Tuesday, May 24, 2016

Call the CIA - PUSD had a Data Breach

By now I think it is safe to say many of you have seen the uproar over the “Data Breach” at PUSD. At first blush, it sounds bad and concerning. In today’s information age, “Data” is power. With power comes responsibility. The problem is that power corrupts and blinds normal thinking. I watched the “Special Meeting” called by the PUSD School Board to address the issues surrounding the “Data Breach”. It’s hard not to shake one’s head and voice out loud the thoughts running through one’s mind. “REALLY?” is what popped out of my mouth several times as I tried listening, while not laughing, at the absurdity of it all.

It is abundantly clear someone screwed up. It is clear changes need to be made to ensure this does not occur in the future. It’s also clear this was made into something it is not. I will explain, but after stumbling upon the thirty-eight (38) page manifesto by Gabriela Dow (Link Here) detailing her interpretation of the events, I’m not sure really what the “End Game” is in all of this.

If you have not read the “Dow Report” above, grab your favorite beverage, find a comfortable chair and take the time to read it. It’s long, wordy, repetitive and written with a flair for the dramatic. A disclaimer: ensure your internet security is up to date and working, and cross your fingers there is no malware or worms secreted into the link above (tongue firmly planted in cheek).

Ms. Dow received information she was not intended to receive or possess. That is a given. What Ms. Dow did with this information is as concerning as the fact she received it in the first place. Motive is a question in the evaluation of any act. Leonardo da Vinci said it best: “Every action needs to be prompted by a motive.” I am not a mind reader and won’t speculate as to why she felt the need to give the information she received to the District Attorney and then file a complaint with the State’s Cybersecurity Task Force in Sacramento. She attempts to explain this in her report by way of a question and answer format on page one.

The remainder of the report is what it is. No doubt, cathartic for Ms. Dow and a way to justify her actions after receiving the data. I did have to laugh at the information shared on page four regarding spyware and protecting her family. I digress.

To further her explanation and provide her side of the events (her 38-page report is not enough), Dow wrote the following:

     As promised, please find via the URL below a comprehensive summary of what I directly observed related to the Poway Unified School District data breach that involved over 36,000 students and 70,000 parents' private information. The CDs that I received contained COPIES OF EMAILS dating back to 2014, which demonstrates that the attached spreadsheets with our private data were emailed by third-party vendors long before this recent incident. 

     We need to understand how this specific breach happened, and why the spreadsheets with personal contact info, medical data, test scores, parents' occupations, mobile phone numbers, etc were being emailed around and then handed out to a member of the public. 


     This summary doc answers the most common questions and misinformation I have seen since this horrible data breach that resulted from my work with the District Educational Technology Advisory Committee (ETAC). The reason I contacted the District Attorney's office is because I did not believe PUSD would notify parents if they were the only ones with evidence of the data breach. Additional reasons are detailed in the summary along with copies you can review of the many emails and other communication between PUSD board, managers, their attorney, ETAC, etc. 

     You can also see video of concerned parents speaking at the May 18 emergency board meeting that was finally called to address the data breach I reported on May 9 (I am the last speaker) via http://powayusd.com/en-US/Board/Video/boe-2016-05-08

     It is disappointing that it took this long for the board to finally meet, and also that it took calls from a Union Tribune reporter to get the district to finally notify parents that anything had happened. Part of the reason I contacted the DA's office is because I was told by board member Kimberley Beatty that board president Michelle O'Connor-Ratcliff had decided to not call an emergency meeting for the board members when I reported the breach but instead wanted staff and the attorneys to handle the very breach that they allowed to happen. 

     I have told many of you for months and months that I simply cannot believe what I see happening with our school district. I keep thinking I have seen the worst of it, then I saw how carelessly our most private data was just handed out. THEN I saw how some people were spreading rumors that I somehow tricked the district into releasing the data or that I was trying to make a big deal out of nothing. Attempts to shift focus to the person that identified and reported the alarming data breach from the district officials and break-down (or lack of) process that allowed this to happen has got to be the worst thing I have observed at PUSD.

     Thank you to each and every one of you that has stood up for me when you see the ridiculous online rumors or hear people trashing my attempt to have this data breach addressed responsibly. 

     Please share this with any PUSD parents or community members that you know, and feel free to share on social media. I can only reach so many people directly, but all PUSD families deserve to receive more details and answers about how their personal, confidential data was carelessly handled. It is important that everyone is informed on what happened, how we can address this serious risk, why I took the steps I did to report the problem and why other parents need to get involved. 

     I recognize, as I describe in the summary, that this is only my experience with how the data breach happened and how long I think our data has been emailed around and possibly misused. I recognize that there is context I am not aware of and that is why I hope to receive clear answers from our district. I hope they can see this summary I prepared, and all of the supporting material, as an example of how complete transparency and clarity can be provided to the community. 

     I hope to see many of you at the May 31 PUSD board meeting. Details are posted via the link below and the agenda should be added soon:


     The ETAC committee that I serve on was already scheduled to present our final recommendations to the board on May 31st. I have included these recommendations in the final pages of the attached data breach summary-- please review these and get involved. These recommendations address just some of the leadership, safety and tech planning challenges our district faces. Cybersecurity was an item the recommendations addressed, but ETAC was thinking of teachers, parents and students that need education about keeping their data safe, we had no idea that the district itself was lacking policies and processes for handling some of our most private data. 

