36,000 folders exposed during Baltimore County schools’ June Microsoft data security lapse
Posted by Ann Costantino on 14th August 2019

Although Baltimore County Public Schools’ communications department says it does not consider June’s data security issue a “security breach” – and its law office said it is not a “security flaw” either – new information obtained by The Baltimore Post reveals that the lack of proper security measures exposed 36,000 folders for viewing by anyone with a password to the school system’s BCPS OneDrive portal.

According to public records, the school system pointed to eight staff members it found to be responsible for the exposure of all 36,000 folders due to a “share with all” setting that, combined with two Microsoft updates – one in 2014 and the other in late May – allowed the folders and sensitive documents to be seen and made them searchable through an updated search bar function.

Some records were available for viewing by merely entering the application, while most were available through the search bar, where even innocuous searches could bring up more sensitive records. [See screenshots lower in article.]

While Baltimore County schools’ staff said that not all students were impacted, some of the documents found by The Baltimore Post go back as far as the 2008-2009 school year.  In all, documents covering at least 10 years were available. Several exposed highly sensitive information.

In June, concerned parents reached out to The Baltimore Post after complaints in late May were not addressed by the school system.  The district did not take measures to remedy the problem until The Baltimore Post contacted a member of the system’s IT staff on June 5.

The Baltimore Post reported the data privacy concern to the employee prior to breaking the data lapse story, which precipitated a temporary shutdown of the Microsoft application on the BCPS OneDrive portal.

Although the new public records do not specify the number of documents that were exposed in the folders, they say “many” were empty. But at the time this article was published, “many” remained undefined, since the school system failed to answer questions about the actual number or about how many documents within those 36,000 folders were exposed.

But, as the new records show, an employee in the system’s communications department put the onus not on the school system but on anyone who may have looked at the exposed documents in the BCPS OneDrive portal.

“I’m not a parent, but if I were, I wouldn’t look at other students’ (records)….We are not calling it a breach, because it wasn’t,” a Baltimore County schools’ communications specialist said, according to the records.

The school system would not say how many of the password credential-holders, which include approximately 115,000 students, their parents (or guardians), and thousands of staff members, viewed the documents.

A letter sent to principals stated that the update, which triggered the exposure of the documents, occurred in late May, which was also – according to the new records – when the school board was made aware of the security issue.

All of this comes from new information obtained via a Maryland Public Information Act (MPIA) request of the state’s Office of Education Accountability (OEA), which revealed information Baltimore County school staff would not provide to The Baltimore Post, despite requests concerning the nature of the lapse that exposed highly sensitive student and staff records.

As reported in June, some of the records included students’ medical and psychological diagnoses, highly detailed student state test scores with names, addresses and student ID numbers, detailed suspension and expulsion data, and notes and official reports from special education meetings. Some staff members’ medical information was also available for public viewing. Social security numbers were not among the data exposed.

Redacted examples of some of the sensitive records found during the security lapse can be viewed by clicking on each image below.  

But according to documents provided by the OEA on Monday, school system staff do not consider the lapse a breach – or a flaw. 

Documents show that an attorney for the Baltimore County school system said the district is not obligated to report the issue to the US Department of Education. In July, that department sent notification letters to parents and students after officials reported that a data breach exposed similar records on 70,000 K-12 Hawaii public school students when a third-party vendor, contracted with the University of Hawaii’s college and career program, was compromised. All affected students were notified that their personal information may have been compromised. There is no indication that Baltimore County schools did the same; school officials did not say.

The repair of Baltimore County schools’ security issue in June interrupted students’ and parents’ access to the Microsoft 365 application during final exams.

Some students could not access resources to prepare for the exams or complete final projects by due dates.

During the Microsoft application blackout, messages from former interim Superintendent Verletta White to principals gave instructions to staff on how to change share-all settings to private.

White left the system at the end of June.  Superintendent Darryl L. Williams took over on July 1, several weeks after the data privacy lapse was discovered.

A teacher who reached out to The Baltimore Post at the time the system’s portal was down stated that the district made three attempts to provide proper instructions to staff members in order to repair the security issue. The OEA records also indicated the agency had been notified of the same difficulties.

Baltimore County Public Schools is a two-time recipient of the Trusted Learning Environment (TLE) Seal, given by the Consortium of School Networking (CoSN), a professional association for technology leaders. The district is one of only 16 school systems to achieve the honor, and the only school district in Maryland.

The award shows that the school system has demonstrated a strong commitment to student data privacy and security by meeting a rigorous set of standards.

In an earlier interview with CoSN, a spokesperson said the seal is not intended to be an “end-all be-all”… “no one is perfect at data security, but it is a commitment to ongoing improvement…the program requires that there is an ongoing effort and commitment. It’s not that one gets the seal and sits back; it’s that one gets the seal and keeps going.”

A spokesperson for Microsoft told The Baltimore Post in June, “We encourage customers to use best practices when configuring sharing settings unique to their needs…”  The spokesperson also said that Microsoft worked with school staff to resolve the data vulnerability.

When asked in June for an update from the district on the investigation into the depth of the security lapse, communication specialist Brandon Oland said, “We’ve shared updates with the community, and there were swift, detailed instructions for how affected staff could remedy.”  The Baltimore Post is awaiting an update from Oland on the new information concerning 36,000 exposed folders and the depth of the security lapse.

Through an MPIA request, Margaret-Ann Howie, the system’s general counsel and records officer, shared an email that was sent to principals, but would not release information surrounding the security issue. Howie said, “(There) has been no indication from Microsoft that Office 365 OneDrive contains a ‘security flaw.’”

Howie also denied a request for email records between IT staff members concerning the security lapse, stating, “(they) contain information about the security of the school system’s information systems… your request is denied.”

Baltimore County Executive Johnny Olszewski’s administration, which was notified of the security lapse by Baltimore County schools’ staff and the OEA, according to records, told The Baltimore Post when learning of the 36,000 open folders, “Cybersecurity is critically important and we view data security as a top priority. The County Executive’s office is confident that the steps taken by BCPS were the correct steps to address this issue and safeguard against future concerns.”

Baltimore County schools’ IT staff have since deleted all 36,000 folders, records show.

This story will be updated.

annc@thebaltimorepost.com