School Department transfers Teacher PII Data to Testing Company

2019, Breaches, March

Who: Worcester School Department

When: 8 Mar 2019

# of records involved: 2000 teachers

What happened: The district’s IT department opted to use the last four digits of employees’ Social Security numbers as a password for their entry to a portal run by a testing company called Renaissance, which the Worcester schools began contracting with last year.

How did it happen: Although every employee has a number, ​the challenge with that is not everybody remembers it. It also would have been onerous to have to individually give a new password to every employee that logged into the portal. It’s not uncommon for the last four digits (of someone’s Social Security number) to be used as a password” instead, he said.

Outcome: The administration is reviewing IT policies regarding password creation and information that is shared both within the system and outside the Worcester Public Schools to ensure it is utilizing appropriate safety and security measures. After receiving complaints from staff, the School Department and the testing company changed the passwords in December and purged the Social Security digits from the company’s records. The city teachers union filed a grievance over the incident. The School Committee, meanwhile, is set to take up an agenda item stemming from the data release at its Standing Committee on Governance and Employee Issues meeting next month.