A privacy breach at a school district in New Jersey exposed portions of 1,200 employees’ Social Security Numbers.
The breach occurred at Irvington Public Schools on 16 April when an “unknown source” sent out an email to an undetermined number of recipients. The email contained the names of current and former employees of the Irvington, New Jersey school district. It also included segments of their Social Security Numbers with some digits replaced by asterisks and dashes.
Superintendent Neely Hackett said she doesn’t know how many people ultimately received the email, which used the subject line “IBOE gave out your SS number.” (IBOE is short for “Irvington Board of Education.”) As she told NJ.com:
At this time, I do not know the exact number of people who received the email. To the best of my knowledge, the email was distributed to Irvington staff members using the district email address.
She went on to explain that the district, which enrolls approximately 7,000 students, “regrets this unfortunate disclosure” and intends to notify any former employees whom the breach might have affected.
Tracy Bowers, public safety director for Irvington, said detectives are currently investigating the incident to learn more about how the breach occurred.
As of this writing, it’s unclear how the unknown individual acquired the partial Social Security Numbers of more than a thousand school staff members and gained access to the school’s district email address. What is clear, however, is the need for schools everywhere to implement security measures that can help shield sensitive data from external attackers and malicious insiders. Specifically, they should consider using encryption, access controls and some of the other 20 critical security controls developed by the Center for Internet Security (CIS).