High school students who raised the alarm after discovering a severe data breach involving teachers’ personal information say they were ignored for months.
In January, students at Brooklyn Technical High School reportedly stumbled across a Google Drive containing documents uploaded by staff and students at schools across New York City. Among the documents were college recommendation letters, classwork, and parent-teacher conference sign-up sheets.
The students could access the files because of a quirk in the school’s education department’s Google Drive sharing settings. A hidden setting automatically allowed anyone with an email address provided by the education department to search for files in Google Drive.
After making the discovery, the students arranged a meeting with a senior staff member at their school and used a PowerPoint presentation to walk them through the data breach.
“At that point [after the meeting], we thought the issue was going to get taken care of,” one of the students who discovered the breach and who wished to remain anonymous told Chalkbeat.
When the students rechecked the Google Drive in March, they found that even more documents were now accessible. This time, the students could view a school’s payroll document that contained teachers’ salary information, Social Security numbers, phone numbers, and addresses.
The student said they began calling teachers on the list to find one who could remove the document from the drive.
When a teacher answered, the student said, “he was in shock because no one really expects a 16-year-old to call them at 10 o’clock in the morning saying, ‘I have your Social Security number.’”
On March 18, the student notified three officials at the city’s education department of the data breach via email. Earlier this month, the department confirmed a data leak that impacted approximately 3,000 students and 100 employees.
The department told Chalkbeat that confidentiality laws prevented them from confirming that this leak was linked to the data breach reported by the Brooklyn Tech students in March. However, a teacher anonymously told the publication that a data breach notification letter they had received from the department stated that the leak had taken in place in March.