
Digital Guardian's Blog

Email Mistake at Chicago Schools Underscores Employee Negligence Problem

by Chris Brook on Wednesday June 27, 2018


An employee at Chicago Public Schools accidentally emailed sensitive personally identifiable information (PII) belonging to students to thousands of families earlier this month.

A staffer at Chicago Public Schools mistakenly emailed the sensitive personally identifiable information (PII) of students to almost 4,000 families earlier this month.

The error cost the employee their job, according to an email the school district sent to families 10 days ago.

The incident occurred when the employee was attempting to email families invited to submit supplemental applications to selective enrollment schools. The employee emailed more than 3,700 families and, in one fell swoop, spilled information on students, including their names, email addresses, phone numbers and student ID numbers.

CPS wouldn't say how many students were impacted by the breach, but the district comprises roughly 660 schools and 396,000 students, which makes it the third-largest school district in the United States.

“We sincerely apologize for this unintended disclosure and ask that you please delete the information in question,” Tony Howard, executive director of CPS’ Department of Education Policy and Procedures, wrote in the email. “We are taking this matter very seriously, and a review of this incident is underway to determine how this breach occurred and ensure a similar matter does not occur again.”

Only a few weeks ago, the city of Chicago introduced a data protection ordinance (.PDF) that would require businesses to obtain opt-in consent from residents to use their personal information and to notify residents within 15 days of a breach. According to the ordinance, organizations would also have to notify the City of Chicago regarding the timing, content and distribution of the notices to individuals and the number of affected individuals. The ordinance isn’t in effect yet, but it appears CPS would have been in compliance, as the district only waited a few hours to disclose the breach.

 


It's the second data breach Chicago Public Schools has suffered in the last two years. In November 2016 the school system was forced to notify 30,000 students after an employee improperly accessed a data system containing student information and distributed it to a charter school operator.

That incident involved a nosy employee, but this month’s data loss incident can more or less be chalked up to a mistake. Regardless, the breach still underscores the problem of employee negligence, one of the biggest driving factors behind breaches over the last several years.

According to the 2017 Cost of Data Breach Study (.PDF), a report carried out by the Ponemon Institute and sponsored by IBM, 25 percent of the data breaches it parsed were due to negligent employees or contractors, a figure that translated to roughly $126M per capita. The report aggregated data from 419 companies from 11 countries worldwide, along with several in the Middle East and ASEAN region. Each organization experienced a data breach ranging from 2,600 to 100,000 records.

Data loss prevention software can prevent data from leaving an organization through channels such as email, whether through the forwarding of confidential business files or the inclusion of sensitive data in outbound email, the fate CPS suffered. The breach likely could have been avoided by having a prompt displayed to the employee, warning him or her that they were about to send sensitive data outside the organization.

Tags: Data Breaches, Security News

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.