The names, Social Security numbers, and birth dates of about 1,000 students who attended Frederick County Public Schools about a decade ago were stolen and were for sale online.
Information on those students, who were enrolled in Frederick County schools between November 2005 and November 2006, was taken from a data breach that school officials said occurred before 2010.
A former student who discovered the information online alerted the school district of the breach in September, school district spokesman Michael Doerrer said. The information was offered for sale online, he said.
He said an investigation involving multiple state agencies and the FBI could not conclude where the data originated.
The school system maintains student data on a network not connected to the internet, then transmits it as needed, such as to the State Department of Education, Doerrer said.
The investigation started in September and wrapped up this month.
“It’s inconclusive where the breach occurred,” Doerrer said. “We know it appears that no FCPS computers were infected by malware or software.”
The investigation involved the Frederick County school system, the FBI, the Maryland State Department of Education, the state’s Department of Information Technology and the state attorney general, as well as the Multi-State Information Sharing and Analysis Center, which works with the U.S. Department of Homeland Security.
The Frederick Extra website first reported on the breach on Tuesday morning. Shortly before noon, Doerrer said the district was planning to issue a statement about the breach. The district put out a news release at about 6 p.m.
The school district will send victims of the breach a letter this month, Doerrer said.
Doerrer said 2010 was a long time ago as far as information technology goes, and the school district has changed how it stores student information.
He said he is confident the current system is secure. He was unsure how long the district retains student data, but said he was sure it follows applicable laws and guidelines.
Bill Reinhard, a spokesman with MSDE, said he was aware of the breach but had no information on it as of Tuesday evening.
Derek Root, the former director of technology infrastructure for the Frederick County school district, who left this past summer to be chief technology officer with Washington County Public Schools, said on Tuesday that when he resigned, the school district had good security measures in place.
“My security guy was draconian when it came to that stuff,” he said. “We had controls and policies in place.”
Since Root left about six months ago, the school system has not replaced him. His duties were spread between ranking staff member in tech services and Deputy Superintendent Mike Markoe, Doerrer said.
The district will announce Root’s successor on Wednesday, Doerrer said.
Doerrer said he was unaware of any previous leaks in student data, though several years ago employee data was breached.
Frederick County Board of Education President Brad Young said the board recognizes the seriousness of this issue.
“Our position is that we need to address protocol when you have a data breach and work toward making the systems better,” he said.
Young said the board would take no immediate action on the breach.
School board member Colleen Cusimano, who worked in IT for the school district between 2008 and 2010, said the board is concerned about the breach.
“I hope that this is a catalyst for a long-overdue conversation on how to manage and protect our data better,” she said in an interview.
The board passed a policy last school year concerning student data privacy that mirrors the requirements of a state law approved during the 2015 Maryland General Assembly session.
That policy and law direct that the school system must institute certain protections to safeguard student data, even when working with an outside contractor or website.