Downingtown Area School District

May 30th Update    
Updates — Author: Communications     May 30, 2008

Fraud Alert
During the meeting on May 30th, the district provided information that residents can use to obtain credit fraud alert notification.  A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling just one of the three nationwide credit reporting companies. As soon as that company processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file.

To place either an initial fraud alert or extended fraud alert, you will be required to provide appropriate proof of your identity, which may include your Social Security number.

Initial Fraud Alert
An initial fraud alert stays in your file for at least 90 days. To obtain the free 90-day fraud alert, call any one of the three major credit reporting agencies and follow the simple instructions.

 * Equifax: 1-800-525-6285;  www.equifax.com
 * Experian: 1-888-397-3742; www.experian.com  
 * TransUnion: 1-800-680-7289; www.transunion.com

Extended Fraud Alert
 An extended alert stays in your file for seven years.  Call one of the above credit reporting agencies to request an extended alert.  If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state or local law enforcement agency.
 
The Computer Breach report filed by the district with the credit agencies is Case No. 805290684.
The police Investigation Report (#20080522M6835(D)) can be downloaded by clicking here.

 In order to protect your identity, you must submit a written request to remove the fraud alert from your credit file. Please send your request to: TransUnion, P.O. Box 6790, Fullerton, CA 92834.
For more detailed information about the identity theft report, visit www.consumer.gov/idtheft.


May 27th Update    
Updates — Author: Communications     May 27, 2008

The District continues to investigate the May 9th computer breach by a 15-year-old student. Plans are continuing for the May 29th Cyber Information Forum. Dr. Sandra Griffin, Superintendent, and Buck Jones, Director of Technology, will join Dr. Robert D’Ovidio, Special Agent John Toney and Detective Roy Calarese on the panel. Please join us and bring your questions and concerns to this forum.


May 23, 2008 Update    
Updates — Author: Communications     May 23, 2008

We stress again that both the police and district administrators believe that all involved in this breach were students, and that the conduct of these students was motivated by an irresponsible interest in determining whether they could infiltrate the network and circumvent the safeguards.  That being said, it is imperative that we communicate to our community and staff the district’s commitment to reinforce our network’s security system.

What have we done?

Prior to 2006, Social Security numbers had been used by the district as key indicators in our resident database. The file the student accessed was a copy of a report that had been issued in 2005. (He did not access our secured database.) Social Security numbers are no longer used by the district and our new database does not include this information. Once the police investigation is completed, the report the student copied will be destroyed.

In December 2007, a 16 year old student used illegal hacking and password retrieval software to open an encrypted file he had illegally downloaded. That student was arrested and has been charged with a felony. Following that investigation, the technology department requested school board authorization for a complete overhaul of the active directory file structures dealing with login, password security and folder access permissions. The district has hired CommSolutions for this process and has arranged for Canon Business Solutions to begin virtualizing the district’s datacenter. This process will increase the district’s ability to better manage and monitor the 70 plus district servers.

When it became known recently that students had successfully circumvented “Websense”, the district’s internet filtering software, and downloaded games to a server file, the district responded with the selection of a more powerful filtering software program.

Dr. Sandra Griffin has also authorized the immediate implementation of the following security enhancements:
*  The District’s Central Office server will be segregated from the network.
*  All permissions will be removed from the District’s central office server. Authorization to access these staff and community files will be limited.
*  All generic log-in permissions will be eliminated. Generic permissions were often used by community members attending district workshops.
*  A full time network security specialist has been reassigned to oversee file privileges.
*  The process of logging incidents, and response to those incidents, is being reviewed and updated.
*  More frequent and intensified security audits of the network and files will be implemented.

The district will host a Cyber Safety Informational Presentation on Thursday, May 29th at the Lionville Middle School at 7:30 PM. A Cyber Safety expert, Secret Service Agent, Chester County Detective and other professionals will be present to provide the community with answers to cyber security concerns. This workshop is the latest in a series of programs the district has sponsored, and will continue to sponsor, on computer safety and responsibility.


