Keegan Brooks writes:
The DeKalb County School District has been making thousands of files containing sensitive student and staff information widely accessible to anyone in the district.
Types of information exposed have included social security numbers, academic records, medical forms, course transcripts, standardized test scores, discipline records, and the 504/IEP information of students, among others. These files exposed the information of thousands of students and staff members from schools across the county.
This was caused by many files within the district being shared with “everyone except external users” by staff members — “everyone” in this case being the more than 93,000 students and 15,500 employees in the district.
Read more at the Chamblee High School student paper, The Blue and Gold.
In response to this article, DataBreaches.net reached out to the District on Friday to ask them to respond to the allegations. As of the time of this publication, they have not responded at all.
DataBreaches also reached out to Jim Siegl, Senior Technologist at the Future of Privacy Forum, to ask him for his comments on what Brooks wrote.
Siegl introduces himself, in part by writing:
Having managed a very large (~250,000 user) Google Education domain for a decade in a prior job, my educated guess is that this is could be caused by an inappropriate setting in the district’s google administrator console at one pint in time, or it could be the result of end users, including staff not understanding the impact of their choices when they share files.
Figuring out what happened is complicated, since the settings and options in Google Workspace have changed over the years, but this is a problem I am very familiar with.
Siegl, whose personal website is appropriately named PrivacyIsHard.net, responded with a detailed commentary that is extremely helpful for those of us trying to understand the allegations and how such things can occur. His article suggests specific actions the district might want to take if they have not done so already, and specific questions concerned students like Keegan Brooks might want to ask the district using a public records request.
Read Siegl’s thoughtful commentary to the Blue and Gold’s concerns in his article, Oversharing is Not Caring: A reminder that for schools, privacy is hard, it is everyone’s job and that vendor defaults, communication, training and auditing access matter