By: Ann Costantino
A massive security flaw has been detected that allowed unrestricted access to highly sensitive records pertaining to students, staff and internal school system data on a Baltimore County Public Schools (BCPS) public-facing website.
A tool within the system’s BCPS One portal platform, where students are able to access classes, grades and academic resources online, is the source of the breach: anyone with a password – including students, parents, and staff members – has had access to others’ personal student and staff member information, as well as some sensitive school system records.
Some records found go back to the 2008-2009 school year.
It is unknown how long the records have been open to thousands of students and employees and whether there was a larger scale breach of the data.
The Baltimore Post reached out to an information technology contact at Baltimore County schools on Wednesday night prior to publishing this story. The contact confirmed that the error stemmed from a “share all” function on Microsoft Office 365 and a search bar that permitted any user to search for any subject – without restriction. Microsoft and the district have since fixed the error and are working to identify other areas of concern on the platform.
Along with student projects and staff presentation materials, records detailing some student assessment scores for PARCC, MAP and PSAT have been available to anyone with a login and password, a group that includes 114,000 students and thousands of parents, teachers and staff members. Some information – such as PARCC assessment scores – was modifiable, although official scores are kept behind a firewall, according to a district employee.
Detailed personal student discipline, suspension and special education plan data were also open for viewing, along with some special education referral letters and emails. Medical information for some students and staff members, as well as all student contact information, was also open for viewing.
In some cases, students’ home addresses and official student identification numbers were also available for examination. Additionally, some staff meeting notes and specific details from some Individual Education Plan (IEP) meetings on student and family history were also available.
BCPS One is the interactive platform for the district’s STAT program. STAT, for Students and Teachers Accessing Tomorrow, began under former Superintendent Dallas Dance. Under the program, the district provides laptop computers for all students and staff members.
Dance was convicted last year on perjury charges for lying on his financial disclosure statements. He served four months in prison and currently works as an educational consultant.
Under Dance, the district began the switch to digital curriculum in 2014, staggering the rollout to all grades over five years. All high schools received the devices in 2018, which completed the implementation. The leased devices, including software and licensing fees, are estimated to have cost or committed Baltimore County schools to over $450 million since the program started.
The district is the recipient of awards for its commitment to student privacy. Last month, the school system received a renewal of the prestigious national Trusted Learning Environment (TLE) Seal, which it first received in 2017. The TLE Seal has been awarded to only 16 school systems and indicates that Baltimore County schools has demonstrated a strong commitment to student data privacy and security by meeting a rigorous set of standards. The district’s website shows it is the only TLE Seal recipient in the State of Maryland.
A source, who spoke with The Baltimore Post under a condition of anonymity, said one parent discovered the security breach on Monday. The parent reached out to two district administrators, but the security flaw remained unaddressed.
Correction: 6/6/2019 at 7:19am – An earlier version of this story stated that one parent notified school administrators late last month (last Wednesday, May 29). The correct day the parent notified school administrators of the security flaw was Monday, June 3. Other parents purportedly reported the breach prior to Monday. This story has been updated to reflect the correct date.