May 21, 2008 Update    
Updates — Author: Communications     May 21, 2008

The District and the Downingtown Police Department are continuing their investigation into the unauthorized use of a district computer by a 15-year-old student. The Downingtown Police issued a press release on May 21st announcing the arrest of this student. The announcement states that the 15-year-old 9th grade student has been charged with the following:

Theft by Unlawful Taking or Disposition (Misdemeanor)
Computer Theft (Felony)
Unlawful Duplication (Felony)
Computer Trespass (Felony)

The student has been released into the custody of his parents and is awaiting action in Chester County Juvenile Court.

The police continue to stress that it is their belief that the student did not use the information he retrieved for any malicious means.  To quote from their press release:

“Our investigation at this point does not indicate that the personal information breached was sold or otherwise mass distributed.”

1) We have received new information from police that indicates the student has informed them that he did not share taxpayer information with several students as had been reported. It is the Police Department’s understanding that the student “bragged” about having the information but apparently tried to share it with only one other student. The student’s home computer and flash drive have been confiscated and are undergoing forensic examination by the Chester County Detectives Computer Crime Unit to determine if the files were provided to any other student. The police note that the second student, who may have received part of the copied files, has had his computer confiscated as well. All three items are undergoing the same forensic examination by the Chester County Detectives Computer Crime Unit. The second student is cooperating with police and has not been charged.

 2) The District will hold a Cyber Information Session for the community in the Lionville Middle School cafeteria on Thursday, May 29th at 7:30 PM to help answer many of the questions we are hearing on our hotline and by email from this blog. The session will feature cyber experts who will discuss cyber safety, responsibilities, legalities, security options and more.

 Invited to the meeting:

Rob D’Ovidio, Ph.D. Assistant Professor at Drexel University
Department of Culture and Communication.
Computer crime, computer forensics, criminal justice technologies, surveillance and privacy, intellectual property theft, and criminological theory.     

A representative from a Law Enforcement agency and a business technology expert will also be invited to attend to discuss this issue and to answer questions.   

The district continues to cooperate fully with the Downingtown Police Department. Should more information be learned, it will be placed on this website immediately.


Letter to the Community    
Updates — Author: Communications    

May 19, 2008

Re:          District Responds to Data Security Breach by Student

Dear Resident:

This notice is to advise you that there has been an unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of your personal information which the Downingtown Area School District (“the District”) maintains as part of a database of personal information.

The District learned on Friday, May 9, 2008 that a student gained unauthorized access to a District network resource from a classroom computer and copied files that included personal information and Social Security numbers of school employees and community members. The student shared this information with several other students. The involved students have been identified and the information obtained has been recovered. Corrective measures to enhance security on the district’s network have been taken and current network security processes are under review. The District is cooperating with law enforcement authorities to prevent any further unauthorized disclosure of the information.

The student retrieved information from a portion of the District’s computer network that stores files containing employee and salary information as well as certain files that contained resident tax-payer data. Your personal information, including your name, address and Social Security number in an unencrypted and un-redacted form, was among the information accessed.

The District believes that all involved in this breach were students, and that the conduct of these students was motivated by an irresponsible interest in determining whether they could infiltrate the network and circumvent the safeguards.  The District does not believe that the purpose of the breach was identity theft or to use any information acquired.

We are providing you this notice so that you can take measures to contact the credit reporting agencies and monitor any unusual activity in your account.  If you require any additional information, please refer to the District’s website at www.dasd.org which will periodically carry updates regarding this situation.  We have also initiated a District hotline (610-450-4362).  We invite you to call with any questions or concerns and we will respond as soon as possible.

