On the afternoon of December 4th, an email containing an attachment with information from a parent meeting the night before was sent from Hellgate High School to 32 email addresses. While generic day-to-day information such as the meeting agenda, school fact sheet, and promotional poster for an upcoming event was included, what caused the outcry was the inclusion of sensitive information relating to the students. Academic, medical, disciplinary and criminal data on 1,100 students – both current and former – was included within the attachment.
After the email had been sent and the error was noticed, the school quickly contacted parents and asked them to delete the email without reading the attachment. The breach was investigated, and the investigation concluded that the incident was most likely a result of user error, as no sign of malware or file manipulation was found. The sender of the email – the school’s assistant principal Libby Oliver – has now resigned.
Prior to the breach, the school had a policy in place regarding the retention and storage of students' information (both past and present), but no data classification policy and no software to enforce any kind of data classification rules. This lack of policy and software allowed highly confidential information to be selected and added to the email document with a single ‘drag and drop’ mouse action. The email was then sent to a list of external recipients who would never have received it had there been data classification software in place.
The sender of the email most likely understood the sensitivity of the documents that were sent, but was probably unaware that they were included in the attached documentation, which is where even a data classification policy alone can fail an organisation. Software such as Boldon James Email Classifier can detect the classification that has been assigned to a specific file through its metadata, and in turn can assess whether the recipient is permitted to receive documents with this level of classification. In the case of the student information that was created by the school – considering its sensitive nature – the classifications given to the document would have been enough for the software to know that this was a confidential document, and sending it to unauthorised external persons would have been blocked.
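The check described above, sketched as an added example (not Boldon James code and not part of the original article): it reads a label from each attachment's metadata and refuses the send when any recipient is external and the label does not permit release, treating unlabelled files as blocked. The property name `Classification`, the domain `school.example`, the `Public` label policy and the simplified sample files are assumptions made for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed values for this example (hypothetical, not from any product):
INTERNAL_DOMAINS = {"school.example"}  # internal mail domain
EXTERNAL_OK = {"Public"}               # labels allowed to leave
PROPERTY_NAME = "Classification"       # custom property holding the label
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"

def read_label(data):
    """Return the label in an OOXML file's docProps/custom.xml, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # Untrusted XML: a production gate should parse with defusedxml.
            root = ET.fromstring(z.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError):
        return None
    for prop in root.iter(f"{{{CP_NS}}}property"):
        if prop.get("name") == PROPERTY_NAME:
            return "".join(prop.itertext()).strip() or None
    return None

def check_outbound(msg):
    """Return (allowed, reasons); unlabelled attachments fail closed."""
    hdrs = [str(h) for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])]
    external = [a for _, a in getaddresses(hdrs)
                if a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]
    reasons = []
    for part in msg.iter_attachments():
        label = read_label(part.get_payload(decode=True) or b"")
        if external and label not in EXTERNAL_OK:
            reasons.append(f"{part.get_filename()}: {label or 'UNLABELLED'}")
    return (not reasons, reasons)

def make_message(recipients, labelled_files):
    """Constructed sample: message whose attachments carry the given labels."""
    msg = EmailMessage()
    msg["To"] = ", ".join(recipients)
    msg.set_content("Notes from the parent meeting.")
    for name, label in labelled_files:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:  # minimal OOXML-style container
            if label:
                z.writestr("docProps/custom.xml", f'<Properties xmlns="{CP_NS}">'
                           f'<property name="{PROPERTY_NAME}">{label}</property></Properties>')
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

Real Office files wrap the property value in a typed child element, which `itertext()` reads the same way; the gate's decision logic is unchanged.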
Following an investigation of the breach, recommendations have been made for the Montgomery County Public Schools (MCPS) board to adopt a data classification policy alongside implementing and testing a Data Loss Prevention solution. It is also recommended that users are educated on the correct handling of sensitive information, to prevent any future breaches. Find out how Boldon James Email Classifier can help protect your sensitive data from user error now, and see how it has already helped organisations like DeltaCredit boost their security culture.