DeKalb student newspaper exposes data leak in district’s online network

Student data is widely available in the DeKalb County School District's shared network, a student newspaper reported. (File photo)

School district says it’s working to address the problems

Thousands of files of student data — including Social Security numbers, medical records and academic transcripts — were exposed to all students and employees in the DeKalb County School District’s network, according to a high school student newspaper.

Keegan Brooks, a senior at Chamblee High School who recently reported on the issue for The Blue and Gold, said he discovered the data was available while using Microsoft 365, the district’s network for email and file sharing.

He was able to access information such as academic records, course transcripts, discipline records, medical forms, Social Security numbers and standardized test scores from schools across the county, he reported.

“I was shocked,” Brooks said. “My initial reaction was, ‘Wow, this seems like a severe data security issue.’”

The district acknowledged the problem in a statement to The Atlanta Journal-Constitution. The statement said an internal investigation determined that employees were improperly handling files, making the information widely accessible.

The district did not say how many files were made available or how many students could have been affected. It has hired an outside vendor to “comprehensively evaluate the situation” to understand the extent of the issue.

“If it is determined that stakeholders had — or may have had — their information accessed by unauthorized individuals, DCSD will promptly notify those individuals as required by law,” according to the statement.

DeKalb County School District’s statement

The school district released this statement to The Atlanta Journal-Constitution:

The DeKalb County School District (DCSD) is aware of circumstances where isolated files with personally identifiable information were made available to staff and students. An internal investigation determined that improper handling of files by employees caused these conditions. DCSD promptly ordered an initial audit of the district’s infrastructure, and the conclusion was this incident was not caused by an external breach of information systems or databases.

In addition, the District has contracted with a 3rd party vendor to comprehensively evaluate the situation in order for all parties involved to better understand the extent of the improper file handling. Once that process concludes, and DCSD administrators have had a chance to evaluate the findings, all parties will convene and determine the next steps based on industry standards and best practices associated with data governance, user training, awareness, and secure security file storage and sharing. If it is determined that stakeholders had, or may have had, their information accessed by unauthorized individuals, DCSD will promptly notify those individuals as required by law.

In the meantime, DCSD continues to review its internal protocols, which have already resulted in enhanced data protection. These safeguards include fortifying internal data protection controls. Additionally, increased training in data privacy, security, and sharing procedures, including awareness campaigns and enhanced resources, will be provided to all staff members.

An initial audit of the district’s infrastructure found that there was no external breach of its information systems or databases, the statement said. The DeKalb school district notified families last year that their children could have been affected by a 2019 data breach. That breach was related to school nutrition technology services.

Brooks first reported the issue to district staff in March.

“More than two months later, there are still issues that are unresolved, still things that are widely accessible that shouldn’t be,” Brooks said.

“Files exposed range from the mundane to the absurd, including everything from a certificate for an elementary school’s ugly sweater contest to the safe combinations for district buildings to spreadsheets of student social security numbers,” the newspaper reported.

The district is reviewing its internal protocols and fortifying its data protection controls, according to the statement. It plans to provide training in data privacy, security and sharing procedures to all staff members.

Shortly after the student newspaper published its story this month, Brooks said he received a request from the school asking him to provide his Social Security number as part of a scholarship requirement.

“As soon as I discovered this huge data security issue, the school asked for a piece of my personal information and I just had to blindly trust them,” he said. “I just found that a little bit ironic.”