Loudoun Schools Repair Online Data Breach - Leesburg Today Online—Daily News Coverage of Loudoun County, Leesburg, Ashburn: News

July 5, 2015
default avatar
Welcome to the site! Login or Signup below.
Not you?||
Logout|My Dashboard

Loudoun Schools Repair Online Data Breach

Font Size:
Default font size
Larger font size

Posted: Tuesday, January 7, 2014 9:05 am

Loudoun County school officials have responded to a data breach that made personal information about students and staff members, as well as detailed emergency response plans for each school, publicly available through a webpage that was thought to be protected by a password.

More than 1,300 links that could be accessed through a Google search led to thousands of documents that detail how each school will respond to a long list of emergencies—everything from an active shooter and a hostage situation to a nuclear attack—and specify staging areas for response teams, as well as where students and staff members will take shelter at each school.

Documents could also be accessed that list students’ course schedules, locker combinations, home addresses, phone numbers and birthdates, as well as the address and cell numbers for many school administrators. Maps for specific schools describe how to shut off utilities, and the location of emergency exits and evacuation plans. Other documents include form letters ready to respond to everything from a student’s death to a school closure caused by a pandemic.

The Public Information Office learned of the breach Thursday and immediately contacted the third-party vendor that is responsible for protecting the data.

“As soon as we found out, we shut it down and recalibrated everything,” Loudoun County schools’ Public Information Officer Wayde Byard said, noting it was error on the vendor’s part.

The webpage, labeled “Emergency Management Plan – Loudoun County Public Schools,” was under maintenance Thursday and was secured by Friday.

It’s not known how long the information could be publicly accessed, according to Byard. “We think it was a short window, but we don’t know.”

A Loudoun County parent informed Leesburg Today about the data breach and the newspaper then alerted the school system about the concern.

The parent, who requested to remain anonymous, said he stumbled upon the webpage after he typed the phone number of a missed call into the search engine Google. The first result led the parent to a page that listed Loudoun County students’ names, as well as their parents’, home addresses, phone numbers and home room assignments. Another online search led him to information on his own child.

“Obviously, this information in the wrong hands of a predator or somebody else wishing to do harm to students or facilities could prove troublesome,” he said. “I don't want to have something happen and me not have acted to secure the data.”

In a statement released Tuesday Superintendent Edgar B. Hatrick wrote he was “deeply concerned” about data breach. He identified the contractor as Risk Solutions International, which was hired to maintain the school system’s Emergency Management Plans.

“Risk Solution International acknowledged that human error, on their part, was the cause of the data breach. I have insisted that they take all necessary steps to ensure the complete privacy of our data,” Hatrick said. “That said, I am deeply concerned that the breach occurred and have taken every possible precaution to make sure it does not happen again.”

Welcome to the discussion.


  • David Dickinson posted at 2:32 pm on Wed, Jan 8, 2014.

    David Dickinson Posts: 980

    Could LCPS administrators possible screw up any more this year?

    And to think that there are 1,400 LCPS administrators costing over $100k/year each, you would think one of these high paid geniuses would have caught on to this sooner.

    I hope LCPS has enough common sense to start looking at the "punitive damages" section of their contract with Risk Solutions International...unless that was another inside contract job given out to someone's relative.

  • Glory posted at 11:37 am on Wed, Jan 8, 2014.

    Glory Posts: 1064

    Is this why schools closed Monday, for damage control? What one gets for low bids - actual risk instead of risk solutions?

    Agree with Erv - "ill-advised to publish the specific method used to access the cached data: it's still highly confidential and the fewer people with access to it the better."

  • Erv Addison posted at 1:11 am on Wed, Jan 8, 2014.

    Erv Addison Posts: 105

    NobodyCares, even though 30 seconds after this article hit the Internet Tuesday morning, anyone with just a little bit of Google savvy was able to access a ton of confidential data belonging to tens of thousands of Loudoun County residents, it was ill-advised to publish the specific method used to access the cached data: it's still highly confidential and the fewer people with access to it the better. Of course, I may be quibbling over merely a moral point (since students' home addresses, telephone numbers, and even their parents' names for nearly every high school in the county were available for the taking all day long), I still think it's important to not exacerbate the problem.

