By: Tonya Mead, CFE, CHFI, PI, MBA, MA Educational Psychology
Data breaches exposing the personally identifiable information of K-12 students taking a standardized assessment in English and math occurred in two states last week: New York and Mississippi. The data and technology systems used to administer, maintain, and compute the computerized assessment were procured by the states from Questar, the standardized exam vendor.
The confidential information of students attending five New York public schools and three schools in Mississippi was accessed during the New Year’s holidays. “The [hacked] data included some student names, identification numbers, grade levels and teachers’ names, but not student addresses, Social Security numbers, disability status or test scores,” reported Questar. The company speculated that the perpetrator (hacker) who gained unauthorized access to the data could have been a former employee. However, the Questar spokesperson couldn’t “see any reason that anyone would do it [access the data].” Mmmm, let’s go over some of the reasons below.
According to Security Intelligence, insiders (employees, vendors, contractors, former employees/vendors) account “for nearly 75 percent of security breach incidents.” This is why InfoSecurity magazine reasons that employee education is the first line of defense against data breaches.
I, too, recognize this threat in the education and human services space and have conducted presentations on the Need for Cybersecurity Training for Educators and Administrators at NIST (Federal Information Systems Security Educators Association), NICE and the National Association of State Directors of Educator Certification Programs. Insiders are considered much more dangerous than the typical cyber criminal because they have ready access to “key applications, storage systems and touch points,” says Security Intelligence.
Human Error and Other Reasons
Human error resulting from the lack of training in data integrity, information systems governance, cyber security and ethics is the main cause of insider breaches. However, we must not use this as an excuse for complacency. The more nefarious reasons why insiders would hack into systems are to wreak havoc, disrupt operations, cause a public relations snafu, obtain employee roster information, steal intellectual property, or obtain national security secrets.
So there you have it. Most computer hacking forensic investigators, certified ethical hackers and certified fraud examiners are aware of the damage a data breach can cause. We’re hoping that those elected, appointed, employed or hired as a vendor to serve the public will be cognizant of the threat as well.
Tonya J. Mead, CFE, CHFI, PI, MBA, MA, formerly a certified K-12 Administrator and School Psychologist, is author of Fraud in Education: Beyond the Wrong Answer and president of Shared Knowledge, LLC (https://ishareknowledge.com). If you like her work, please support her at Patreon.