Audit wraps up after data breach
Two parents accessed confidential student information during glitch but no one else did, school busing agency STSCO says
The agency that co-ordinates busing for schools in the Peterborough area has had a security audit after it accidentally allowed public access to a database of student contact and busing information through social media, in early February.
“I want to assure the public this was taken very, very seriously,” said Joel Sloggett, CAO of Student Transportation Services of Central Ontario (STSCO).
There’s an update for the public on the STSCO website that says an outside firm was hired to do a thorough review of STSCO’s data security processes.
That review is now done, states the update, and STSCO was found to be at “moderate risk” of unauthorized access to its internal network.
With the help of the local school boards, states the update, STSCO is now working to implement a series of short, medium and long-term recommendations.
“These recommendations include enhancing software and technology, improving internal processes with respect to password protections and conducting regular internal and external security assessments,” states the update.
On Feb. 7, the personal information of five students — including addresses and dates of birth — was breached after a posting was made to the agency’s Facebook and Twitter accounts.
The posts were meant to inform parents of a potential school bus driver strike in Bowmanville, Sloggett said at the time; the attachment was intended to give parents further information.
But instead a link to a training document containing the dates of birth, addresses and bus routes of all 26,000 kids using STSCO services was posted — and there was no password protection.
None of the five students live in Peterborough, Sloggett said in February — STSCO
oversees school bus transportation for 26,000 Catholic and public board students in the area.
Sloggett said the five files were accessed by two people — both of them parents — who realized the link to the database was likely posted in error.
The two parents had both looked at their own children’s files and both reported it to STSCO within an hour of the posting.
The first parent had clicked on their own child’s records before shutting down the database and reporting the error to STSCO, and the other clicked on their two children’s records and then clicked on two more students at random to check whether any record in the database could be breached.
Then that parent shut down the database and reported it to a school official, who immediately got in touch with STSCO.
Sloggett said the site was taken down within an hour and 45 minutes of the link being attached in error to the Twitter and Facebook postings.
On Tuesday, Sloggett told The Examiner the audit was done with great care. “The one thing we would like to emphasize is how seriously this was taken – by us and by the school boards,” he said. “A lot of people put their attention to this.”