LEANDER, Texas (KXAN) — Educators across Texas recently had their names and social security numbers posted for anyone to see on the website of a nonprofit group that provides services to school districts.
Weeks after administrators first started finding out about the security issue, the organization responsible for the breach still hasn’t made the extent of it clear.
“Somebody’s mistake could potentially cost me a lot of money,” Jayne Serna said.
She’s a high school teacher at Leander ISD and teaches dual enrollment classes at Austin Community College. This is the first summer she’s had off in 15 years, she said, and this put a kink in her vacation.
“A couple weeks ago in the mail I got a letter from the Texas Association of School Boards,” or TASB, she said.
“Regrettably,” the letter starts out, “I am writing to inform you that some of your personal information was exposed on the Internet.”
Serna shared the letter with KXAN. “They said it was my full name and my social security number,” she said.
“It’s a little disturbing,” she said, “because so many things are tied to my social security number.”
And she’s not alone; the TASB said in a statement to KXAN the information was revealed inadvertently through a web application the organization uses “to report wages to the Texas Workforce Commission for an unemployment compensation group program we administer for participating district employers.”
“This does truly make you nervous,” Serna said. “It does. Trying to put it in perspective, but it’s a bad thing.”
Just how bad? That’s not clear.
TASB didn’t answer KXAN’s questions about how many people’s information was made public.
Austin ISD told KXAN they don’t believe any employees’ information was included in the list because TASB hadn’t contacted them about it. A spokeswoman for Round Rock ISD said “a number of our current and former employees were included.” Leander ISD said the 18 people TASB told them were affected were all former employees.
TASB also didn’t say when the breach happened, when they found out about it, or when they started contacting those affected.
In a second statement to KXAN, the group said they took down the site as soon as they learned the information was public and hired a “forensics firm to determine what data was affected.”
Then they started notifying affected districts, the statement said, and mailing out letters as administrators provided addresses.
But a letter to staff members posted on the website of Alief ISD in southwest Houston includes two pages of answers to frequently asked questions that appears to contain more detailed information.
The letter, dated June 21, warns Aleif staff of the security incident. It says TASB discovered the problem May 22, a month earlier, though it notes the organization didn’t know how long it had been visible. A letter Corpus Christi ISD sent to its employees notes the same discovery date in May.
The FAQ section of the letter from Alief administrators also notes TASB has “no evidence that any of the employee information was used in any way.”
“I know it’s nothing intentional,” Serna said, “but it does still make you unhappy and nervous.”
A spokesman for Leander ISD said as a current teacher there, Serna is not on their list of affected former employees, so it appears some ACC employees got hit, too.
“The good thing is I don’t get paid much so there’s not much to steal,” she laughed. “However, what I do have I’d like to keep.”
TASB offered those affected by the breach a year of free credit monitoring and said they strengthened security measures on their web site.