Teachers’ social security numbers, student academic records, and families’ home addresses are among the dozens of pieces of information a group of tech savvy high school students stumbled across on Google Drive this year.
The documents — many of which contained confidential information — were leaked because of a quirk in the education department’s Google Drive sharing settings, a group of Brooklyn Technical High School students found.
The students unintentionally discovered they had access to these documents in January. They noticed that the Google Drive folder where they uploaded their class assignments during remote learning contained documents uploaded by students and staff at schools across the city. Those documents included second graders’ classwork, a parent-teacher conference sign up sheet, and college recommendation letters, said a Brooklyn Tech High School student who asked to remain anonymous.
The students then requested a meeting with a senior staff member at their school, an email obtained by Chalkbeat confirms. At the meeting, the Brooklyn Tech student recalls, the staff member listened as the students walked through a PowerPoint presentation explaining the privacy issues in the education department’s Google Drive. The presentation included a slide with photos of some of the shared documents, including a template the students themselves created saying “Brooklyn Tech is better than Stuyvesant.” (Brooklyn Tech and Stuyvesant are two of the city’s top high schools.)
“At that point [after the meeting] we thought the issue was going to get taken care of,” the student said, adding that the staff member seemed shocked that students could see so many private files. “We kind of forgot about it.”
The administrator with whom the students met did not respond to Chalkbeat’s request for comment.
In March, students checked Google Drive to see if officials had resolved the issue. They discovered it had only gotten worse. The student said they stumbled upon a school’s payroll document that contained teacher pay information, along with social security numbers, phone numbers and addresses.
Concerned, the student began calling the phone numbers of teachers on the list, hoping to get a hold of someone who would take the document down. Eventually, a teacher picked up and was shocked to hear the student rattle off his social security number.
“He was in shock because no one really expects a 16-year-old to call them at 10 o’clock in the morning saying ‘I have your social security number,’” the student said.
The student said he also happened across a Google Drive folder that contained teachers’ certificates of completion for TREP, or trauma responsive education practices. Those certificates contained the last four digits of the teachers’ social security numbers, the student said.
On March 18, the Brooklyn Tech student emailed three officials at the city’s education department, informing them of the data breach.
“My friends and I have discovered an issue with Google domain that allows for the sharing of files with all students and teachers in the @nyc doe google drive system,” the email reads. “My friends and I would be glad to show you the extent of the issue (which is getting worse by the day), the probable cause behind it, and how to prevent it from happening in the future. I have taken the time to call 3 schools and alert them of recently edited files that contain SSNs , employee ID’s, OSIS numbers, and home addresses. Please reply to this email or preferably call me so I can show you how the situation is escalating by the hour.”
Education department officials responded within minutes, and call records show the student received a phone call from the department that same day.
The student explained to officials over the phone and in a subsequent email that a hidden setting in Google Drive automatically enables anyone with an email address provided by the education department to search for Google Drive files. This past year, all students at city-run schools were given education department-issued email addresses to access remote instruction.
The student explained how the issue could be avoided going forward.
The next day, the student sent another email to department officials saying “a lot fewer files are visible in the Google domain.”
The student suggested that the education department communicate with schools on how to prevent files from being viewable to everyone within the domain. And he thanked the education department “for responding quickly” to the problem.
Last week, the education department confirmed that approximately 3,000 students and 100 employees had been impacted by a data leak. Education department officials said that a student managed to access a Google Drive that contained private information of some students and department employees.
Department officials did not confirm whether the breach reported to the education department by the Brooklyn Tech students in March was the same incident as the one confirmed last week. They said confidentiality laws preclude them from commenting on specific schools. Still, they said the breach reported last week involved two separate incidents, one in August 2020 and the other in March 2021.
The department responded to those incidents by taking steps to prevent future data breaches. For instance, they conducted a review of electronic files, restricted file sharing permission settings, and implemented new tools to monitor new files and permission settings.
Those impacted by the August 2020 and March breaches were informed via mail. They were given the option to enroll in two years of free credit monitoring and identity theft monitoring services.
One teacher anonymously informed Chalkbeat that the letter they received stated the data breach that affected them occurred in March.
According to the education department, there are several ongoing investigations into what was addressed in the letters.
Although the Brooklyn Tech student said he thinks that confidential information has been removed from Google Drive, he said he is still worried about potential future data breaches.
“The issue isn’t really fixed per se,” the student said. He said he believes sensitive information should not be shared through Google Drive because it is still possible for a staff member to accidentally share information to an entire school with the click of a button.
The education department did not state whether they would stop using Google Drive to store and share sensitive information. But they explained that their privacy guidance and training emphasizes that confidential information must only be shared with the individuals authorized to view such information.