Shostack + Friends Blog Archive


California Schools, "tens of thousands" of Student Records, Default Passwords

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.

From “Software glitch reveals private data for thousands of state’s students
S.F. administrators close program to update passwords
.” Reporter Nanette Asimov was good enough to respond to my email and clarify that the ID numbers in question are not SSNs, making this far less bad than it could have been.

There’s a lesson there for businesses that are still using SSNs as identifiers. There’s also a lesson that some of the California privacy laws are having positive effects. I’ve discussed the positive effects of 1386 frequently, but also SB 168 (forbidding use of SSNs as identifiers in some places). California’s legislature is doing a good job of shifting the legal rules surrounding capturing and relying on government-authenticated identification information. We’re not where we ought to be, but we’re getting there.