      We need accountability for this mistake and for any other breaches that are uncovered, but we also need to unite the community and truly work together to stop this downward spiral of one issue after another. With our Superintendent on paid leave and so many years of simple challenges ballooning into epic battles due to a lack of fair, competent leadership and clear communication from the Superintendent's office, this is really a time to stop the petty fighting to do the right thing for all of our kids. 

     With that, there are additional questions I receive on a daily basis that I didn't include in the (long enough) summary, but that I will address here for friends:

     1. Will you run for school board? No. While I do realize the need for board members that can address these serious challenges head-on and to finally get majority votes to be able to implement necessary reforms, I have seen enough of the toxic culture within the old "Po-way" and Federation of Teachers union leadership mounting personal attacks, spreading misinformation and booing people at board meetings, that the only direction I am running in is away from such an awful environment. I do strongly support Kimberley Beatty's re-election as I have experienced her to be a strong leader that actually listens to the community, that asks questions despite staff being offended at the request that they explain and improve their outdated processes. I also commend board member Charles Sellers and hope to see board member T.J. Zane finally start voting and making decisions to support families and tax-payers vs consultants, attorneys and a Superintendent that needs to go. 

     2. Are you going to sue the district? No. Like all parents I am certainly monitoring the District's responses and activity to make sure they do not try to shift focus on the recipient of the data vs the fact that they mishandled confidential material (something the DA's office called ridiculous but a concern I am getting from parents, "they will try to blame this on you") and I will of course defend myself in any way that is necessary. But I don't believe more attorneys are what are needed to fix these serious problems. The District needs to complete a thorough investigation to understand how private data has been handled, communicate honestly with the public and implement secure processes to make sure the data is handled safely. 

     3. How can I help? Please review the attached summary, the ETAC minutes (http://powayusd.com/en-US/Board/Board-Advisory-Committees), the board minutes, talk to people that are actually involved, and get involved yourself by attending the May 31st board meeting. Take a deep breath, as I have had to do so many times through the course of this ordeal and realize that despite challenges this is an AMAZING community and school district with talented, dedicated, hard-working teachers, staff, parents, coaches and kids. We just need to get our leaders working together, to demand accountability for lack of transparency and mismanagement like we have seen from the Superintendent-- and we need to recruit an amazing new Superintendent that can work with the board, empower qualified (not just loyal) managers and address problems fairly with the community. 

     Thanks so much guys, I will see you at the May 31 board meeting and throughout this summer! 

     Gaby

I do not, for a millisecond, believe the inadvertent passing of the information Ms. Dow received is not serious. In perspective, it is not the end of the world and it is not earth shattering. The information Ms. Dow received should not have been provided to her and when she realized what the information was, it should have been returned to the District, NOT the District Attorney. The “Data Breach” has been furthered and the cry for justice muted by the further dissemination of this information to persons who did not need to possess it.

I often hear people complain about laws, policy, transparency, ethical behavior and more. I hear complaints that the “system” takes too long to work. Instant gratification at its finest. The people who complain about laws, policy, transparency and ethical behavior are most often the ones who don’t believe any of it applies to them. “That’s a stupid policy”; “That law is ridiculous”; “I tried to bring it to their attention, they ignored me” (They didn’t answer the telephone so I did it my way).

In perspective, the information Ms. Dow received should not have landed in her hands. The information was not gained by illegal or nefarious means. The information was not gained for ill purposes, by an individual who wished to use the information for bad intentions. The information was secure for all real purposes. The concern is to ensure this failure does not occur again. To do that, the Board must set clear direction and hold accountable those entrusted with the security of private and confidential information. That appears to be their course, BEFORE the special meeting was called. While certain members of the Board and public wish to grandstand and point fingers, it is the calm, level heads of reason who methodically moved to plug the “Data Breach” hole.


To those who want to use this event to remove the President of the School Board, your motivations are misguided and out of sync with reality. I trust Dr. Mel Robinson was working diligently to find out how this occurred and working to ensure it does not happen again. I trust Ms. O’Connor-Ratcliff was working with Dr. Robinson and staff with the same goal in mind. I just happen to be one of those people who follow the rules and laws, and trust in the system and allow the system to work, for good or bad. If you want your district to work for you, you must work with your district. In life you often get what you give. This issue is now part of history. Nothing about this can be changed. Moving forward, the District is taking steps to ensure it does not happen in the future. It’s time for others to move forward as well.

3 comments:

  1. I agree with most of what is written here about the so-called data breach. I can't help but think after reading the full 38 page whatever by Gabby Dow, she was looking for a reason. I also can't believe her description of the events and the timeline. Several of us who have discussed this all feel the same way. There are pieces missing. My biggest take after watching the special meeting is Beatty and Sellers nudged Dow to action and made her believe nothing was being done. We will never know. Thank you for writing about this and providing the documents you did.

  2. These people really need to get lives!!! I couldn't read the entire report by Dow. Bat Shit Crazy comes to mind. This woman really thinks a lot of herself. Dramatic? You were kind. Good luck finding a real superintendent to take over for this district. No one in their right mind would do it.

  3. Gaby complains that people are spreading rumors but the moment she called it a data breach she opened the door for the skeptics to come down hard on her. A security breach by definition is one where someone or some application has illegitimately gained access to a private and confidential IT perimeter. This was human error but Gaby appeared to want to paint this in a very certain way. Using the favorite word of a certain individual, Gaby may have had an "unscrupulous" motive.
