Education Department Flunks on Security

According to an old saying, those who can’t teach, teach gym, and those who
can’t teach gym work at the Department of Education (DoE).

The agency suffered an embarrassing breach over the past
weekend when a site used to reimburse student loans allowed unauthorized
access to the personal data of tens of thousands of registered users.

Apparently, not only can’t Department of Education administrators teach gym,
they can’t read their own security manuals.

The Department of Education seems to have ignored “detailed and extensive”
security recommendations that are found on its own Web site.

The data breach occurred as the result of a software upgrade.


The Department of Education has not indicated when the problem will be
addressed, and it did not return a request for comment.

The following message is posted on the homepage of Direct Loan Servicing
Online, the site managed by the Department of Education:

“We are experiencing problems with our web site due to recent software
upgrades. Therefore, we have disabled online payment, address change and
certain other online options until we can resolve the issues. We apologize
for the inconvenience and thank you for your patience.”

The site then provides a mailing address for borrowers to mail their
payments.

This is by no means an isolated incident.

In recent months, the government has been stung by revelations that laptops
containing the personal records of U.S. citizens were stolen from the Department of Veterans Affairs and, later, from the FTC.

Personal data was also compromised as result of security breaches at the U.S. Department of Agriculture and the Navy.

Private security experts believe that these issues need to be addressed in a
holistic manner.

James Mobley, President and CEO of Burlington, Mass.-based Intrusic, told
internetnews.com that security involves not only technology but
policy and communication, as well.

Where the current data breach is concerned, Mobley said he thinks that the
software was tested to see if it worked properly but was not tested for
security purposes.

“Security testing tries to break the software,” he noted.

Eric Lazarus, a computer consultant in New York, said that good security
policies are difficult to implement.

“Agencies have to understand the risks, model how those negative outcomes
can occur, determine policies and procedures that will address those risks
in a balanced and effective manner,” he told internetnews.com.

Ed Markey (D-MA), senior member of the House Telecommunications and Internet
Subcommittee and the Co-Chair of the Privacy Caucus, blasted the Bush
Administration for not having responded to these threats more effectively.

The Administration’s “record on preventing and responding to data breaches
has been abysmal,” he said.

News Around the Web