Student Data Breach Investigation and Resource Guide
Letters from Kroll (the firm that's providing identity/credit monitoring to all those impacted by the data breach) were mailed on December 29. If you were impacted by the data breach and have not received a letter, please email FCPS at firstname.lastname@example.org and we will assist you. If you are unsure if you were impacted by the data breach and need more information, please email us at email@example.com for assistance.
Frequently Asked Questions (FAQ)
When did the breach happen?
The breach happened several years ago. It hasn’t been possible to identify the exact date or time of the breach, because server logs and files have been deleted in the intervening years.
When and how did you find out about the breach?
We found out on August 31, 2016 when a former student contacted our Technology Department. See the timeline below of how we learned of the data breach, how we have taken action, and our ability, as defined by law, to notify the victims and our community.
What did FCPS do about it?
We immediately launched an internal investigation and contacted local law enforcement (the Frederick County Sheriff’s Office). They directed us to the FBI, which we contacted immediately. We also contacted the Maryland State Department of Education (MSDE) when we saw that some data in the breach did not belong to Frederick County, which indicated that FCPS may not have been the source of the breach. They investigated as well. Ultimately, several agencies were involved in this matter, including the Maryland State Attorney General’s Office, the Maryland State Technology Department, MSDE, and the Multistate Information Sharing and Analysis Center.
When did the investigation end?
In December 2016.
Why didn’t you inform people immediately in September?
The law (Maryland Annotated Code section 10-1305) specifies that we needed to complete the investigation of the data breach before we could share information. This is intended to help prevent the further spread of personal information, protect the victims, and assist the investigation. During the MSDE investigation, FCPS was asked, and agreed, to delay notification of consumers pending the completion of the MSDE investigation. Their investigation was completed in December, at which time FCPS began preparing letters for all those affected. Our letters share information about the breach and the steps taken to help those affected. A sample letter (that’s being personally addressed to every person affected) is on our website.
What data was stolen?
The data included names, social security numbers, and dates of birth of about 1,000 former FCPS students (those who were enrolled in FCPS schools in 2005-2006).
Who did it?
We don’t know. Because it happened so long ago, it’s not possible to pinpoint exactly how or when it happened or who is responsible for the attack.
Some people have said that there are 20,000 people affected. Is that true?
The foreign website on which the 1,000 FCPS names appeared claims to have the data of many thousands of other people for sale as well. It’s not possible to know for sure what other data is out there.
Why hasn’t FCPS removed the names from the foreign website or had the site shut down?
The website is operated outside of the United States by the unauthorized users who stole the data. Law enforcement agencies are aware of this breach and the website. We have been told that the Maryland Attorney General’s Office is working to take the website down. FCPS is not able to control the contents of the foreign website.
What did the investigation find?
Because the breach happened so long ago, it is not possible to say for sure where or how it happened. Even though the results of the investigation were not conclusive, it does not appear that the breach originated with FCPS.
Why does it matter where the breach occurred?
Anytime there’s a security breach, it’s important to learn as much as possible about how it happened so that systems can be strengthened and improved. But what FCPS cares most about is helping anyone who was impacted by the breach, not assigning blame.
Were you going to share information about the breach with the entire community?
Yes. FCPS was following a clear process: complete the investigation, communicate with those affected, and communicate with the wider community. This process was meant to assist the investigation and help victims without raising an unnecessary alarm for community members who weren’t impacted by the breach. Incomplete press reports circumvented that process, caused confusion, and further hurt victims of the breach.
What are you doing to help people who have been affected?
FCPS is providing those affected with services, offered through Kroll, a global leader in risk mitigation and response, to protect their identity for 24 months at no cost. The services will include credit monitoring and identity consultation and restoration. FCPS is sending all those affected specific information on how to enroll in these services. After 24 months, if it’s requested and needed, FCPS will consider extending the timeframe for these services.
What if my address is different now than it was in 2010?
Kroll used a locator service to get the current address for everyone affected.
Why can’t I just provide you with my address?
By using a locator service, Kroll was able to verify your identity too. It’s the safest way to locate you and it doesn’t require you to do anything.
Is FCPS doing anything differently now to enhance security?
Yes. FCPS has strengthened IT security processes and procedures. For example, beginning this fall FCPS no longer collects student Social Security numbers and we’ve removed them from our student information system. In addition, FCPS is eagerly participating in an Interagency Internal Audit Authority (IIAA) audit and is taking the additional step of hiring an outside cyber security specialist to investigate our data system and provide recommendations. Next, the Board of Education is seeking confirmation from MSDE that its current data system is secure prior to approving any future transmittal of FCPS data to them. Finally, the Board is scheduled to begin discussion at its January 25, 2017 meeting to develop a Policy on data breach security and notification processes.
How do I know if my data was compromised?
If you email us at firstname.lastname@example.org, we can help determine if your data was compromised.
Where can I get more information?
You can email email@example.com or call 301-644-5332 with questions or to get more information.
Are there online resources that will help me understand identity theft and how to respond to a data breach?
Absolutely. For example, the Federal Trade Commission has created an interactive guide to create a recovery plan personalized for your situation. Visit https://www.identitytheft.gov/ to create a plan and put your plan into action. Even if you’ve never been the victim of a data breach, you may still want to learn more about how to protect yourself. Here are some resources that offer helpful information:
The US Government offers guidance on identity theft: https://www.usa.gov/identity-theft
The Maryland Attorney General has an Identity Theft Unit: http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/default.aspx
Risk mitigation leader, Kroll, shares expert insights: http://www.kroll.com/en-us/intelligence-center