Test scores, birth dates, and other personal information for more than 100,000 students were published accidentally on The Princeton Review’s web site this summer, according to the New York Times.
The information was available on the test preparation company’s web site for nearly two months, and the information should have been available only through passwords, the company told the Times for an Aug. 19 story. A Princeton Review official told the newspaper that the site’s protection probably was lost when the company switched internet providers in June.
A mistake in web site configuration exposed student records for anyone to see and made public Princeton Review internal communications and educational materials, according to the Times, which reported that the web site was accessible through a simple web address. In a statement, Princeton Review said only "highly sophisticated computer users" were able to access students’ information.
In a statement released by Princeton Review, the company confirmed that the security error occurred when its "web hosting was recently migrated to a new provider."
"We devote a lot of attention to the security of our data, and have extensive procedures in place to manage this process," the company said in the statement. "On Monday, we were advised that some information which had been kept safe and secure may have inadvertently been accessible to highly sophisticated computer users."
After a security review, The Princeton Review said the student data was never "widely available," as suggested in the New York Times article.
"Nonetheless, we have apologized to our customers for this situation, and assured them that access to the information has been closed, and that we are working diligently to put in place any needed remedies to make certain this problem does not recur."
The Times reported that another test-prep company discovered the error while conducting competitive research and alerted the newspaper. The Princeton Review reportedly blocked access to that part of its web site when a Times reporter informed the company of the mistake Aug. 18. The company said it would find out how many people might have accessed the files through search engines.
The exposed files included information from 34,000 students in Sarasota, Fla., and 74,000 students from the Fairfax County school district in Virginia, according to the Times. Both school systems had hired Princeton Review to improve standardized test scores.
Paul Regnier, a spokesman for the Fairfax County school system, told eSchool News that school officials were not aware of the security breach until a Times reporter contacted the district on Aug. 18. District officials are looking into the repercussions of the breach, Regnier said.
Regnier said Fairfax officials had a conference call with Princeton Review Monday night. The company agreed to send "all the data that had been exposed," Regnier said, adding that the test scores and personal information were from 2006. The school district would sift through that data and contact parents whose children’s information had been available online, he said. Fairfax schools’ contract with Princeton Review expired at the end of the 2007-08 academic year, Regnier said.
Asked if the district had received any complaints from parents or students, Regnier said complaints and concerns have yet to pour in.
"I’ve heard nothing," he said, adding that the school system would have more information for students later in the day.
Officials from the Sarasota school system also had a conference call with Princeton Review Monday night, schools spokesman Gary Leatherman said. Before administrators contact parents, Sarasota officials are trying to determine "exactly what the extent of the [security] compromise really was."
Recent Florida state legislation dictates that students use their social security numbers as identification numbers. Leatherman said the district was looking into how many students out of the 34,000 had their social security numbers available online.
Internally, the school district is deciding if it will continue its contract with Princeton Review, Leatherman said. If the company’s IT experts can assure school officials that a breach will not happen again, Sarasota is "very likely" going to maintain its relationship with Princeton Review, he said.
"We may very well continue with them because we’ve been happy with the service they’ve provided," he said. "This was just something that was apparently a fluke."