Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Education Security

Personal Data About Millions of Children Stolen from Schools, Leaked onto the Darkweb (nbcnews.com) 32

Long-time Slashdot reader phalse phace quotes NBC News: Most don't have bank passwords. Few have credit scores yet. And still, parts of the internet are awash in the personal information of millions of schoolchildren.

The ongoing wave of ransomware attacks has cost companies and institutions billions of dollars and exposed personal information about everyone from hospital patients to police officers. It's also swept up school districts, meaning files from thousands of schools are currently visible on those hackers' sites.

NBC News collected and analyzed school files from those sites and found they're littered with personal information of children. In 2021, ransomware gangs published data from more than 1,200 American K-12 schools, according to a tally provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity company Emsisoft.

Some schools contacted about the leaks appeared unaware of the problem. And even after schools are able to resume operations following an attack, parents have little recourse when their children's information is leaked. Some of the data is personal, like medical conditions or family financial statuses. Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.

This discussion has been archived. No new comments can be posted.

Personal Data About Millions of Children Stolen from Schools, Leaked onto the Darkweb

Comments Filter:
  • Oh wait... Never mind.
  • Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.

    Why would a school need a social security number?

    • free / reduced lunch? other low income stuff?

    • I'm old enough to remember when they used to post class schedules in the cafeteria (this was around 1996) with student ID numbers, birth dates, and SSNs. Even back then I complained. I was told I was paranoid. Your tax dollars at work.
      • by jmccue ( 834797 )

        I remember when SSN was not a requirement for School and just about all kids did not have one.

        The gov should have strictly enforced the clause "not to be used for identification purposes", just about everyone was using it for an ID Number in the early 80s.

        BTW, you are on my lawn.

        • I attended grades 1-3 in two different states with no SSN. At some point, in California, we were encouraged to open savings accounts through some school tie-in with Bank of America, and possibly related to this, I was issued a Social Security card around the same time that I was trying to learn cursive handwriting. My signature on the card is a silly mess. In the punched card era I ran student accounting for a public school district. We used our own shorter number as the student ID key, and did not carr
    • Re:Er (Score:4, Informative)

      by quonset ( 4839537 ) on Sunday September 12, 2021 @12:12PM (#61788333)

      Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.

      Why would a school need a social security number?

      To correctly identify the kid claiming to be Ben Bova is really Ben Bova. Also, it might be possible (not sure) to verify the kid is really from the school district and not from somewhere else.

      Where a particular school district is known for its quality education [npr.org], people who don't live in that district will try to find ways to get their kid to go to those schools [avvo.com]. For example, they may have the kid live with a grandparent who is in the district, but not the kid's legal guardian [indianalegalservices.org]. Someone who lives near the border of the district might try to get their kid into the district, hoping the school won't look too closely where the kid lives. Depending on your state, school districts are funded by the taxes of people from the district itself. If someone who isn't in the district attempts to have their kid go to schools in the district, they aren't paying for their kid's schooling.

      • by PPH ( 736903 )

        To correctly identify the kid claiming to be Ben Bova is really Ben Bova.

        Social security numbers are not supposed to be used for authenticating identity. They may have some use in keeping unique instances of children named Ben Bova sorted out. And since federal financial aid to schools based on daily attendance is involved, might as well use that number which will identify you for the remainder of your life.

      • Other pieces of data, such as Social Security numbers or birthdays, are permanent indicators of who they are, and their theft can set up a child for a lifetime of potential identity theft.

        Why would a school need a social security number?

        To correctly identify the kid claiming to be Ben Bova is really Ben Bova. Also, it might be possible (not sure) to verify the kid is really from the school district and not from somewhere else.

        Where a particular school district is known for its quality education [npr.org], people who don't live in that district will try to find ways to get their kid to go to those schools [avvo.com]. For example, they may have the kid live with a grandparent who is in the district, but not the kid's legal guardian [indianalegalservices.org]. Someone who lives near the border of the district might try to get their kid into the district, hoping the school won't look too closely where the kid lives. Depending on your state, school districts are funded by the taxes of people from the district itself. If someone who isn't in the district attempts to have their kid go to schools in the district, they aren't paying for their kid's schooling.

        lol you must not work with any schools in the last decade or two.

        If you say that you are a migrant farm family or something, you don't even need a birth certificate.

        Though I suppose an American kid might need to show some docs.

        • you must not work with any schools in the last decade or two.

          I suppose it's better than pretending you have any actual information on the topic you're bloviating about.

          Your Truthiness is showing. You might want to have that looked at.

