The district did not say how many files were made available or how many students could have been affected. It has hired an outside vendor to “comprehensively evaluate the situation” to understand the extent of the issue.
“If it is determined that stakeholders had — or may have had — their information accessed by unauthorized individuals, DCSD will promptly notify those individuals as required by law,” according to the statement.
DeKalb County School District’s statement
The school district released this statement to The Atlanta Journal-Constitution:
The Dekalb County School District (DCSD) is aware of circumstances where isolated files with personally identifiable information were made available to staff and students. An internal investigation determined that improper handling of files by employees caused these conditions. DCSD promptly ordered an initial audit of the district’s infrastructure, and the conclusion was this incident was not caused by an external breach of information systems or databases.
In addition, the District has contracted with a 3rd party vendor to comprehensively evaluate the situation in order for all parties involved to better understand the extent of the improper file handling. Once that process concludes, and DCSD administrators have had a chance to evaluate the findings, all parties will convene and determine the next steps based on industry standards and best practices associated with data governance, user training, awareness, and secure security file storage and sharing. If it is determined that stakeholders had- or may have had- their information accessed by unauthorized individuals- DCSD will promptly notify those individuals as required by law.
In the meantime, DCSD continues to review its internal protocols, which have already resulted in enhanced data protection. These safeguards include fortifying internal data protection controls. Additionally, increased training in data privacy, security, and sharing procedures, including awareness campaigns and enhanced resources, will be provided to all staff members.
An initial audit of the district’s infrastructure found that there was no external breach of its information systems or databases, the statement said. The DeKalb school district notified families last year that their children could have been affected by a 2019 data breach. That breach was related to school nutrition technology services.
Brooks first reported the issue to district staff in March.
“More than two months later, there are still issues that are unresolved, still things that are widely accessible that shouldn’t be,” Brooks said.
“Files exposed range from the mundane to the absurd, including everything from a certificate for an elementary school’s ugly sweater contest to the safe combinations for district buildings to spreadsheets of student social security numbers,” the newspaper reported.
The district is reviewing its internal protocols and fortifying its data protection controls, according to the statement. It plans to provide training in data privacy, security and sharing procedures to all staff members.
Shortly after the student newspaper published its story this month, Brooks said he received a request from the school asking him to provide his Social Security number as part of a scholarship requirement.
“As soon as I discovered this huge data security issue, the school asked for a piece of my personal information and I just had to blindly trust them,” he said. “I just found that a little bit ironic.”