In one of the worst security breaches ever in a public K-12 school system, confidential data for thousands of Indianapolis Public Schools (IPS) students–including, in some cases, medical information and Social Security numbers–were accidentally posted online.
The Indianapolis Star, which discovered the error and reported it May 16 to the district, said it appeared the problem had been going on for at least two years.
Officials were working to correct the problem, but they said some of the information still could be accessed through the popular search engine Google as of press time. The school district was contacting Google and other search-engine providers asking that information with Social Security numbers be erased, it said in a news release.
The Star reported that at least 7,500 students were affected. The nature of the information posted to the internet varied.
Among the files that were accessible were special-education diagnoses, students’ names and addresses, and essays in which some students revealed personal details such as experiences with abuse.
Details about the IPS computer system, employee job reviews, and other personnel files also were posted.
Beth Givens, an identity-theft expert with the Privacy Rights Clearinghouse, said the most dangerous data consisted of Social Security numbers for about 20 students and five staff members.
“That’s horrendous–the entire family has been victimized,” she said.
Internet security expert Roger Thompson, who reviewed the IPS web site at the Star’s request, said the error appeared to have resulted from improper settings on the district’s server or from a software flaw.
“It looks like it’s a really poorly configured system, and a lot of people are going to be really embarrassed and a lot of people are going to be really upset,” said Thompson, the chief technology officer at www.LinkScanner.com. “It looks like somebody has made a mistake.”
IPS said the information apparently was posted by individual users uploading content to certain areas of IPS Online. The district’s information technology division took steps about six weeks ago to block Google from being able to search its web site, IPS said in a news release. A disclaimer warning users not to post confidential information to IPS Online also appears.
District officials said grades, discipline, and other confidential student information now is stored in a password-protected database.
However, IPS Online is not private and can be accessed by persons outside the district, the release warns.
IPS officials reportedly began working to fix the problem within an hour of being told about it by the Star, and they notified staff and media the same day. Parents were notified that evening by telephone message, the Star reports.
Since then, some teachers and parents have expressed frustration at what they say is the lack of clear information from the district. A searchable list available on www.IndyStar.com lets users check whether a student’s records might have been exposed–information that parents reportedly have struggled to get from the district itself.
School board members said they want a full report once the district is done with its internal review.
“We’re going to look at the problem, and I’ll ask a whole lot of questions until they get tired of me,” board member Olgen Williams told the Star. “They’re going to have to reassure me and the board to the best of their ability” that such a problem can’t happen again.