    NobodyCares, however, does shed light on some very important concerns for LCPS families. The first is that the search method used belies Wayde Byard's assertion that LCPS doesn't know how long the data was unsecured and "We think it was a short window, but we don’t know.” First, since the cached files on Google's and other search engines' servers go back six months, we know that that private information has been accessible for at least half a year, so it's definitely not a "short window."

    Second, we need to better understand how this happened, and not just the "human error" by Risk Solutions International, but the follow up by the vendor and LCPS's IT staff. As NobodyCares mentions, using a method called robots.txt is a standard method web developers employ to prevent the search spiders (programs) from indexing data on private and government servers for listing in search results. Since all the files (over 1,300 of them apparently) show up in Google searches, that means that not only were the files not behind a password protected gateway, but they were always available to search engines for caching on Google, Yahoo, and Bing servers. This is not simply a single "human error."

    This then raises the problem with the follow-up once the breach was reported to the school system. According to the article, LCPS was informed of the security breach last Thursday and they say they shut down direct access to the data immediately. However, the cached data was still available until just a few hours ago. Google provides administrative tools specifically designed to clear those cached files, so we must ask why so much of the highly sensitive student information was still out on the Internet five days after LCPS's IT department knew that Google had indexed all of the files.

    This also makes the Public Information Officer's claim that LCPS doesn't know how long the confidential data was vulnerable somewhat problematic. Anyone who executed the search NobodyCares did would know in seconds how long the data was out there for the taking. This means that either no one at LCPS or Risk Solutions International thought of the search engine cache issue—which would explain why the caches were alive tonight and raise serious questions about LCPS's technical expertise—or they did know about them, but for some reason didn't clean them out after almost a week and before the story broke to the public—which then raises troubling questions about the accuracy or veracity of the Public Information Office's statement.

    Only LCPS knows for certain how much private information is now in the hands of who knows how many people and there's no putting that genie back into the bottle. A year ago LCPS hired a new Assistant Superintendent for Technology Services to the tune of $200,000 a year. I wouldn't want to be in his seat right now, not after last year's very bumpy network upgrade implementation, a sloppy rollout of a new email system in his first year, and now a data security breach reminiscent of Target's recent problems.

    The candor and transparency of LCPS's response to this event will say much of the character of its school board and administration going forward.

  • 12345678 posted at 8:36 pm on Tue, Jan 7, 2014.

    12345678 Posts: 6

    If the media had not been notified, the parents may never have found out about the security breach. The media is also how we found out about the bullying of teachers at Loudoun Valley, and nothing has been done about that.

  • Cmckeonjr posted at 6:49 pm on Tue, Jan 7, 2014.

    Cmckeonjr Posts: 350

    Nice, NobodyCares, very nice.

  • NobodyCares posted at 6:38 pm on Tue, Jan 7, 2014.

    NobodyCares Posts: 2

    To be more specific: use this search for Google site:http://loudoun.rsi-emp.com and to give more clarity about "it was a short window." The oldest cached page I can find is from July 3, 2013

  • NobodyCares posted at 6:25 pm on Tue, Jan 7, 2014.

    NobodyCares Posts: 2

    A few hours ago they placed the robots.txt which prevents spidering but it does not clear the cached of already indexed pages. They should use the admin tool of search engines.

    Just search of http://loudoun.rsi-emp.com on any search engine and you find still hundreds of private address and phone details like:

    S*X: M
    PARENT 1: DOE, X
    xxx FORT EVANS RD NE #xx
    LEESBURG, VA 20176
    HOME PHONE: 571-xxx-xxxx

    After that the data is still not save. The site is based on an older unsafe Microsoft technology. Clearly poor maintenance as even the server time is not synchronized.

    But why does all this detailed data to be available on a system connected to the internet at all?

  • Barbara Munsey posted at 4:55 pm on Tue, Jan 7, 2014.

    Barbara Munsey Posts: 599

    actually securing the data is not the same as securing transparency on how the data became unsecured.

    first call to either the school system, or to law enforcement, as the actual data was far too transparent!

  • teacher aide posted at 4:29 pm on Tue, Jan 7, 2014.

    teacher aide Posts: 9

    Wyade Wade Wayde Waid Waed I've seen his "no media memos" before; [beam]

  • Erv Addison posted at 4:22 pm on Tue, Jan 7, 2014.

