Software glitch reveals private data for thousands of state's students

October 21, 2005

By Nanette Asimov, Chronicle Staff Writer

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/10/21/SNAFU.TMP



The personal information of tens of thousands of California children -- including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs -- is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher's user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.

"I'm fuming mad," said Sarah Gadye, the San Francisco middle school teacher who discovered the problem Thursday -- three years after the district purchased the service for elementary and middle school teachers. "My own child could go into this, figure it out and get all this data on all these students. It's mind-boggling."

San Francisco administrators immediately shut down access to the service, called OARS -- Online Assessment Reporting System -- after a reporter phoned and said she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords.

"It's going to be disabled until every teacher is given an individual, random password," said David Campos, the district's chief counsel. "It should be running again sometime next week. But it seems like this could be a problem for other districts as well. They need to take precautions to protect the privacy of their kids."

Other Bay Area districts using the service are Alum Rock in Santa Clara County, and Pittsburg. Most of the 96 districts statewide that use the system are in Southern California and the Central Valley.

Some districts use OARS to organize student information and get help in creating some of the myriad reports that teachers must prepare about their students.

In San Francisco, about 50 schools use it so students can take frequent, online diagnostic tests automatically graded by the OARS system. This kind of approach has been catching on throughout the state because it allows teachers to tailor their instruction to students' needs and increase chances that students will post higher test scores on the annual state exam.

All Hayward elementary schools began using OARS this year, although it had been used for three years in eight low-scoring schools, and at first, Associate Superintendent Christine Quinn and testing director Debbie Bradshaw doubted the existence of a loophole.

"We have confidence in the professionalism of our teachers" not to share their passwords, Bradshaw said.

But told how simple it was to gain access to the student records of any teacher who had not yet changed to a unique password, the administrators said they planned to make sure teachers did so.

"We will definitely monitor that," Quinn said. "We don't want anyone getting into student information."

Axel Shalson, president of Red Schoolhouse Software, which makes OARS, said the product was secure.

"Our servers are housed at facilities with 24-hour security, and transmissions of every Web page are protected," Shalson said. "Over the past three years, there has never been a single concern voiced to Red Schoolhouse by any teacher or other user of OARS about system security."

At the same time, Red Schoolhouse has five client districts in California that have decided to use the OARS software but house it on their own internal computer systems rather than on the software company's.

Doing so costs no extra money. "But it's more management for the district," Shalson said.
