Oops. Data leak not fixed as Topeka school leaders thought
Last week, I posted a privacy breach involving student data in Topeka Unified School District 501 over on PogoWasRight.
It seems I missed an update, but happily, @VERISDB caught it and tweeted a link. Celia Llopis-Jepsen reports:
Confidential student data continued to be available this week to unauthorized people at Topeka Unified School District 501, even after the superintendent assured The Topeka Capital-Journal and the U.S. Department of Agriculture the problem had been fixed.[…]
On Tuesday evening, after USD 501 mailed its letter, The Capital-Journal learned the district hadn’t succeeded in fixing the PowerSchool leak.
A person with PowerSchool access who should not legally be able to view the low-income status of students provided samples of that data to the newspaper. The person masked student identifiers to avoid further compromising the privacy of children.
Read more on CJOnline.com.
So not only did they have a breach, but their mitigation of the breach was inadequate as the data were still exposed even after their assurances that it had been locked down.
The district has not been particularly forthcoming with the Capital-Journal, either. The following day, they reported:
In recent weeks, The Capital-Journal has reported on uses of the family-income information at USD 501 that violated federal law on student confidentiality. The data in question identifies which children come from low-income families. Principals and some other educators had unauthorized access to it on PowerSchool. Some schools posted the information on coded wall-hanging displays.
USD 501 indicated in a letter responding to questions from the Kansas State Department of Education and U.S. Department of Agriculture that four schools displayed the data.
In a statement to school board members Thursday, Ford said two schools displayed it, adding that one school had been mistaken.
She didn’t address the fourth school.
The district hasn’t responded to The Capital-Journal’s request for the names of the schools.
So have all the parents of students whose information were exposed either electronically or on wall hangings been informed of the breach? Has anyone sat the school district down to educate them about transparency? And does Kansas’s state education department have anything to say about this breach?