March 27, 2018//Ellen Neveux
A Florida school superintendent recently disclosed the loss of the personal information of approximately 50,000 students and staff in the Leon County School District. The loss of data underscores the danger of insecure third-party vendors with access to sensitive or proprietary information.
The case is a classic example of the damage and liability that occur when a third-party vendor does not have robust, or even adequate, network security. The vendor, Florida Virtual School (FLVS), is an educational services provider that lost school district data in two separate incidents, including:
The student information exposed included name, username, school identification number, and medical, demographic, and other information. The confidential staff information exposed included Social Security numbers, full contact information, email addresses, and more.
The threat of unsecured third-party networks
From the information available so far, it is not clear that the data exposed in this data breach has been sold.
As is the habit of the day, the third-party vendor, FLVS, is offering all impacted individuals one year of credit monitoring. As with the Equifax data breach or any incident where personal information is exposed or stolen, there is no date after which a consumer or business can be guaranteed they will not suffer an identity, financial, or other crime as a result of the data loss.
From media reports, the first data loss occurred when the third-party vendor incorrectly configured a server, providing public access to tens of thousands of records. In the second incident, the vendor appears to have simply failed to secure the online data.
Responding to the exposure, Leon County School District superintendent Rocky Hanna said, “At the end of the day, Florida Virtual School left their server wide open for intruders to access. They are 100 percent responsible for this theft.”
For an enterprise of any kind working with third-party providers, a secure remote access platform eliminates the unwelcome surprise of shifty or absent security practices.
The lack of security policies at FLVS is shocking, but not uncommon. While FLVS may be liable, the real damage may never be known. If compliance and secure remote access are important to your business, talk to us at SecureLink.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.