Security OOPS! PII For School Employees Accidentally Mailed by School’s Contractor

On November 27 the Chicago Tribune reported:

“A printing contractor for the Chicago Public Schools said Sunday that it mistakenly mailed a list of names, Social Security numbers and home addresses of nearly 1,740 former school employees as part of a packet of health-insurance information to them.”

Oops! Another privacy breach resulting from a combination of human error and actions by an outsourced vendor.

But wait…was the primary error really caused by All Printing & Graphics Inc., the contractor?
The report indicates the Chicago Public Schools sent them the information to “print, stuff and mail” within an email message. Why did the school system send the 125-page list of current and former school employees' personally identifiable information (PII) in the email in the first place? Was it to provide the mailing addresses? If so, then why didn't they send a file with only the mailing addresses, and not Social Security numbers as well?
There are not enough details to determine why such sensitive information was sent to the print vendor. The article also does not indicate whether or not the PII was encrypted in the email, but the lack of any reference to encryption, together with the common bad practice of most companies still not encrypting PII within emails, leads me to believe that the school system likely sent highly sensitive PII in clear text attached to an email; quite a large vulnerability.
The recipients of the large PII listing are understandably concerned. Some have indicated that they have been diligently shredding and disposing of their PII over the past few years in an effort to protect their privacy and guard against identity theft, only to find that a trusted organization (their current or former employer) had made the PII available to up to 1,740 people. In many of their reported views, this basically undermined all their work to protect their own privacy.

“Vaughn said school officials plan to send out a follow-up letter Monday that will formally apologize for the mistake, thank recipients who might have already shredded the list and instruct those who have not to mail it back in a postage-paid envelope. The letter will also include information about credit-card and identity-theft protection, Vaughn said.”

The school system is ultimately responsible for the error. It seems reasonable they should offer credit monitoring to the involved individuals; it will be interesting to see if they do.

“A retired administrator at Hearst Elementary School whose name appears on the list said she was especially disturbed to find the packet lying on her doorstep instead of inside her mail slot.”

Yes, information sent via USPS is vulnerable to the unsecured delivery methods chosen by the mail carriers. This is another opportunity for PII to be taken and misused, including for crime. I recently discussed a USPS mail incident that demonstrates how mail can be targeted for theft.
The Chicago Teachers Union is considering legal action in response to this breach.
This incident reinforces the need to have several different information security and privacy controls in place, such as:
* Do not send clear text PII in or attached to email messages. Strongly encrypt data passing through public networks (as well as on mobile storage devices).
* Send outsourced vendors and business partners only the minimum amount of PII necessary to perform the activity for which they are contracted.
* Include detailed information security requirements within outsourced business partner and vendor agreements.
* Perform due diligence and ongoing follow-up to ensure business partners and vendors have a comprehensive information security program that they enforce.
* Document and test a privacy breach incident response plan to most efficiently, effectively and consistently handle breaches when they occur.
* Provide ongoing training and awareness to personnel, business partners and vendors to ensure all who handle or otherwise have access to PII know and understand how to properly safeguard it.
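The data-minimization control above, applied to the “print, stuff and mail” hand-off the post describes, as an added example that is not part of the original post: a constructed employee export is reduced to the allow-listed mailing fields, and a pre-send check refuses to release the file if any Social Security number shaped value survives. The field names and sample rows are assumptions for illustration.

```python
import csv
import io
import re

# Constructed sample export (not real data): far more than a mailing needs.
EMPLOYEE_EXPORT = """employee_id,name,ssn,street,city,state,zip,notes
1001,Ada Lovelace,123-45-6789,10 Main St,Chicago,IL,60601,former
1002,Alan Turing,987-65-4321,22 Oak Ave,Chicago,IL,60602,SSN 111223333 on file
"""

# Allow-list: the only fields a print-and-mail vendor needs (assumed names).
MAILING_FIELDS = ["name", "street", "city", "state", "zip"]

# Nine digits, optionally grouped 3-2-4 with dashes or spaces, not part of a
# longer digit run. Five-digit ZIP codes and four-digit ids do not match.
SSN_PATTERN = re.compile(r"(?<!\d)\d{3}[- ]?\d{2}[- ]?\d{4}(?!\d)")


def minimize_for_mailing(export_csv, fields=MAILING_FIELDS):
    """Return a CSV with only the allow-listed fields, in allow-list order.

    Fields outside the allow-list (SSN, employee id, free-text notes) are
    dropped rather than masked, so they never leave the organization.
    """
    reader = csv.DictReader(io.StringIO(export_csv))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def find_ssn_like_values(csv_text):
    """Pre-send check: list every SSN-shaped token in the outbound file.

    The allow-list only knows column names; this catches identifiers that
    were typed into a kept field (for example an SSN pasted into a name).
    """
    return SSN_PATTERN.findall(csv_text)


def prepare_vendor_file(export_csv):
    """Minimize, then refuse to release the file if SSN-like values remain."""
    minimized = minimize_for_mailing(export_csv)
    leaks = find_ssn_like_values(minimized)
    if leaks:
        raise ValueError(f"refusing to send: {len(leaks)} SSN-like value(s) remain")
    return minimized
```

The minimized file is what would then be encrypted for transit to the vendor; the check runs on the same bytes that are about to leave.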
