Saturday, March 08, 2014

Criminal Negligence

It's not too hard to find out where I teach, if you're so inclined to learn.  Over the years some commenters have named the school or the district; while I don't try to keep my employer a secret, I don't think I should make it as easy as possible for miscreants, for example, to know.  It's the same reason I don't identify where I live, either!

In this post, though, I identify my employer.  And I suggest they might be guilty of criminal negligence.  And no, I'm not being hyperbolic.  I'm being serious.

It all started last September.  A couple of teachers at our school started receiving bills for credit cards for which they didn't apply--yes, identity theft.  It took a lot of time to correct the issue but at least they weren't under any threat of having to pay the fraudulent bills, which totaled thousands of dollars.  The stores involved--and they were the same stores--didn't seem overly interested in catching the identity thiefs, merely in clearing up the accounts of these two teachers.

But then one of the teachers heard from a friend at another school.  The same thing had happened there.  That's too much of a coincidence.  Somehow, some information must have gotten out of the district.  These criminals were establishing credit using fake drivers licenses and social security cards--that had the SSNs of these teachers.

In about the 2nd week of October, we got more word that more teachers' identities had been stolen.  About the 2nd week of November, more.  This kept up.

Early on some of our teachers notified the district and told them what was going on. The most positive spin you could put on the district's reply was "dismissive".  My identity wasn't stolen but I was active in getting information about these identity thefts because I didn't want mine stolen, and if it was, I wanted to be able to react immediately.  So I received the email that the district sent out to those who notified them, and it was bad.  I wish I'd kept that email so I could quote it verbatim, but I didn't so we'll have to go with my best-shot-from-memory:
We don't have any evidence that there has been any leak of information from the district office.  It's possible that criminals have gone to our school web sites, gotten lists of teachers from there, and then gone to sites like spokeo.com (seriously, they idenfied this one site) and gotten personal information from there.
Occam's Razor says that isn't what happened, especially since sites like spokeo and Intellius and the like require payment.  And I doubt those sites provide social security numbers, which the thieves had, even behind the paywall!  But that was the district's story, and they were going to stick with it.  They continued to stick with the "spokeo"* excuse and would not budge.  To be so cavalier, in the face of mounting evidence each month, about the potential loss of sensitive information about employees is more than just shameful.  It's negligent.

In the perfect world of the lefties, this is exactly the kind of situation that a union should be good for.  However, our local union was seemingly useless.  Yes, they asked members to notify them if their identities got stolen, but none of us has seen any evidence that the union pushed the district at all to find out why or how more and more teachers--and I've heard only of teachers--kept getting fraudulent credit card bills about 2 weeks after payday.

From both the union and the district, the messaged seemed to be "nothing to see here, please move along."

I cannot find any news links, but here's what I've heard--fairly recently, a woman went into a very-high-end bike store and tried to buy about $5000 of new bikes and equipment on new credit.  She apparently knew nothing about bikes.  The store employee recognized this as having happened recently at another store, where it was a case of identity theft, and the employee notified the police.  When the police showed up, two men in the parking lot darted and the woman was caught.

This led to a search of a house located within the boundaries of my school district.  A search of computer files there led over 350 miles away, to Southern California:
FBI agents who executed two search warrants -- one in the Sacramento area and another in Southern California -- have identified about 23,000 compromised American Express accounts, according to a criminal complaint filed in federal court Thursday.

The complaint suggests Mihran Melkonyan and Rouslan Akhmerov conspired to defraud American Express by establishing a fraudulent business, obtaining victim AmEx credit card information, and using the illegally obtained credit card details to bill American Express...

At an address in Southern California, among other things, the FBI found 50 academic reports from the San Juan Unified School District, the complaint said.
"Academic" reports?    You can probably guess what I'm thinking about whether or not these were "academic reports".

*Incidentally, I tried to pull myself up on spokeo.com.  I typed in my name and city, and what information they show for free--remember, it's a pay site--was wrong about me.  They even had me living on the wrong street, unless there's another Darren Miller in my area on that street.

