Education Department Flunks on Security
According to an old saying, those who can't teach, teach gym, and those who can't teach gym work at the Department of Education (DoE).
The agency suffered an embarrassing breach over the past weekend when a site used to reimburse student loans allowed unauthorized access to the personal data of tens of thousands of registered users.
Apparently, not only can't Department of Education administrators teach gym, they can't read their own security manuals.
The Department of Education seems to have ignored "detailed and extensive" security recommendations that are found on its own Web site.
The data breach occurred as the result of a software upgrade.
The Department of Education has not indicated when the problem will be addressed, and it did not return a request for comment.
The following message is posted on the homepage of Direct Loan Servicing Online, the site managed by the Department of Education:
"We are experiencing problems with our web site due to recent software upgrades. Therefore, we have disabled online payment, address change and certain other online options until we can resolve the issues. We apologize for the inconvenience and thank you for your patience."
The site then provides a mailing address for borrowers to mail their payments.
This is by no means an isolated incident.
In recent months, the government has been stung by revelations that laptops containing the personal records of U.S. citizens were stolen from the Department of Veterans Affairs and, later, from the FTC.
Private security experts believe that these issues need to be addressed in a holistic manner.
James Mobley, President and CEO of Burlington, Mass.-based Intrusic, told internetnews.com that security involves not only technology but also policy and communication.
Where the current data breach is concerned, Mobley said he thinks that the software was tested to see if it worked properly but was not tested for security purposes.
"Security testing tries to break the software," he noted.
Eric Lazarus, a computer consultant in New York, said that good security policies are difficult to implement.
"Agencies have to understand the risks, model how those negative outcomes can occur, determine policies and procedures that will address those risks in a balanced and effective manner," he told internetnews.com.
Ed Markey (D-MA), senior member of the House Telecommunications and Internet Subcommittee and the Co-Chair of the Privacy Caucus, blasted the Bush Administration for not having responded to these threats more effectively.
The Administration's "record on preventing and responding to data breaches has been abysmal," he said.