The Social Security numbers of 164,406 students who graduated from eight Texas school districts over the past two decades were placed at risk for identity theft because they were sent unencrypted via the mail, according to internal Texas Education Agency documents obtained by The Texas Tribune.
In a January 14 memo, senior policy adviser Michele Harkrider told TEA Commissioner Robert Scott that there had been "violations of agency data security operations" in the agency's handling of sensitive data from students who graduated in the top 10 percent of their classes between 1992 and 2010 at the following districts: Crowley, Harlingen, Round Rock, Killeen, Richardson, Irving, Mansfield, and Grand Prairie.
Between August and January, the districts mailed unencrypted CDs loaded with students' Social Security Numbers, dates of birth and ethnicity — data requested by the University of Texas at Dallas’ Education Research Center — to the TEA, with the expectation that the TEA would deidentify the records and pass them along to UT-Dallas. The former agency employee who handled such data said it was standard operating procedure, however TEA spokeswoman Debbie Ratcliffe strongly disputed that the agency had ever had a policy of sending confidential data through the mail.
“At a minimum, 164,406 individuals were at risk for identity theft or other avoidable risks,” Harkrider wrote in the memo.
At least one of the eight districts, Grand Prairie, did not send in Social Security numbers as requested because its public information officer felt the risk of identity theft was too high. Instead, it identified students using their local PIEMs numbers.
It is unclear how many districts agreed to participate in UTD’s project. But according to the memo, there were multiple districts the agency knew were participating but had yet to receive data from — raising the possibility that records had been lost in the mail. The Tribune reported in March that the agency had indeed misplaced the Social Security numbers of 24,903 current and former Laredo ISD high school students.
A string of internal emails reveals that the agency became aware of the missing Laredo data on January 21, after the district confirmed from its tracking information that a man named “Thomas” in the Railroad Commission’s mailroom had signed for the package on Oct. 28. (The William B. Travis building in Austin houses five government agencies, including the Railroad Commission and the TEA.)
Ratcliffee told the Tribune that Laredo ISD's data set is the only one believed to be missing. The January memo says the agency has since destroyed the CDs from the eight districts whose information it did receive.
“TEA staff should continue to contact districts to investigate whether additional diskettes containing individual level data were sent but never received by TEA to ensure there are no social security numbers unaccounted for,” Harkrider wrote, adding, “Notifying the [United States Department of Education] of the possibility of a security breach of student level data should be considered.”