Personal Data Compromised for 4k in San Juan School District

4,000 San Juan Unified School District employees were notified that their names and social security numbers had been exposed on the internet. The leak was discovered when an employee googled their own name and found a page on a church website listing names and social security numbers.

After investigation, it was found that an employee in HR had copied the file to a USB drive to work on it on a home computer. Later they inadvertently copied the file to an unrelated website where they did volunteer work.

As a result of this incident, USB devices are now banned from the school system.

Source: SacBee and posts from a victim

What lessons can be learned from this?
I think most people would think the initial response of the school district isn't good enough. While they did notify employees as required under California law (Civ. Code 1798.82 and 1798.29), there is no mention of providing credit monitoring services.

The school system reportedly requires the use of Social Security Numbers on internal forms. If they are using SSNs in lieu of employee numbers, that needs to change. Where an SSN is genuinely required on a form (possibly health care and payroll enrollment), such forms should be transmitted and stored securely.

In this case the employee was taking the file home to work on it, and it sounds like the work was to be done on a personal home computer. There needs to be a strong wall between work and home computers.

Should the data have been available to copy to the drive in the first place? Do you know where your sensitive data lives, so that you can keep it from being moved in a similar fashion? Data Loss Prevention products are rather expensive to deploy merely to watch for SSNs.
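A cheap first step that does not require a DLP product is a discovery script run over the file shares and web roots you already administer, so you at least know which files contain SSNs before one of them leaves. The following is an added example, not from the original post or from the school district: the pattern rules, the file-type list and the sample roster text are my own constructions, and the structural checks (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) are the published SSA rules, not a guarantee that a matched number is real.

```python
from __future__ import annotations

import re
from pathlib import Path
from typing import Iterable, List, NamedTuple

# Formatted SSNs (123-45-6789 or 123 45 6789) are matched with high confidence.
# Bare 9-digit runs are also matched, but reported with low confidence because
# invoice and reference numbers look the same. Digit look-arounds stop a match
# from starting or ending in the middle of a longer number.
FORMATTED = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
UNFORMATTED = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")


class Finding(NamedTuple):
    path: str
    line: int
    masked: str      # "***-**-6789": keep only the last four so the report itself is not a leak
    confidence: str  # "high" for formatted matches, "low" for bare digit runs


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks from the SSA: these area/group/serial values are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return every plausible SSN in text, one Finding per match, with line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, confidence in ((FORMATTED, "high"), (UNFORMATTED, "low")):
            for match in pattern.finditer(line):
                area, group, serial = match.groups()
                if is_plausible_ssn(area, group, serial):
                    findings.append(Finding(path, lineno, f"***-**-{serial}", confidence))
    return findings


def scan_tree(root: str, suffixes: Iterable[str] = (".txt", ".csv", ".html", ".htm", ".log")) -> List[Finding]:
    """Walk a directory (a file share, or a web root like the one the file landed in)
    and scan the text-like files in it. Binary formats are skipped here; for .docx or
    .xlsx you would need to unpack them first."""
    wanted = {s.lower() for s in suffixes}
    results: List[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in wanted:
            try:
                results.extend(scan_text(p.read_text(errors="replace"), str(p)))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return results


# Constructed sample roster (not real data). The phone numbers share the 3-3-4 shape
# but fail the area check, and two rows carry SSNs that can never be issued.
SAMPLE = """\
Employee,SSN,Phone
A. Example,123-45-6789,916-555-0100
B. Example,078 05 1120,(916) 555-0101
C. Example,000-12-3456,n/a
D. Example,666-00-0000,n/a
Reference ID 987654321 (invalid area 987), invoice 123456789
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE, "roster.csv"):
        print(f"{f.path}:{f.line} {f.masked} ({f.confidence})")
```

Run against a real share you will see why the author calls DLP expensive: the "low" bucket fills with invoice and account numbers, and every hit needs a person to decide whether the file belongs where it is. Even so, a weekly run over the HR share and the public web roots would have flagged the church page the moment it appeared.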

Encrypting data written to the USB drive would have helped in the event the USB device was lost. But would it have helped in this case? Probably not on its own: the file had to be decrypted to be worked on, and it was a plaintext copy that ended up on the website. At best, the extra step might have made the user think about which files were being copied.

Policies need to exist regarding the care of sensitive data, home computer use, and USB devices. As far as we know this wasn't a malicious act. People in sensitive roles need to be trained to handle data correctly.