Student, Teacher Data Exposed Online at Princeton Review Site
- By Dian Schaffhauser
Test preparation company The Princeton Review exposed personal information on tens of thousands of students for about seven weeks on its Web site. According to coverage in The New York Times, an unnamed Princeton competitor "stumbled on the files" while doing competitive research and contacted the newspaper, which informed the firm of the data breach. Princeton closed off access to that part of the Web site.
According to Princeton, the blunder apparently occurred when it switched Internet service providers.
The company has two divisions, one that offers test prep courses and tutoring and another that works with school districts to provide assessment, intervention, and professional development. It was the latter division whose data appears to have been exposed.
One set of files made public included information for about 34,000 students (80 percent of the total student population) in Sarasota County Schools in Florida. The data was used by teachers to create tests and track student progress and included names, school identification numbers, birth dates, gender, ethnicity, disability status, and results of the Florida Comprehensive Assessment Test. In some cases, Social Security numbers were part of specific student records.
According to coverage in Sarasota-based HeraldTribune.com, school superintendent Lori White was informed about the exposure by a reporter covering the story and said the district would be "reviewing the contract [with the Princeton Review] and deciding whether they want to keep it." The district renewed the contract at $350,000 for the current school year.
Another set of 245 files contained information on about 74,000 students in Fairfax County Public Schools in Virginia. In that case, the exposed files held data on students in grades three through eight as part of a state Standards of Learning practice test program. Details included student IDs, names, and birth dates. The files also contained data on 3,157 teachers, including domain login IDs and names. That contract had ended for reasons unrelated to the breach.
According to a statement posted on the Fairfax district Web site, Princeton Review is finishing an investigation to determine how the breach occurred and preparing a letter of explanation and apology to the students whose information was exposed. The district said it would "notify parents of affected students and affected teachers via e-mail."
About the author: Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at email@example.com.
Dian Schaffhauser is a senior contributing editor for 1105 Media's education publications THE Journal and Campus Technology. She can be reached at email@example.com or on Twitter @schaffhauser.