By Steve Ragan May 18, 2007, 15:04 GMT
Indianapolis Public Schools exposed over seven thousand students and staff to the potential risk of identity theft, because of a poor network setup according to IT experts in Indianapolis. The setup was used on resource areas of the IPS website that allows teachers to post reviews, student-writing samples, grades, and other confidential material to the IPS network. The forward facing portal to the public was poorly protected, and allowed indexing of its file upload area where documents, spreadsheets, and other confidential documentation were stored.
“On May 16 IPS was approached by the Indianapolis Star and told that it is possible to access confidential information kept in IPS Online, including Social Security numbers, by using the Google search engine. The content at risk was uploaded to the My Content and My Files areas,” said the school system in a press release. After the reporter from the Star News informed IPS of the exposure, the school system moved to correct the issue and fix the leak.
Superintendent Eugene White told the Star News, “We will protect this information in the future. This matter has received the highest priority of the district, and the IT department has made the necessary changes.” The changes made included a patch to the software used to create the portals indexed and the internal audit by IT of the network where the website is housed. The issue the led to the poor design was the complex CMS software used by IPS to create the interface for teachers and other staff to share information, records and other content online. IPS maintains the software was not to blame but in a separate statement to the local CBS affiliate WISH TV reported that the third party vendor had issued a patch to the CMS software.
According to IPS, “Approximately six weeks ago, IPS’ IT Division put steps into place to safeguard data as part of an ongoing effort to keep our data secure. Among those steps was blocking Google from being able to search IPS Online. A disclaimer warning users not to post confidential information to IPS Online also appears. Today, grades, attendance, discipline, and other confidential student information are stored in a password protected database.”
That statement does not sit well with some local Indianapolis citizens and parents of IPS students. If the indexing was disabled for Google six weeks ago, it was either not complete, or poorly done. Google still maintains some copies of the files on its cache.
“While IT has been able to safeguard information within IPS Online, it is not possible for IPS to retrieve information that is currently in the Google databases. IT is contacting Google and other search engine companies requesting that information including Social Security numbers be erased,” the system said.
Many of the exposed teachers and parents of the students expressed privacy concerns. The information currently cached gives way to the possible situation that it was downloaded before the reporter located the flaw. This places students at risk for identity theft and could make them vulnerable to various types of predators. There is also the chance that the district could face a state or federal inquiry if parents file complaints. IPS could also face lawsuits if any of the information was misused. That would cause more financial havoc on the already poorly funded public school system.
IPS started alerting families and staff Wednesday and as of Thursday night, the portal was offline to the public. Google has not responded to the request for cache removal, but some of the cached pages are already missing from their index. There are still a few links with information listed, however, in some of the recent searches of the search engine giant.
Your Talkback on this Story