An unfortunate computer user mistake led to one school administrator resigning from her job and more than 1,000 people having very personal information inadvertently shared with dozens of people. Last December, a Montana high school assistant principal attached what she thought were meeting notes in an email to around thirty parents, but the attachment actually contained identifying data, medical records, discipline records, and even mental health data on more than one thousand current and former students of that school.
As in any data breach, one of the first steps is to figure out how the information leak happened. The Missoula County Public School District hired a forensic investigation firm to sort through the issue and make a determination. From what investigators pieced together, after collecting several school computers and conducting a search, the culprit was nothing more than an accidental “cut and paste”-type issue. The administrator may have thought she was cutting and pasting (or dragging and dropping, in other computer parlance) the meeting notes she’d typed up, but the resulting attachment instead gave access to a file that school officials use throughout the work day.
Unfortunately, in this era of record-setting numbers of data breaches and high-tech cybercrimes that can cost billions of dollars, it is easy to forget that sometimes a simple user error can have the same result as a large-scale data breach. This is why CEO phishing is such an effective, costly, and growing form of data breach; more than 120 companies were victims of a CEO phishing attack in the first five months of 2016 alone, all due to an employee making a costly mistake. Over the last few years, other large-scale and widely publicized retail data breaches have occurred due to employee errors like clicking on scam links in emails, downloading harmful content over the company’s Wi-Fi, or failing to implement effective antivirus software.
Accidental data breaches, like the one that occurred at Hellgate High School, often result in mixed emotions. On the one hand, it was an accident, pure and simple. However, at the same time, regardless of the intention, potentially damaging and confidential information was shared with people who had no right to it. That is why the aftermath of an incident like this one involves figuring out how to prevent this type of mistake in the future. It should also serve as a reminder to all citizens to be careful about what information they share with outsiders. Even without any malicious intent, your Social Security number, your medical profile, even your mental health status could end up in the wrong hands, so make sure that everyone you trust with that information is going to safeguard it, and actually needs it in the first place.