Thousands of New York City teachers’ social security numbers, student academic records, and other confidential data were left exposed for months despite the best efforts of a group of tech-savvy high school students who stumbled across them, told their instructors, and waited nearly a year for action to be taken.
The documents showed up online due to a quirk in the Education Department’s Google Drive sharing setting, a group of Brooklyn Technical High School students found.
The students told Chalkbeat that they unintentionally discovered they had access to the documents in January after they noticed the Google Drive folder, in which they uploaded their class assignments during remote learning, contained documents, some with confidential and sensitive material, from schools across the city. The documents contained everything from sign-up sheets for parent-teacher conferences to college recommendations and home addresses, Chalkbeat reported.
After discovering the information, the students met with a senior staff member at their school. They prepared a PowerPoint presentation explaining the privacy issues found on Google Drive. The presentation also included a slide with pictures of the shared documents.
HIGHLY SKILLED HACKERS BREACH US AGENCIES AND PRIVATE COMPANIES
“At that point, [after the meeting], we thought the issue was going to get taken care of,” the student, who requested not to be identified, told Chalkbeat, adding that the staff member expressed shock that students had access to so many private files.
The students assumed the issue would be dealt with, but when they checked back a few months later, they noticed the problem had gotten worse. They could now see payroll documents containing confidential teacher pay information, social security numbers, phone numbers, and teachers’ home addresses.
Disturbed by the escalation, one student started cold-calling the teachers on the list, hoping someone would answer and take charge of the situation. Finally, a teacher picked up and was surprised to hear the Brooklyn Tech student read back his social security number.
“He was in shock because no one really expects a 16-year-old to call them at 10 o’clock in the morning, saying, ‘I have your social security number,'” the student told Chalkbeat.
The student then emailed three officials at the city’s Education Department, telling them of the data breach and how the situation could be avoided in the future. The following day, fewer files could be seen, but not all of them were taken down.
Months after the incident, the education department confirmed that nearly 3,000 students and 100 employees had been affected by a data breach.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
The department said a student had managed to access a Google Drive that contained private information but claimed the information in the files had not been misused or shared.
They also directly contradicted the Brooklyn Tech student and said no social security numbers of parents or students were involved. Despite the claim that no social security numbers had been made public, the department offered two years of free credit and identity theft monitoring services for those affected.
A call to New York City’s Education Department for comment by the Washington Examiner was not immediately returned. No one answered the telephone at Brooklyn Tech, and the school’s voicemail was full.
