Email Breaches Expose Over 37,000 People's Data at California Colleges

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

California's College of the Desert and Riverside Community College District (RCCD) both recently acknowledged that employee error had resulted in the potential exposure of personal data by email.

On May 30, 2014, an email containing RCCD student records was sent to an incorrect email address by mistake. The error was discovered on June 2, 2014, and it was determined that the email held the names, addresses, phone numbers, email addresses, birthdates, student identification numbers, enrolled classes and Social Security numbers of RCCD students who were enrolled in classes for the spring semester of 2014.

The Press Enterprise reports that a total of 35,212 RCCD students are affected.

"At this time we don't know if the external email account is active, but be assured that we are implementing safeguards to help prevent anyone from using your data," RCCD interim chancellor Irving G. Hendrick wrote in the notification letter [PDF].

All those affected are being offered one free year of access to Experian's ProtectMyID Alert service or, for minors, one free year of access to Experian's Family Secure service.

In response to the breach, RCCD says it's enhancing its security measures, reviewing its policies and procedures regarding student data, and clarifying best practices for secure data handling. According to the Press Enterprise, RCCD's breach response will cost a total of $290,000.

And on June 5, 2014, a College of the Desert employee, without authorization, sent an email with an attached spreadsheet to approximately 78 fellow employees. The spreadsheet held current and retired employees' names, Social Security numbers, birthdates, gender, zip codes, positions at the college, employment anniversary dates, employee ID numbers, health insurance benefit plan choices, health insurance subscriber ID numbers and health insurance premium costs.

The Desert Sun reports that approximately 1,900 current and retired employees are affected.

An attempt was made to recall the email less than an hour after it was sent, though the email still appears to have been delivered to approximately 50 people. While the college was unable to determine how many people may have viewed the attachment, the email was removed from all recipients' inboxes within 24 hours.

"All recipients have been directed not to open, print, or save the contents of the message, including its attachment, and they have also been instructed to delete the message with its attachment," the college stated in its notification letter [PDF], dated June 8, 2014. "Those email recipients will again be reminded not to disclose any information contained in the email. These measures appear to have been partially successful at limiting the disclosure of your personal information to unintended recipients."

It's all too easy to send an email to the wrong person, or to include an attachment by mistake -- and simple errors like those can result in significant (and costly) data breaches.

In September of 2013, a Georgia Department of Labor employee mistakenly emailed a spreadsheet containing 4,457 people's personal data to 1,000 people; in October of 2013, information on all 1,182 prisoners at the UK's HM Prison Cardiff was mistakenly emailed to three inmates' families; and in March of 2014, a third party vendor sent an email containing other customers' loan statements to an undisclosed number of NCO Financial Systems customers.

At Derbycon last last fall, Blackrock Consulting president Bill Gardner and Securicon senior security consultant Valerie Thomas offered several tips on improving security awareness training for employees in order to avoid such mistakes, from ensuring that training is a continuing process to providing specific examples of threats. "You want to build a culture around awareness," Gardner said at the time.

Still, a recent Enterprise Management Associates (EMA) survey found that more than 56 percent of employees don't receive any such training at all. "The potential cost of employees making poor security choices due to lack of awareness and understanding may go unrecognized until it becomes an actual cost of breach reparations," EMA stated in its report.

In RCCD's case, that actual cost is $290,000.