619 students' secure data revealed online

June 24, 2006

By Andrew Shain and Hannah Mitchell


A number of Catawba County high school students received an unwanted adult-world graduation present: Their Social Security numbers were exposed on the Web.

The mother of a graduate found the numbers along with test scores of 619 students on a school Web site this week. She found the page while looking on Google for information about a beauty pageant contestant.

Catawba County Schools officials said the page was password protected and they had no idea how Google got access. Google was working to remove the page Friday night.

"I wonder how long they've been there and who's got them," said Janet Weaver, a Newton mother who discovered the information, "and what damage has been done and what kind of repair can be done."

These 619 Catawba County students join more than 88 million people nationwide victimized in security breaches at banks, data brokers, stores and government agencies since 2005, according to the Privacy Rights Clearinghouse, a California consumer advocacy group. Few of the announced breaches have come from school districts.

Recent breaches include the theft of data last month belonging to 26.5 million military personnel from U.S. Department of Veterans Affairs files and an ATM security breakdown announced this week by Visa that exposed information of an undisclosed number of bank customers.

This week, the Federal Trade Commission, which can punish companies for failing to secure information, said laptops with personal data of about 110 of its employees were stolen from a car.

With a name, Social Security number and some other personal data, ID thieves can open credit accounts and obtain government documents. Social Security numbers are coveted by identity thieves because the numbers are difficult to change. It's unknown whether anyone has fraudulently used the Catawba County students' information.

"These are matters that are completely out of consumers' hands," said Avivah Litan, a Gartner Group research analyst who follows identity-theft trends. "They can't stop all this leakage, shy of retreating from society all together. Google's search engine is exposing all these weakness in the system."

But, she added, Google also is part of the problem by publishing anything it finds on Web sites -- even Social Security numbers.

"They say the Internet is free and open, and you can't stop them," Litan said. "But they ought to scrutinize some of the content and, at least, send a warning to Web sites that they're exposing this information."

Google said it offers an automatic system that allows Web site owners to remove pages from the search engine. "We recognize that privacy is important," spokesman Barry Schnitt said.

The Catawba County students' Social Security numbers were on a page that listed 2001-02 middle school students' scores on placement tests. The students on the list are now rising high school seniors or 2006 graduates.

The information was on a Web site that Catawba schools use to store student and testing data. Some general school information posted on the site is available to the public. Charlotte-Mecklenburg Schools has a similar site, but does not store student information on it.

Catawba officials said Friday that, once they were notified about the discovery, they immediately removed the information from the school system's Web site and asked Google to eliminate access to the information on its end.

The Web page that contains the numbers should have been accessible to only a handful of school officials with a secret password, Catawba schools spokeswoman Beverly Lampe said. She said they don't know how an outside source accessed the protected information.

"I explained that it could be a public relations disaster for Google if they didn't address the concern," Lampe said.

But Google said that its program that collects snapshots of Web pages is not able to enter passwords.

"At some time, the page was available in the open," Schnitt said.

The school system stopped using students' Social Security numbers for identification purposes after the 2001-02 year, Lampe said. School officials said they have combed all other electronic records to make sure they're secure.

They informed parents of students whose information was exposed about the problem through letters mailed Friday and a message posted on the system's Web site.

"We are staying right on it," Lampe said. "It is our No. 1 priority right now, the protection of our students."

[an error occurred while processing this directive]