A recent report from up Schenectady way highlights the danger that "black hat" hackers face when they advise their targets of system security problems. It also shows the difficult position that victims are put in when those hackers happen to be students who are minors.
According to a notice posted on the website of the Shenendehowa Central School district in Clifton Park, New York, the principal of the local high school received an email from an anonymous "student" advising him that the sender had accessed a file on the school district's computer system that included detailed personal information about present and former district employees. The district IS department was alerted, and they "discovered that two high school students had accessed the file from an internal computer using their student password. Due to a configuration error, this file was not completely secured from student password access after being moved to a new server."
In other words, the database was left unsecured and all the student had to do to access it was log in to the system as a student and go poking around.
Of course, in the fine tradition of egg-faced officials everywhere, it is the student who discovered the problem, and not the IT person who caused it, who will pay for the error. The student was identified (he did log on as a student, although according to the school district he used another student's login -- probably not a good idea if you're trying to look innocent), arrested, and charged with three felonies. (The second student was not charged; perhaps he was merely kibitzing.)
This has caused a minor uproar in the tech community, which generally considers that the student was more or less doing his civic duty and deserves a ribbon, not a record. Perhaps. But consider the other side of the coin -- sensitive information about present and former employees was available to anyone logged in to the system, and was viewed by at least one person -- the student -- who did not have a right to see it. That's all that it takes to confirm a security breach.
The district from that point forward had a legal obligation to notify the affected employees that the security of their personal information had been compromised (according to news reports, it did provide the notice). It also has an obligation, under New York state law, to notify the state's Office of Cyber Security, Attorney General, and Consumer Protection Board. A good summary of New York state laws and regulations relating to information security can be found here.
The point to be taken from this incident is that when personal information is compromised, the consequences must by law extend beyond simply the affected entity. Should the student be facing three felony charges for what he did? Perhaps not. Should the authorities have been notified? Absolutely.