Summit School District corrects security breach that leaked student information
June 24, 2014
Last week Summit School District officials discovered a security issue that made some student and parent information available online.
The district's communications coordinator, Julie McCluskie, sent a letter to school families from Superintendent Heidi Pace on Thursday, June 19, informing them about the breach and the steps the district took to correct it and prevent a similar incident in the future.
"We take our responsibility of protecting student information very, very seriously," McCluskie said by phone Tuesday.
She added that the district was grateful to the parent who retrieved the information while doing an online search and brought the issue to the district's attention Thursday.
The information the parent found came from an internal student data file the district used for automated calls to parents about their children's negative food account balances.
The file contained the following information for all of the district's roughly 3,200 students: student first and last name, grade level, school identification number, assigned PowerSchool number, current food service balance, phone number and the personal email address of the guardian.
No other personal student information was included.
Bethany Massey, the district's director of assessment and technology, said the lunch balance number wasn't clearly labeled so anyone who might have seen the information probably wouldn't have known what that number represented.
She said the district immediately investigated why the file was accessible, found a setting that allowed for a security bypass and then made sure the file was no longer accessible on the Web or available to anyone outside of school district personnel.
Though the incident appears isolated to that individual file, McCluskie said, the district took more steps to reinforce security measures.
Officials immediately conducted internal vulnerability scans, which did not identify any areas of concern.
The district is in the process of hiring an external IT security firm to audit any potential internal and external threats or vulnerabilities. After that, the district will correct problems as needed. Passwords for PowerSchool, the Web-based student information system that lets teachers, students and parents view grade and attendance records, were not available in the file.
Massey said the incident could serve as a reminder to reset passwords periodically.