Security

Latest DC Snafu Exposes Student Data on Dropbox

• By Dian Schaffhauser
• 02/16/16

About 12,000 students who possess individualized education programs (IEPs) had personal information posted to a public Dropbox site attending schools in Washington, D.C. Reporting by the Washington Post said the data was inadvertently made available online "for several hours" on Tuesday and has since been taken down. The file with the private information was uploaded to the cloud-based file storage site prior to a meeting about the program that manages the IEPs. The file included names, schools, identification numbers and other personal details about each student, including his or her disability and what special services they use.

The announcement came from the district's Office of the State Superintendent of Education, which handles federal grants, compliance with federal laws and other governance activities for area students. According to the Post, Hanseul Kang, the state superintendent of education, issued a "letter to colleagues" in which she stated, "Our families deserve to know that their students' personal information is being kept confidential and secure in the education system."

Just about a year ago the District of Columbia Public Schools suffered a different kind of exposure of special education student information. The district realized that an internal Web site launched in 2010 that stored training materials for district staff included login information that would enable anybody to access a database containing information about special ed students. The district found no evidence that anybody has actually viewed the data. At that time, the district issued a statement apologizing for the breach: "We understand how important it is to safeguard student information and will conduct a top-to-bottom review of our security practices to ensure this does not happen again."

Then in March 2015, the Office of the State Superintendent of Education reported that it had "inadvertently" released student data in response to a Freedom of Information Act request. The disclosed data included student names, birth dates, grade levels, gender, race, ethnicity, English language learner classification, non-public attendance, special ed status, school of attendance, details related to suspensions and expulsions and student identifiers. In that situation the data was actually redacted and the file locked when it was sent to the FOIA recipient; however, the office later found out that the file could be unlocked, exposing the personal information.

In none of these cases were Social Security numbers involved.