The private records for 2,841 Chinook School Division students were available publicly for over 36 hours during an accidental data breach last year.
Details of the data breach were disclosed in a recent investigation report published by the office of the Saskatchewan Information and Privacy Commissioner (SIPC).
The findings of the investigation report by Commissioner Ron Kruzeniski were released on Aug. 11 and the Chinook School Division posted a formal statement about the report on the division website, Sept. 9.
The school division indicated in an e-mailed response to a Prairie Post enquiry that it has no further comment on the matter.
The data breach occurred on Jan. 28, 2020, when a GitHub code repository (GitHub is an online, cloud-based service for storing and sharing program code) was accidentally set to public instead of private. The 2,841 student records were publicly available for 36 hours and 44 minutes.
The data for each student in these records include student name, identification number, telephone numbers, school code, grade, and parent e-mail address.
The breach was discovered by an outside organization, which is not named in the SIPC report. This organization performed a routine deep web internet crawl on Jan. 29, 2020 to look for any online references to the organization’s domain. It found the work e-mail addresses of two school division parents employed by this organization.
The Chinook School Division reported the privacy breach to the office of the SIPC on Feb. 4, 2020. In response, the SIPC determined it had jurisdiction to investigate this matter under the terms of the Local Authority Freedom of Information and Protection of Privacy Act.
It decided to conduct a formal investigation and to issue a report due to the number of affected individuals related to this data breach.
The SIPC reviewed information supplied by the school division during the investigation. The school division provided its internal investigation report to the SIPC and also responded to enquiries from the office of Commissioner Kruzeniski to clarify details of the breach and procedures followed after the breach was discovered.
The school division determined the data was accessed three times during the 36 hours when it was publicly available.
The outside organization’s bot accessed the information when it carried out an internet crawl. Thereafter, the outside organization’s information technology staff member took a screenshot of the domain-related data and shared it with the company’s internal privacy officer. The information was then also viewed by the school division’s information technology staff member after the breach was discovered.
The outside organization told the school division it only inspected the data online through its own GitHub account and no data was downloaded or stored in any way.
The school division notified relevant employees of the breach of privacy. The two parents whose e-mail addresses were found by the outside organization’s security scan were also notified of the incident.
The SIPC report found the school division properly contained the breach after it was discovered. However, Commissioner Kruzeniski noted in the report that the school division did not provide proper notification of the breach and it should have taken steps to notify all 2,841 students and their parents of this breach.
“Notifying all affected individuals of the details of this breach, the steps taken to contain the breach and how the School Division responded to mitigate the risk from happening in the future would have been the more appropriate response in this matter,” the report stated.
The SIPC investigation also found the school division failed to meet its duty to protect data by not having the appropriate checks and balances in place to ensure this information would not be publicly available.
The report noted the school division worked quickly to contain and shut down the breach after it was discovered, and it appropriately investigated the breach.
The school division provided the SIPC with information about steps taken to prevent future data breaches. It purchased a version of GitHub with a private setting, the information technology manager reviewed privacy policies and procedures with staff, and staff reviewed the procedure for securing data through the use of GitHub and other online services.
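One form the "checks and balances" called for in the report can take is a routine audit that lists an organization's GitHub repositories and flags any that are public. The script below is an added example, not code from the article or from the school division; it assumes the GitHub REST API endpoint GET /orgs/{org}/repos, whose JSON entries carry "name" and "private" fields, and the organization name, token and sample payload are constructed placeholders.

```python
"""Audit GitHub repository visibility for an organization (added example)."""
import json
import os
import urllib.request

# Constructed sample of what GET /orgs/{org}/repos returns (fields trimmed).
SAMPLE_REPOS_JSON = """[
  {"name": "student-sync", "private": false,
   "html_url": "https://github.com/example-org/student-sync"},
  {"name": "website", "private": false,
   "html_url": "https://github.com/example-org/website"},
  {"name": "sis-export", "private": true,
   "html_url": "https://github.com/example-org/sis-export"}
]"""
SAMPLE_REPOS = json.loads(SAMPLE_REPOS_JSON)


def public_repos(repos, allowlist=()):
    """Return names of repos that are public and not explicitly allowed.

    The allowlist holds repos that are meant to be public (e.g. a website);
    every other public repo is a finding that someone must review.
    """
    return [r["name"] for r in repos
            if not r.get("private", True) and r["name"] not in allowlist]


def fetch_org_repos(org, token):
    """Fetch every repository of an organization via the GitHub REST API."""
    repos, page = [], 1
    while True:
        url = f"https://api.github.com/orgs/{org}/repos?per_page=100&page={page}"
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            batch = json.load(resp)
        if not batch:          # an empty page means we have seen them all
            return repos
        repos.extend(batch)
        page += 1


if __name__ == "__main__":
    # GH_ORG / GH_TOKEN are hypothetical variable names; without them the
    # constructed sample is audited so the script runs offline.
    org, token = os.environ.get("GH_ORG"), os.environ.get("GH_TOKEN")
    repos = fetch_org_repos(org, token) if org and token else SAMPLE_REPOS
    for name in public_repos(repos, allowlist={"website"}):
        print(f"REVIEW: repository '{name}' is public")
```

Run it on a schedule (or as a step in the CI pipeline) so that a repository flipped to public is reported within minutes rather than discovered by an outside crawler a day later.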
Commissioner Kruzeniski indicated in the report that the school division should do more to ensure there are no future data breaches.
“Although these are good first steps, the School Division should take further steps to mitigate this risk,” the report stated. “The School Division should be thoroughly reviewing these applications prior to using them for its own business purposes.”
The Sept. 9 statement by the Chinook School Division indicated the purpose of the announcement was to carry out the recommendations of the SIPC report and it was therefore notifying parents, caregivers and staff of the breach and the steps taken afterwards.
The statement noted that the school division continues to monitor the database and the data is still secure. Software evaluation processes have been enhanced to ensure data will remain protected in the future.
“We apologize if the release of the SIPC report caused anyone alarm or concern,” the statement concluded.