Stupid user tricks 3: IT admin follies

IT heroes toil away unsung in miserable conditions -- unsung, that is, until they make a colossally stupid mistake

Stupid user trick No. 3: Soup of the day: Social Security numbers
Throw a bag of the finest steaks into a piranha-infested river, and you've got no right to complain when the fish make quick work of it.

In a sense, that's what happened when a 15-year-old freshman at Downingtown West High School stumbled upon, then copied, files containing highly sensitive personal information -- including Social Security numbers -- of roughly 41,000 current and former students, families, and other town residents.

Similar because, as the district admits, the sensitive data was placed in a completely unprotected part of the school's computer network by a member of the district's IT staff. More than that, the admin had stored the files in a network segment to which students had access.

Whereas the student was charged with three felonies and one misdemeanor computer crime for copying information left nearly in plain view, the admin is considered guilty of nothing more than a brain-dead IT gaffe.

For what it's worth, the town's police determined that the student merely copied the data to a portable drive and gave only one copy to another student, who is cooperating with the police. That hasn't dampened the witch hunt, however, as several parents and residents are calling for the student to serve jail time.

Why the district was collecting the Social Security numbers of residents for the purpose of sending them newsletters, however, has not come under scrutiny. Nor has the lack of safeguards IT placed on that information.

So negligent was the IT handiwork that, according to school district spokeswoman Pat McGlone, the student "did not need to crack any passwords, evade any firewalls, or blow down any doors, so to speak. He just simply needed to be curious and bored," as Will Hobson wrote in the Philadelphia Inquirer.

And if boredom is all it takes for a teenager to expose 41,000 Social Security numbers, you know your approach to IT isn't smart.

Fallout: Fortunately for the student, cooler heads prevailed at the Chester County Deputy district attorney's office. The student won't face prison time. The district, on the other hand, has had to scramble to send out 16,600 letters to residents warning them about the potential for identity theft and has rushed to better secure its network and this sensitive data.

Moral: Maintaining a highly sensitive database requires encryption -- especially where bored teenagers are allowed to roam. In fact, keep your stored Social Security numbers off the cafeteria lunch menu portal altogether. Oh, and rather than just pillory a tech-savvy 15-year-old for taking advantage of an open door to sensitive personal data, lay equal blame on the IT worker, as well as the person in charge of collecting and protecting the database.
