Personal information, including academic records and biographical data, of about 3,000 New York City public school students and 100 education department staff members was inadvertently shared more widely than intended, education department officials confirmed on Thursday.
At least one student within the public school system managed to access a Google Drive that contained the private information of students and department employees across the city.
The education department did not specify how the student accessed the files, nor did officials confirm when the data breach occurred. Those who were affected were notified by mail.
Upon investigating the data breach, the education department did not find evidence that information in the files was misused or shared further. No social security numbers of parents or students were believed to have been involved, officials said, noting that the department doesn’t collect social security numbers for routine inclusion in databases. Still, the department is offering two years of free credit monitoring and identity theft monitoring services to those who were impacted. That service will be available through IDX, a third-party consumer privacy platform.
“We are committed to protecting the privacy of our staff and school communities, and a DOE student should not have been able to view these files,” education department spokesperson Sarah Casasnovas told Chalkbeat in an email. “We have no indication that anyone’s information was further shared or misused at this time, but we implemented aggressive measures to prevent this from happening again, and out of an abundance of caution we are offering free credit monitoring service to impacted individuals.”
Google Drive is a service that lets users store files in the cloud and share them across multiple devices and users. The owner of the files, in this case the education department, controls who can see them. The owner can share files with individuals through their Gmail account, or they can generate a secret URL that anyone can use to access the files.
At least one school with students impacted by the data breach is in District 28 in Queens. Superintendent Tammy Pate informed the district’s parent-led Community Education Council about the incident during their public meeting on Thursday evening.
“I wanted to share with you that this indeed happened,” she said. She highlighted the aggressive data privacy measure the department has taken in response to the incident. “We now have three-part authentication to get into the system,” she said. “It’s driving me bananas… But if it keeps us safe, then that’s what we’re going to do.”
Vijah Ramjattan, president of District 28’s CEC, said after the meeting that the incident is not thought to have been malicious, or even intentional.
In response to the incident, the education department also conducted a full review of all electronic files, restricted file sharing permission settings and implemented new tools to monitor new files and permission settings.
The incident also prompted the department to develop new mandatory training to educate all staff members with access to student data about their data privacy and security responsibilities, officials said. Training for employees who work for the department’s central staff is underway, and those working in schools will receive the training later this year. The department also provided guidance to staff on document sharing as well as on using permission settings to prevent unauthorized access to confidential information.
Earlier this year, education department officials inadvertently saved a draft letter in Microsoft SharePoint about the reopening of high school campuses — days before the official announcement ending the monthslong shutdown — that a student discovered when searching for schoolwork on their account.