Personal Data About Millions of Children Stolen from Schools, Leaked onto the Darkweb (nbcnews.com) 32
Long-time Slashdot reader phalse phace quotes NBC News: Most don't have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren.
The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It's also swept up school districts, meaning files from thousands of schools are currently visible on those hackers' sites.
NBC News collected and analyzed school files from those sites and found they're littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children's information is leaked. Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It's also swept up school districts, meaning files from thousands of schools are currently visible on those hackers' sites.
NBC News collected and analyzed school files from those sites and found they're littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.
Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children's information is leaked. Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Think of the children. (Score:1)
Re: (Score:3)
I remember when they first started requiring SSNs for children declared as dependents for tax purposes. Millions of children disappeared that year.
Er (Score:1)
Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Why would a school need a social security number?
free / reduced lunch? other low income stuff? (Score:3)
free / reduced lunch? other low income stuff?
Re: (Score:1)
Re: (Score:2)
I remember when SSN was not a requirement for School and just about all kids did not have one.
The gov should have strictly enforced the clause "not to be used for identification purposes", just about everyone was using it for an ID Number in the early 80s.
BTW, you are on my lawn.
Re: (Score:2)
Re:Er (Score:4, Informative)
Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Why would a school need a social security number?
To correctly identify the kid claiming to be Ben Bova is really Ben Bova. Also, it might be possible (not sure) to verify the kid is really from the school district and not from somewhere else.
Where a particular school district is known for its quality education [npr.org], people who don't live in that district will try to find ways to get their kid to go to those schools [avvo.com]. For example, they may have the kid live with a grandparent who is in the district, but not the kid's legal guardian [indianalegalservices.org]. Someone who lives near the border of the district might try to get their kid into the district, hoping the school won't look too closely where the kid lives. Depending on your state, school districts are funded by the taxes of people from the district itself. If someone who isn't in the district attempts to have their kid go to schools in the district, they aren't paying for their kid's schooling.
Re: (Score:3)
To correctly identify the kid claiming to be Ben Bova is really Ben Bova.
Social security numbers are not supposed to be used for authenticating identity. They may have some use in keeping unique instances of children named Ben Bova sorted out. And since federal financial aid to schools based on daily attendance is involved, might as well use that number which will identify you for the remainder of your life.
Re: (Score:1)
Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.
Why would a school need a social security number?
To correctly identify the kid claiming to be Ben Bova is really Ben Bova. Also, it might be possible (not sure) to verify the kid is really from the school district and not from somewhere else.
Where a particular school district is known for its quality education [npr.org], people who don't live in that district will try to find ways to get their kid to go to those schools [avvo.com]. For example, they may have the kid live with a grandparent who is in the district, but not the kid's legal guardian [indianalegalservices.org]. Someone who lives near the border of the district might try to get their kid into the district, hoping the school won't look too closely where the kid lives. Depending on your state, school districts are funded by the taxes of people from the district itself. If someone who isn't in the district attempts to have their kid go to schools in the district, they aren't paying for their kid's schooling.
lol you must not work with any schools in the last decade or two.
If you say that you are a migrant farm family or something, you don't even need a birth certificate.
Though I suppose an American kid might need to show some docs.
Re: (Score:2)
you must not work with any schools in the last decade or two.
I suppose it's better than pretending you have any actual information on the topic you're bloviating about.
Your Truthiness is showing. You might want to have that looked at.
Re: Er (Score:1)
Sad bastards (Score:2)
You've got to be a really sad little fucking scumbag to do this as a hacker. And the authorities who turn a blind eye, sad fuckers too.
Old school hacking now looks tame by comparison and hopefully won't attract the stupid long sentences just for accessing servers out of interest and not to blackmail or extort schools and hospitals.
Re: (Score:3)
Old school hacking now looks tame by comparison and hopefully won't attract the stupid long sentences just for accessing servers out of interest and not to blackmail or extort schools and hospitals.
These seem to be the type that do get prosecuted. The large corporate data breaches which compromise the information of millions at a time, when properly investigated, revel a significant corporate liability. We can't have that.
Re: (Score:2)
You make it sound like it's humans making decisions to target schools. By and large, it's probably entirely automated- malware that scoops up everything it can.
Re: Sad bastards (Score:2)
Yes, but they extort as much as they can by looking at who's data they have, that's a human decision.
What exactly is the data? (Score:1)
With the understanding that this kind of intrusion should not happen and is creepy as all hell, I have to wonder just how valuable any of the leaked data is.
Other than the fact that the child exists, what exactly is so valuable about this data? Attendance records? Grades? Times sent to the principal's office? The parent's sex tapes? Who cares? I am pretty sure there are no social-security or credit card numbers there. Or passwords to log into the family bank accounts or stock portfolio.
Yes fi
Re: (Score:3)
It's alluded to in TFS, and TFA sez...
"In February, just a few months after Toledo Public Schools in Ohio was hit by ransomware hackers who published students’ names and Social Security numbers online, a parent told Toledo’s WTVG-TV that someone who had that information had started trying to take out a credit card and a car loan in his elementary school-aged son’s name."
Re: (Score:2)
Also, all those "security" questions asking "what was the street you first lived on" are compromised. But, it may be moot. School children love passing around "harmless" questionnaires. I happened to see one that my son did. Favorite color, first dog, etc. I explained to him that he was exposing confidential personal info that can be used against him in the future.
Re: (Score:1)
Re: (Score:2)
Personal entropy is actually a powerful and useful tool for authentication.
The problem, as in just about every security tool, is in the implementation.
Choosing a large enough set of potential questions is a challenge. Figuring out questions that solicit answers that are likely to be repeated on a per-byte level is difficult. Choosing knowledge or experiences that are unique and unlikely to come up even intimate conversations, but are still memorable, is fiendish, especially when they should be unique to eac
Re: (Score:2)
I am pretty sure there are no social-security or credit card numbers there.
Read the goddamn summary, will you?
There is no such thing as Identity Theft (Score:5, Interesting)
The sooner we legally force the understanding that there is no such thing as identity theft, the sooner this crap will stop.
The person who "stole your identity" and took out a new credit card did NOT steal anything from you. No need for you to be involved at all. He committed fraud against a bank. That would be between the bank and the fraudster. Any attempt to get you to pay the bill is a second act of fraud committed by the bank against you and should be treated as such. As soon as you say "that wasn't me", it's done. They can either present evidence that it was ACTUALLY you, not just someone who knew a bit of public information about you or they can STFU. Reporting it to a credit agency when such proof is not available is an act of libel. A credit agency that reports adverse information associated with you better be able to show that it was ACTUALLY you or it is also libel.
Re: (Score:2)
Good luck getting the laws to read and be interpreted that way.
Re: (Score:2)
The laws DO read like that. The (huge) problem is interpretation and implementation.
It's compounded by an entire system of credit (too much credit IMHO) built upon willful ignorance.
Re: (Score:1)
Re: (Score:2)
Exactly. The technology needed to stop all of that has existed for decades now, yet it's not even offered as an option.
Microsoft Windows strikes again .. (Score:1)
Social credit (Score:2)
Job-boards such as Seek are demanding a driver's licence with every application. This allows employers to check your age, immigration status and domestic education results. It also provides enough private information (address, full name) to trawl credit-history and court reports for details about you.
Re: (Score:2)
It's not just job boards too. :(
If millions of children were stolen (Score:2)
If millions of children were stolen from schools, we need to know about it.