Third-party vendor exposes data on 50,000 in Florida school district

A Florida school superintendent recently disclosed the loss of the personal information of approximately 50,000 students and staff in the Leon County School District.  The loss of data underscores the danger of insecure third-party vendors with access to sensitive or proprietary information.

The case is a classic example of the damage and liability that occurs when a third-party vendor does not have robust, or even adequate, network security.  The vendor, Florida Virtual School (FLVS), is an educational services provider that lost school district data in two separate incidents, including:

• In 2013, the Leon County School District gave an electronic service provider, UCompass, access to data on district personnel and students.  FLVS later purchased UCompass and acquired the data, storing it on an insecure server. In February 2018, an unauthorized intruder accessed the insecure server and posted his findings on an online forum.  The school was alerted by an associate at Databreaches.net, who noticed the forum comment.
• From May 2016 through February 2018, FLVS provided online educational services to users throughout the Leon County School District.  In February 2018, FLVS alerted the school district that personal data transmitted during that time had been publicly available.

The information provided on students included name, username, school identification number, medical, demographic, and other information.  The staff member confidential information exposed included social security numbers, full contact information, email addresses, and more.

The threat of unsecured third-party networks

From the information available so far, it is not clear that the data exposed in this data breach has been sold.

As is the habit of the day, the third-party vendor, FLVS, is offering all impacted individuals one year of credit monitoring.  Like the Equifax data breach or any incident where personal information is exposed or stolen, there is no expiration date on when a consumer or business can be guaranteed they will not suffer an identity, financial, or other crime as a result of the data loss.

From media reports, the first data loss occurred when the third-party vendor incorrectly configured a server, providing public access to tens of thousands of records.  In the second incident, the vendor appears to have simply failed to secure the online data.

Responding to the exposure, Leon County School District superintendent Rocky Hanna said, “At the end of the day, Florida Virtual School left their server wide open for intruders to access. They are 100 percent responsible for this theft.”

For an enterprise of any kind working with third-party providers, a secure remote access platform eliminates the unwelcome surprise of shifty or absent security practices.

The lack of security policies at FLVS is shocking, but not uncommon.  While FLVS may be liable, the real damage may never be known. If compliance and secure remote access are important to your business—talk to us at SecureLink.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.