  • You've got to be a really sad little fucking scumbag to do this as a hacker. And the authorities who turn a blind eye, sad fuckers too.

    Old school hacking now looks tame by comparison and hopefully won't attract the stupid long sentences just for accessing servers out of interest and not to blackmail or extort schools and hospitals.

    • Old school hacking now looks tame by comparison and hopefully won't attract the stupid long sentences just for accessing servers out of interest and not to blackmail or extort schools and hospitals.

      These seem to be the type that do get prosecuted. The large corporate data breaches which compromise the information of millions at a time, when properly investigated, revel a significant corporate liability. We can't have that.

    • You make it sound like it's humans making decisions to target schools. By and large, it's probably entirely automated- malware that scoops up everything it can.

  • With the understanding that this kind of intrusion should not happen and is creepy as all hell, I have to wonder just how valuable any of the leaked data is.

    Other than the fact that the child exists, what exactly is so valuable about this data? Attendance records? Grades? Times sent to the principal's office? The parent's sex tapes? Who cares? I am pretty sure there are no social-security or credit card numbers there. Or passwords to log into the family bank accounts or stock portfolio.

    Yes fi

    • It's alluded to in TFS, and TFA sez...

      "In February, just a few months after Toledo Public Schools in Ohio was hit by ransomware hackers who published students’ names and Social Security numbers online, a parent told Toledo’s WTVG-TV that someone who had that information had started trying to take out a credit card and a car loan in his elementary school-aged son’s name."

      • Also, all those "security" questions asking "what was the street you first lived on" are compromised. But, it may be moot. School children love passing around "harmless" questionnaires. I happened to see one that my son did. Favorite color, first dog, etc. I explained to him that he was exposing confidential personal info that can be used against him in the future.

        • Those "security" questions are so unbelievably stupid. In fact, any site that asks that kind of crap and uses it for authentication should be held liable. Then you have the not uncommon situation where you have to pick four "security" questions and the remaining options don't apply to you, so you have to pick something at random and answer "fuck you and the Tesla you drove in on" or something.
          • Personal entropy is actually a powerful and useful tool for authentication.

            The problem, as in just about every security tool, is in the implementation.

            Choosing a large enough set of potential questions is a challenge. Figuring out questions that solicit answers that are likely to be repeated on a per-byte level is difficult. Choosing knowledge or experiences that are unique and unlikely to come up even intimate conversations, but are still memorable, is fiendish, especially when they should be unique to eac

    • I am pretty sure there are no social-security or credit card numbers there.

      Read the goddamn summary, will you?

  • by sjames ( 1099 ) on Sunday September 12, 2021 @02:41PM (#61788827) Homepage Journal

    The sooner we legally force the understanding that there is no such thing as identity theft, the sooner this crap will stop.

    The person who "stole your identity" and took out a new credit card did NOT steal anything from you. No need for you to be involved at all. He committed fraud against a bank. That would be between the bank and the fraudster. Any attempt to get you to pay the bill is a second act of fraud committed by the bank against you and should be treated as such. As soon as you say "that wasn't me", it's done. They can either present evidence that it was ACTUALLY you, not just someone who knew a bit of public information about you or they can STFU. Reporting it to a credit agency when such proof is not available is an act of libel. A credit agency that reports adverse information associated with you better be able to show that it was ACTUALLY you or it is also libel.

    • by HiThere ( 15173 )

      Good luck getting the laws to read and be interpreted that way.

      • by sjames ( 1099 )

        The laws DO read like that. The (huge) problem is interpretation and implementation.

        It's compounded by an entire system of credit (too much credit IMHO) built upon willful ignorance.

    • I agree with this 100%. Also, here in 2021, we still have the trivial-to-copy magnetic stripes in heavy use in the USA. I'm always hearing the stupid news story about being on the lookout for these devices. This is willful negligence shared between the retailers, credit card companies, and banks. It has nothing to do with the holder of the card.
      • by sjames ( 1099 )

        Exactly. The technology needed to stop all of that has existed for decades now, yet it's not even offered as an option.

  • Microsoft Windows strikes again ..
  • ... such as Social Security numbers ...

    Job-boards such as Seek are demanding a driver's licence with every application. This allows employers to check your age, immigration status and domestic education results. It also provides enough private information (address, full name) to trawl credit-history and court reports for details about you.

  • If millions of children were stolen from schools, we need to know about it.

Reality must take precedence over public relations, for Mother Nature cannot be fooled. -- R.P. Feynman

Working...