Under Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, contact www.annualcreditreport.com or one of the following:

Equifax
P.O. Box 740256
Atlanta, Georgia 30374
www.equifax.com

Experian
P.O. Box 9532
Allen, Texas 75013
www.experian.com

TransUnion
P.O. Box 6790
Fullerton, CA 92834
www.transunion.com

You can also visit these other sites for more information:

Federal Trade Commission Credit Repair information - http://www.ftc.gov/bcp/conline/pubs/credit/repair.htm

Federal Trade Commission Identity Theft Center - http://www.consumer.gov/idtheft/

 Sincerely,

Sandra Griffin, Ed.D.
Superintendent


May 20th Press Release    
Updates — Author: Communications    

For Immediate Release:

DATE: May 19, 2008
CONTACT: Pat McGlone
SUBJECT: Update on security breach

District personnel spent the weekend investigating files that had been accessed by the unauthorized use of a computer by a 15-year-old student. The investigation determined that the files were from the year 2005 and included the names and Social Security numbers of district residents and the W-2 forms of the teachers from one of our schools. On Monday, the district sent a letter to those district residents whose personal information was contained in those 2005 files. The staff involved was notified by email on Friday.

The breach occurred in the high school during the student’s study hall, a time when students are authorized to use the school’s computer for studying and research. Though the investigation is not yet complete, it is believed that the student gained unauthorized entry into data files.  He downloaded the information to a flash drive and copied the files to his home computer.  The student and his parents have been interviewed and his personal computer has been surrendered and is in police custody for forensic examination.

In December 2007, another DASD student circumvented the security of the district’s computer network by using unauthorized software.  That student was arrested and has been charged.  The district responded to this incident by researching and putting together a plan to overhaul the active directory file structures dealing with login, password security and folder access permissions.  The second security breach will require complete additional security revamping.

The District believes that the conduct of these students was motivated by an irresponsible interest in determining whether they could infiltrate the network and circumvent the safeguards. The District does not believe that the purpose of either breach was identity theft or the use of any information acquired.

The District has been working closely with the Downingtown police department and will continue to provide updates to the community as information is made available.

 


May 16th press release    
Updates — Author: Communications    

For Immediate Release:

DATE: May 16, 2008
CONTACT: Pat McGlone
SUBJECT: District Responds to Data Security Breach by Student

The Downingtown Area School District learned on Friday, May 9, 2008, that a student had overridden the security of a classroom computer and copied files that included personal information and Social Security numbers of school employees and community members. He shared this information with several other students.  The involved students have been identified and the information obtained has been recovered. Corrective measures to enhance security on the district’s network have been taken and current network security processes are under review. 

The District is currently conducting a thorough investigation and is cooperating with law enforcement authorities to determine the full extent of the breach and to prevent any further unauthorized disclosure of the information. The students retrieved information from a portion of the District’s computer network that stores files containing employee and salary information as well as certain files that contained resident tax-payer data.

The District believes that all involved in this breach were students, and that the conduct of these students was motivated by an irresponsible interest in determining whether they could infiltrate the network and circumvent the safeguards. The District does not believe that the purpose of the breach was identity theft or the use of any information acquired.

While not all staff members are affected by this breach, Dr. Sandra Griffin notified all employees by email of the situation and advised them to follow up by checking with a credit check provider. “Please know that we take the security of personal data seriously and we are currently in the process of updating our network security practices,” wrote Dr. Griffin in her email.

Individual staff members who are directly affected by the breach are being notified by a separate letter. The District is also in the process of sending letters home to community members whose information was accessed by the students. 

In response, the District has: 

  • Tightened up folder security by confirming all folder permissions
  • Separated network servers to ensure that students have access only to student servers
  • Reconfirmed the integrity of the district’s firewall protection to prevent unauthorized outside users
  • Removed all access to folders that had been breached.
  • Continued to remind teachers and administrators to keep individual district passwords private.
  • Begun a Board authorized complete overhaul of the active directory file structures dealing with login, password security and folder access permissions.

 

