Exclusive: Clark County School District student data begins to leak; CCSD doesn’t comment

Tiffany Lane reports:

Problems continue for Clark County School District families and staff about a week and a half after being notified of a cyber security incident that happened earlier this month.

Some parents say they received an email Wednesday with private information about their children.

While they do not know if it is related to the cyber security incident involving CCSD, they say it does include information they believe only the district would have access to.

As one parent described it, the email they received was

“Warning me that my children’s information was released or hacked into and it had three PDF files,” said Hecht. “Each one had my children’s picture, all of their contact information, email addresses, student ID numbers, my information, our address.”

Read more at News3LV.

Parents of CCSD children do have reason to be concerned about the leak of student data. DataBreaches found that some of the data was released this week on a file-sharing site. The post has since been removed, but the leak was described as representing about 1% of the total files obtained. Filenames with links where they could be downloaded were listed. Some of the files had notations including the size of the file.

The following is from the post on the file-sharing site. Links to the data have been removed by DataBreaches.

• 25k Graduates with Personal Email, Birthdate, Ethnicity, PSAT scores.
• Diabetes Database MASTER 23_24 (Personal information on 1k students with diabetes)
• Admin.zip (Misc older spreadsheets 2016-2020. 45 MB)
• HCM (Financial reports, staff salaries, grant information 2019)
• [0277] T3 ONLY.zip (Incident reports for 2022 and 2023 by victim)
• Swainston M.S. Attendance, Absent notes, Suspensions, Behavior referral tracking, student signout, bulling contracts, Truancy, Dress code violations, Early release, safety search, EMI – ASA, School Bus Incident Reports, Police Reports (2 Files, 2.5 GB in total)
• Internal Communications:
  • ZZZ-AIA-completed (185 MB)
  • GDA Grant Administrators (1.3 GB)
  • 0003-ogc.RecordsRequest (415 MB)
  • CCSD Facilities Floor, Site and Portable Classrooms Plans (409 MB)
  • 5 0449-VTCTA-Office Staff
  • Student – Census Verification Report – 12 Grade and Graduate photo and PII.  (800+ students. 78 MB)
• HMS Super Users
• SPED Special Education levels per school. (Student health conditions listed per School in the district. 38 MB)

DataBreaches did not download all the files but did download some to investigate them. As an example, the Attendance directory had folders for the 2020-2021, 2021-2022, and 2022-23 school years.  Expanding the folder for 2022-2023 Swainston M.S. revealed a number of folders that included behavioral incident reports for named students, reports on named students who got lunch detention, and 251 reports on named students who got in-house school suspension. Other files contained the names of alleged bullying offenders and bullying victims with incident reports.

In another folder labeled “[0277] T3 Only,”  DataBreaches noted approximately 7,000 files involving named students from Schofield M.S. during the 2022-2023 school year relating to incidents. Each report contained the date, type of incident, proponent’s name, student ID number, grade, the date and time of the incident, the location of the incident, and description of the incident. Some of these were incident reports, while other .pdf files were witness reports.

DataBreaches also examined the Diabetes .csv file. There were several tabs for that spreadsheet. The “Diabetes Mellitus” tab had 907 student entries with their name, student ID number, date of birth, school, grade, physician name, and other fields.  Other tabs in the .csv file were also populated: “Hypoglycemia,” “Glycogen Storage,” and “Solu-Cortef.”

On October 24, DataBreaches reached out to CCSD to ask them about the leaked files. They have not replied.