Loudoun County school officials have responded to a data breach that made personal information about students and staff members, as well as detailed emergency response plans for each school, publicly available through a webpage that was thought to be protected by a password.
More than 1,300 links that could be accessed through a Google search led to thousands of documents that detail how each school will respond to a long list of emergencies—everything from an active shooter and a hostage situation to a nuclear attack—and specify staging areas for response teams, as well as where students and staff members will take shelter at each school.
Documents could also be accessed that list students’ course schedules, locker combinations, home addresses, phone numbers and birthdates, as well as the address and cell numbers for many school administrators. Maps for specific schools describe how to shut off utilities, and the location of emergency exits and evacuation plans. Other documents include form letters ready to respond to everything from a student’s death to a school closure caused by a pandemic.
The Public Information Office learned of the breach Thursday and immediately contacted the third-party vendor that is responsible for protecting the data.
“As soon as we found out, we shut it down and recalibrated everything,” Loudoun County schools’ Public Information Officer Wayde Byard said, noting it was error on the vendor’s part.
The webpage, labeled “Emergency Management Plan – Loudoun County Public Schools,” was under maintenance Thursday and was secured by Friday.
It’s not known how long the information could be publicly accessed, according to Byard. “We think it was a short window, but we don’t know.”
A Loudoun County parent informed Leesburg Today about the data breach and the newspaper then alerted the school system about the concern.
The parent, who requested to remain anonymous, said he stumbled upon the webpage after he typed the phone number of a missed call into the search engine Google. The first result led the parent to a page that listed Loudoun County students’ names, as well as their parents’, home addresses, phone numbers and home room assignments. Another online search led him to information on his own child.
“Obviously, this information in the wrong hands of a predator or somebody else wishing to do harm to students or facilities could prove troublesome,” he said. “I don't want to have something happen and me not have acted to secure the data.”
In a statement released Tuesday Superintendent Edgar B. Hatrick wrote he was “deeply concerned” about data breach. He identified the contractor as Risk Solutions International, which was hired to maintain the school system’s Emergency Management Plans.
“Risk Solution International acknowledged that human error, on their part, was the cause of the data breach. I have insisted that they take all necessary steps to ensure the complete privacy of our data,” Hatrick said. “That said, I am deeply concerned that the breach occurred and have taken every possible precaution to make sure it does not happen again.”