Updated: Data for 14,000 MISD students stolen

Photo: Cindeka Nealy Photo: Cindeka Nealy Image 1 of / 1 Caption Close Updated: Data for 14,000 MISD students stolen 1 / 1 Back to Gallery

The Social Security numbers and birth dates of 14,000 current and former Midland ISD students have been compromised as a result of a computer theft from an administrator’s unlocked vehicle, MISD Superintendent Ryder Warren said Monday.

All current seventh-graders through high school seniors are believed to be affected, as well as graduates going back to the class of 2008, Warren said. Students who moved away from the district but fall in that age range also have their information among the stolen data and will receive letters.

The data was encrypted so the thief may not realize they have a cache of student information or be able to access it, Warren said. However, letters were mailed to parents on Monday, as required by the Texas Business and Commerce Code.

“As the superintendent of schools, I deeply apologize for any inconveniences that may result from the theft,” Warren wrote in a press release. “We are reviewing (and if needed — changing) all district-wide safety measures to help further ensure the security of confidential information in the future. MISD prioritizes the privacy and safety of students and families.”

In the letter, dated Jan. 31, Warren said a laptop and external hard drive were stolen on Jan. 23, and a police report was immediately filed with the Midland Police Department. The report included the names of all students who could be affected. Warren said he was notified of the theft that same afternoon or the following day.

The theft was reported at the home of Deborah Acosta, MISD dropout prevention/recovery & at-risk coordinator, at 9:13 a.m., according to MPD records. The doors on Acosta’s Ford F-150 were not locked, and because Acosta and her husband both entered the vehicle on the driver’s side, investigators did not process the vehicle for fingerprints.

The information was obtained through a Freedom of Information Act request.

Warren declined to confirm who was in possession of the equipment.

Warren also declined to provide any information on any disciplinary action taken against the employee.

“If we have an issue that comes up with this stuff, everything has to be documented and the staff member has to be written up,” he said, declining to elaborate on specifics.

It is necessary to keep this information in one place because Texas requires school districts to track dropouts, Warren said.

It is not abnormal for MISD employees to work from home or away from their main office.

“We have people who sometimes never even see their offices for a week at a time because they're going around to so many different campuses, doing whatever responsibility it is,” he said. “That is routine. What is not routine is to not have it passworded where we would not have this breech.”

In response to an open records request for “Midland ISD’s security policy for handling confidential student data,” MISD attorney Leah Robertson referred the Reporter-Telegram to MISD’s Network Acceptable Use Policy. According to the policy, students, parents and teachers all sign a form every year to indicate familiarity with the policy. However, it does not specifically address taking student data or MISD equipment off-campus. The policy also doesn’t state specific terms of use for confidential student data.

“A mistake was made, and we are dealing with the aftermath of that mistake,” Warren said.

Warren said it has always been his expectation that student data is protected.

“It is absolutely my fault for not having done a better job of making sure we have safeguarded everything we need to safeguard,” Warren said. “That one’s on me. I take full responsibility that we have not done a good enough job of making sure everything we have out there (is protected) … and that’s what parents expect us to do. We're going to get on this very quickly.”

Warren said MISD employees all sign acceptable use policies, and are trained to understand what information has to be protected.

“We’re going to re-examine every single safeguard we have in place,” he said. “If we have to change anything, we’re going to do that. We’re going to meet (today) as an administrative staff to make sure every campus staff and district level employee looks at every safeguard we have.”

Police do not believe the stolen equipment will be recovered, he said.

Warren said the data is not readily accessible.

“Everything is coded,” Warren said of the data. “It doesn’t say, ‘Child’s Social Security number, child’s birthday.’”

The computer was password-protected, but the external hard drive was not, he said.

“Hopefully, they wouldn’t be able to decipher it,” Warren said. “But, in case that they would, that’s why we’re making the notices.”

Warren said he thinks the thief wanted the laptop to sell and tossed out the external hard drive.

There is no known use of a student’s name or information being used for fraudulent purposes at this time, according to the letter. Unauthorized use of the information could lead to financial loss for students, Warren wrote.

Warren’s letter recommends that parents place a fraud alert on their child’s credit line and contact one of the three major credit bureaus if the student is 18 years or older: Equifax, Experian or TransUnion Corp. A link for Consumer.gov’s child identity theft page is provided for parents with children ages 17 years and younger.

Warren also referred parents to websites run by the Texas Attorney General, the Department of Public Safety and Consumer.gov for more information on identity theft.

Parents should contact MPD in the event that fraud does occur, Warren said.

Warren encourages parents with questions to contact MISD attorney Leah Robertson at 689-1025.