    Erv Addison Posts: 105

    Additionally, we should keep in mind that when LCPS initially deployed its online Clarity student information system a couple years ago, login required only the student's state ID and birth date, two pieces of information widely available to a large number of parties.

  • Erv Addison posted at 4:19 pm on Tue, Jan 7, 2014.

    Erv Addison Posts: 105

    Considering the "transparency" with the commonwealth's investigation into possible test fraud at LCPS last year (not even the school board was told) and the complaints about grade inflation at Loudoun Valley, perhaps contacting the media first is the best way to ensure real transparency.

    Consider Mr. Bayrd's quantification of the breach: "It’s not known how long the information could be publicly accessed, according to Byard. “We think it was a short window, but we don’t know.”

    Despite acknowledging that LCPS has no idea how long the information was exposed, it still tells us "it was a short window." Smart move. Another is to deflect blame responsibility with statements like "it was error on the vendor’s part."

    Awareness of dangers here should not be something new to LCPS. Just last month, Fordham University Law School's Center on Law and Information Policy released a study, "Privacy and Cloud Computing in Public Schools," noting serious problems with secure control of private student information with K-12 schools across the country that have contracts with private companies using cloud storage, as well as in alerting parents and students about who has access to student data.

    These three findings of the study should prompt LCPS stakeholders to ensure there is substantial follow-up on this incident—

     Districts frequently surrender control of student information when using cloud
    services: fewer than 25% of the agreements specify the purpose for disclosures of
    student information, fewer than 7% of the contracts restrict the sale or marketing of
    student information by vendors, and many agreements allow vendors to change the terms without notice. FERPA, however, generally requires districts to have direct control of student information when disclosed to third-party service providers.

     An overwhelming majority of cloud service contracts do not address parental notice, consent, or access to student information. Some services even require parents to activate accounts and, in the process, consent to privacy policies that may contradict those in the district’s agreement with the vendor. FERPA, PPRA and COPPA, however, contain requirements related to parental notice, consent, and access to student information.

     School district cloud service agreements generally do not provide for data security and even allow vendors to retain student information in perpetuity with alarming frequency. Yet, basic norms of information privacy require data security.

    We should fully understand how much of the "error" lies with the vendor and also ask what, if any, other similar incidents have occurred.

    LCPS has just signed a large contract for a student information system with Edupoint Educational Systems, potentially expanding the breadth and integration of confidential information available online and now would be a good time to fully understand the plan and safeguards for securing that information.

  • hphokie posted at 4:17 pm on Tue, Jan 7, 2014.

    hphokie Posts: 2

    I like how "teacher aide" knows Wayde so well she can assert that he is "not media friendly and will distort", yet doesn't even know how to spell his name....

  • teacher aide posted at 3:48 pm on Tue, Jan 7, 2014.

    teacher aide Posts: 9

    Wade is not noted for being forthcoming to the media when LCPS has a security issue.

    I, as a parent, would have contacted the paper first as well, to be sure the news was publicized, and assuming the paper would notify the school. Wade is not media friendly, and will distort.

  • Cmckeonjr posted at 3:42 pm on Tue, Jan 7, 2014.

    Cmckeonjr Posts: 350

    My guess is the parent did not have the information you have–that the school system had a data security plan in place to secure the data; that the reason for this exposure of sensitive data was vendor error–and went to Leesburg Today to draw public attention to the situation. Hindsight is always 20/20.

  • hubba bubba posted at 10:49 am on Tue, Jan 7, 2014.

    hubba bubba Posts: 435

    Agree with Barbara....I guess my first call would have been to LCPS and then the paper. Now I hope LCPS will share with us (after getting the 3rd party vendor to disclose) how long the info was unsecured. I'm wondering if I need to access a credit report on my child. Children's identities are often favorite targets of ID thieves because no one thinks to check their reports regularly.

  • Barbara Munsey posted at 10:08 am on Tue, Jan 7, 2014.

    Barbara Munsey Posts: 599

    how does calling a newspaper secure the data?

    Thank you to Leesburg Today for actually doing so by informing the school system.

    and for holding publication of the news until after the site was secured.