VA: Fairfax Schools leak: Personal student info will be removed

Posted on by Dissent

Hatzel Vela reports on WJLA:

Fairfax County Public Schools Wednesday learned confidential student information from Fairfax High School was leaked and posted online, but that information is now being taken down.

The information included student’s names, student ID numbers and even grades. The records listed students from 9th to 11th grade. Because senior students are graduating, their files are kept separate and that’s why officials believe those files were not leaked.

Jack Dale, the superintendent of Fairfax County Schools, released a note to parents Friday stating the court granted a request to remove the personal information. The owner of the Fairfax Underground website says the data will be removed by no later than 5 p.m. Friday.

Tom Jackman of The Washington Post has a screen shot of what was posted on the forum and more details on this case. Reportedly, the data were first uploaded to the Fairfax Underground site on Tuesday. On Wednesday, the school system found out about it. On Friday, they were in court to get an order requiring Fairfax Underground to remove the data.

What caught my eye in the first story was this statement by Superintendent Dale:

“Violations of student privacy will not be tolerated and those who are responsible for this breach will be held accountable,” Dale stated in an earlier letter.

It is it just me, or does that read like Fairfax County Schools has no idea at all how they suffered a breach? And it’s one thing to say that those who are responsible will be held accountable, but are they talking only of whomever posted the data, or are they including those who may have failed to adequately secure it?

This is not Fairfax County’s first breach, by the way. In 2008, dozens of files with names and birth dates for 74,000 students in the school system were accidentally exposed online by Princeton Review. Then in 2010, a third grader was able to access the Blackboard Learning System used by the county to change teachers’ and staff members’ passwords, change or delete course content, and change course enrollment. It was nothing so exciting as a hack, however. The child found the password on a teacher’s desk and used it.

So what will it be this time? Were they hacked externally or did some staff member not adequately protect login credentials? I hope we find out.

Update: Some additional coverage of the case and the web forum’s reaction to the injunction:

 

Category: Breach IncidentsEducation SectorU.S.