Update, 3/10/14:  More information is on the district's web site today:
It’s unclear whether the documents in question relate to student, parent, employee or vendor personal information.

The matter was first brought to the attention of the District on March 6 when contacted by KCRA 3. In response the District is: 

  • Reaching out to the FBI and requesting additional information to identify the specific documents in question so the District can notify those impacted and determine how the documents might have made their way to the Southern California home; 
  • Reviewing the criminal report provided by KCRA 3 and checking all names, addresses and phone numbers for connections with students, parents, employees, or vendors; 
  • Notifying our community of the reported breach via messages on our Web site, employee intranet and upcoming e-newsletters. 
  • Committing to keeping our community informed of any developments and notifying those whose information may have been contained in the documents as that information is known.
If "[t]he matter" being referred to is just the documents in Southern California, it's probably true that the district didn't know about this until March 6th.  However, further on in the linked piece they discuss identity theft, and it's absolutely not true that the district was in the dark about that subject before March 6th (I wish I'd kept their dismissive email saying thieves could get our personal information, presumably even SSNs, from spokeo.com).  As I've said, we at my site were questioning the district back in the early fall about potential identity thefts.  They did less than nothing.

If it turns out that employee information has left the district, and they repeatedly denied that it had and refused to accept even the possibility, then heads should roll.

Update #2, 3/12/14:  Here's a snip from the email I mentioned:
Please be assured that the District shares your concern regarding identity theft and we have spoken to Bob Erickson from Safe Schools to facilitate the Sac County sheriff¹s office opening an investigation to look for links.

We know of no breaches of security within our employee database.  When speaking to Bob Erickson, he indicates that  once a list of employees is known (this comes from our external website so that parents can contact teachers),  ID thieves can go to a simple website such as spokeo.com and find out tremendous amounts of personal information.  Please keep in mind that the District is not the only organization that holds personalinformation.
It's not us, it's the evil spokeo!  Will spokeo, which doesn't even have my address correct, provide my social security number?  Because all the false credit that was established was done by criminals who had teachers' social security numbers.

I think things are going to get a lot hotter at the district office before they cool down over this topic.

6 comments:

maxutils said...

You're right ... that SHOULD be a union issue. Were formal grievances filed? This isn't a left or right issue, it's a "Is the district protecting employee records issue." That might be difficult to prove, one way or another ... but it certainly walks like a duck.

Auntie Ann said...

hmmm...how much info does the union have? Is there any reason they would have SSN#s? If this was just teachers, and not other school staff, that makes me wonder: could the leak have been from the union office?

KauaiMark said...

The district must be reading the Obama playbook on "deflecting blame"...

"...it was the video that caused Benghazi"

Mr. W said...

I have been saying that our district has been selling our email addresses because if all the spam we get. muh higher than any other email address I have. plus they are all educational related.

we have tried to flag them as spam, but they always come in. To me that is the districts doing.

clearly your district had a breach, but like a typical district refuses to acknowledge they might be wrong.

Ellen K said...

This is a huge issue and ironically while on vacation in New Orleans last weekend, I had to deal with it personally. My Citi card was used to buy a very expensive camera using my son's name as the contact. Before it could be shipped to what was our home address, the purchaser then changed the order and the delivery address after ordering a far more expensive camera. Luckily the store owner thought this odd and called Citi who had their fraud claims agent call me. Three days later with old accounts closed and new ones opened I have had to go through the credit agencies to put a credit watch on all accounts. The spookiest part of this is that they used my son's name. The police detective I talked with said that teachers, police, firefighters and other government employees are especially susceptible to exploitation because so much of our information is on databases. What is shocking is how loyalty cards for stores like Krogers or Macy's or Kohl's are often sold as outright information for legitimate and possibly unauthorized use. All I can say is minimize your cards, keep check on them daily and know who you are dealing with. I am pretty sure my card went through a skimmer at the Krogers where I buy gas. It's simply a crapshoot on not whether you will get hit by this, but when.

Linda said...

Either union or district employee - neither the district nor the union wants to pursue it, because they'd have to justify NOT firing the employee.