IPS student records compromised

May 16, 2007

By Andy Gammill


Records for thousands of Indianapolis Public Schools students were accidentally posted to the Internet, exposing their grades, personal details and other confidential information to anyone surfing the Web.

Within minutes of being told about the problem by a Star reporter, IPS officials began working to fix the problem and said by this afternoon the records had been protected.

The district is investigating how the records were released.

The files, some of which contain extremely sensitive information, could be found through searches on the popular search engine Google. It appears that teachers and students loaded the files onto IPS's network thinking it was secure. Instead, they ended up posted online.

At least 7,500 IPS students -- about 1 in 5 -- are affected by the disclosure, according to an analysis of the records by The Indianapolis Star. Thousands of records found, posted from two IPS servers, appear to violate the federal Family Educational Rights and Privacy Act, and it appeared the problem had been going on for at least two years.

Some of the files reveal medical details, such as special education diagnoses. Others are rosters of students that include names, addresses, home phone numbers, birthdates and other information.

A suspension list from Emma Donnan Middle School and all the locker combinations at John Marshall Middle School were among the files. Thousands of essays and writing assignments by middle and high school students also were available. In the essays, some students wrote about abuse at home, selling drugs or abusive relationships.

Details about the district's computer system and the cell phone numbers of the entire information technology department were also accidentally placed on the Internet. Several employee job reviews and other personnel files were posted.

Besides the violation of federal law, the files' accidental release put students at risk for identity theft, exposed personal details predators could use to exploit children and put at risk the district's entire network because they signalled an open door for hackers to get onto the system.

The most dangerous information posted consisted of the social security numbers of about 20 students and five staff members, said Beth Givens, an identity theft expert with the Privacy Rights Clearinghouse who was read information from some of the files.

"That's horrendous, the entire family has been victimized," she said. "It is truly egregious."

The district, she said, should pay for a credit monitoring service for those students and staff whose social security numbers were compromised.

Roger Thompson, an Internet security expert who reviewed the IPS Web site at the Star's request, said that from his analysis, the error appears to have resulted from improper settings on the district's server or a flaw in the software that powers the district's system for storing student and staff information.

"It looks like it's a really poorly configured system and a lot of people are going to be really embarrassed and a lot of people are going to be really upset," said Thompson, the chief technology officer at LinkScanner.com. "It looks like somebody has made a mistake."
