can receive this government-mandated credit report free is through www.annualcreditreport.com. Do not contact the credit bureaus directly for your free annual credit report.
You can also place a free, 90-day fraud alert on your credit report that lets businesses know to take extra steps to confirm your identity before granting credit. You can contact any one of the major credit bureaus (www.equifax.com, www.experian.com and www.transunion.com) to place a fraud alert on your credit report. The bureau you contact is required to alert the other two bureaus. Both Equifax and Experian provide online forms to put an initial fraud alert on your credit report. You are also entitled to a free credit report with a fraud alert. Note that the fraud alert may prevent you from doing instant credit applications at retail stores.
Did the students commit a crime? Will they be charged? Law enforcement authorities were made aware of the incident shortly after we discovered the file was accessed. Our solicitor has been in contact with authorities more recently. We do not believe the students committed a crime. However, we believe that at least one student broke the district's Acceptable Use Policy related to accessing and using the network. Appropriate consequences will occur under the terms of the student code of conduct. As in all situations, student discipline matters are confidential.
How does the district know that no one else accessed the data? We have no way of knowing with 100 percent certainty that the file in question was not accessed by other network users (which includes administrators, teachers, and students), but have no evidence and no reason to believe it was shared in any way.
Will the RTSD staff member who left the file "open" face consequences? The district is following established policies in determining what action will be taken pertaining to the employee. This is a private personnel matter.
Did the students "hack" into the system? Absolutely not. There was no unlawful access to the district's internal network and no use of hacking software involved. This was an incident of human error that allowed internal network access to an “open” folder.
What has the school district done to ensure this will not happen again?
We take security very seriously and have taken/are taking many steps to avoid anything like this happening again.
The "open" folder was removed.
All unauthorized files have been destroyed.
A secure file transfer protocol will be used with any vendor or software company employed by the district.
Users can no longer “browse” the network.
New training on network security is being required and made available to update the skills of staff and to reinforce security policies and measures.
An independent security analysis will be performed to test for network and system vulnerabilities.
We have notified the three major credit reporting agencies (Equifax, Experion and TransUnion) that personal information of approximately 2,000 current and former employees was accessed.