Before reading the following emails and subsequent translations, check out the cast of characters to whom the emails were sent. Notably, our buddy Salim is listed on the lengthy email accomplice list.
In this email, dated six years ago, the boys are trying to figure out what to do about a security breach involving the Concept Schools’ database. Apparently, the schools’ database was stolen, making it extremely susceptible to identity theft.
As part of the enrollment process, all personal student information is entered into the database, including social security numbers. Likewise, all employee information is also compiled within the database.
So knowing that this particular security breach might just alarm students’ parents and employees, Ozgur Balsoy decides that it might just be best if they --- a) downplay the episode and state that only names, phone numbers, and addresses were on the stolen database – so as to lessen the overall shock, or b) simply come out with a policy of “silence” and not tell any of the non “friends” (that would be the students and employees) about the security breach.
Hmmm, is that legal? There must be some law out there that mandates if and when confidential information (like social security numbers) is compromised, that the victims of the stolen information must be immediately informed.
But then – the boys kind of make up their own set of rules as they go along -- don’t they? And what about the Board members, were they notified -- and if so, why didn’t they act? Oh! That’s right – they are part of the boys’ exclusive “friendship” circle.
We’re pretty sure that the boys did not notify the parents or staff about this and have to wonder if any of the students or employees had any issues with identity theft over the past six years. If so, please contact one of the boys listed in the emails – they are all still around and actively employed as administrators at Concept schools.
And as a side note, the email author and then Concept Schools’ IT guy, Ozgur is now the CEO of Advance Solutions for Education – seems like he’s so good at “solutions (like his idea not to disclose the security breach), that he’s heading his own company. Perhaps he should diversify into security solutions….
Below are the emails and the translations are in italics:
Date: Mon, 20 Nov 2006 03:17:55 -0500
From: "Ozgur Balsoy" <firstname.lastname@example.org>
To: "Huseyin Avni" <email@example.com>
Subject: Re: server and database
Cc: "Fatih Unlu" <firstname.lastname@example.org>, "mustafa yazici" <email@example.com>,
"Onder Secen" <firstname.lastname@example.org>,
"Kemal Kaman" <email@example.com>, firstname.lastname@example.org,
"Aydin Kara" <email@example.com>,
"murat sagnak" <firstname.lastname@example.org>,
"hasan kose" <email@example.com>,
"ugur zengince" <firstname.lastname@example.org>,
"hizir disli" <email@example.com>,
"salim ucan" <firstname.lastname@example.org>,
"Fatih Unlu" <email@example.com>,
"Mustafa Yazici" <firstname.lastname@example.org>,
"onder secen" <email@example.com>,
"onder secen" <firstname.lastname@example.org>,
"Kemal Kaman" <email@example.com>,
"Murat Sagnak" <firstname.lastname@example.org>,
"ugur zen" <email@example.com>,
"hizir disli" <firstname.lastname@example.org>
buyuk gecmis olsun. cok uzucu bir durum.
It is a very sad situation.
soyle bir sey aklima geldi, simdi arkadaslar hemen durumu bu sekilde
duyururlarsa tepki alinabilir, merak edilen konu privacy konusu
olacak, yani personal bilgileri ne kadar compromise edildi. SSNs yok
galiba sistemde mesela bu soylenebilir bunun haricinde maas bilgileri
bulunmuyor. bunun gibi rahatlatici birkac sey de eklenebilir meseja
belki. girilmis olan okullarda telefon ve adresler tabiki problem.
bunlar identity theft'e acik konular.
I think that if our friends announce the incident, we can get reactions. Something like this came to my mind.
People will be worried about their privacy and how much personal information was compromised.
For example, I guess, we can say that there were no SSNs (Social Security Numbers) on the system.
In addition, say that no pay stub information was on the system, to relax the concerns in the message.
It is a problem for the schools at which the phone and address information was entered to the system. They are open to identity theft.
ogrenci bilgileri icin de benzer bir konu sozkonusu. bankalar bu gibi
konularda musterilerine acik oluyorlar. eger ciddi bilgi kaybi yoksa
ogrenciler skip edilebilir ama ogretmenlerden durum yayilabilir. bu
konuyu duyuru policy'si lazim acilen....
It is a similar situation for the student information. Banks are honest with their customers.
If there is not any important information lost for the students, they can be skipped but they might learn it from the teachers, so it is urgent to have a policy before making a public announcement.
On 11/20/06, Huseyin Avni <email@example.com> wrote:
On behalf of Concept Schools IT Team, I am writing to inform you and your
staff about recent internet/database problem. As our web hosting company, CI
Host (www.cihost.com), Chicago Office/Data Center reports us, there has been
an incident in their Chicago Data Center. Police has been involved and
investigation is going on. Among many servers, a number of servers including
Concept Schools' server have been either stolen or damaged during the
attempt. The company has announced that they were expecting the police
The IT Team at Concept Schools have been working hard to make a new server
completely available by Monday 8:00 am CT. All school data has been backed
up as of Monday, November 13, 2006 2:00 am CT. As soon as the uploading
process is complete you will be able to continue to manage your school data.
The restored data is up-to-date as of last back up date.
As Concept Schools IT Team we apologize for the inconvenience and thank you
for your patience. Please call (847) 671 2624 for further information.