DC schools posted private data of 12,000 students on public website

© Dado Ruvic / Reuters
For several hours on Tuesday, around 12,000 students in the District of Columbia Public Schools system had their personal information publicly available online. This marks the third time the school district has experienced such a security breach.

It happened by accident, according to an internal memo from the DC Office of the State Superintendent of Education, the Washington Post reported. An office worker uploaded the students’ identification numbers, race, age, disabilities, and other sensitive data to a public Dropbox account managed by the DC Council.

“I am deeply disappointed by this situation,” state superintendent Hanseul Kang wrote in a letter to colleagues, the Post reported. “Our families deserve to know that their students’ personal information is being kept confidential and secure in the education system.”

The data was eventually taken down, but not before it had been downloaded by a single person, according to state superintendent spokesperson Patience Peabody. That person worked for a “community organization,” the Post reported, and according to Peabody, they agreed to delete the files.

The last time something like this happened was in March of 2015, when DC Public Schools officials unintentionally released audited enrollment data, including student disciplinary records, among the files they had provided to BuzzFeed to fulfill a Freedom of Information Act request. The sensitive data was locked, but also easy to unlock.

Prior to this, the District’s school system had left the private information of special education students accessible online from 2010 to early 2015.

“As you know, we have taken significant steps as an agency over the past 11 months to better protect our student data, but they are clearly not enough,” Kang wrote in Tuesday’s letter.

Kang’s office created a call-in hotline for parents who have questions and concerns.

Legislation requiring organizations with DC Public Schools contracts to take security precautions was proposed in January by David Grosso, a DC Council at-large member and Chairperson of the Committee on Education.