Students' Personal Data Posted Online

By Michael Alison Chandler
Washington Post Staff Writer
Thursday, August 21, 2008

Personal information for hundreds of Fairfax County students was accidentally published online this summer by the Princeton Review, a test-preparation company.

Student names, identification numbers assigned by the school system and dates of birth were inadvertently stored on a publicly accessible Web site for about six weeks beginning in June, school officials said yesterday after a conference call with company officials Tuesday. The information, dating from 2006, also included the students' sexes and schools.

The Princeton Review shut down access to the information Monday, shortly before a story about the breach was published in the New York Times. In a statement, the company said the security breakdown probably occurred when the files were transferred to a new Web hosting provider.

Officials for the 165,700-student system received a copy of the files yesterday to check the extent of the breach. They said they planned to contact parents whose children might have had information on the unprotected site. After a preliminary analysis, it appeared that fewer than 300 students were affected, said Paul Regnier, a Fairfax schools spokesman.

"We think the exposure is minimal . . . but we certainly would not want to risk any of our student information being exposed to a security breach," said Maribeth Luftglass, chief information officer for the school system.

Information about thousands of students in Sarasota, Fla., was also accessible without a password on the Princeton Review's Web site during the same period, including test scores, race and ethnicity, and ID numbers, which, in some cases, match Social Security numbers.

Gary Leatherman, a spokesman for the 42,000-student system, said that the school district was reviewing its contract with the company and creating a set of separate ID numbers so that "even when there is a presumption of confidentiality, we don't have that [Social Security] number in the mix."

The Fairfax school system had a three-year contract with Princeton Review worth nearly $3 million to provide practice tests for students in grades 3 through 8 preparing for standardized state exams. The contract, which has a confidentiality agreement, was due to expire this year as the system places its own online testing program in each school.

The potential for insecure information grows as companies outsource operations, said David H. Holtzman, author of the book "Privacy Lost" and a Herndon resident whose children graduated from Fairfax schools.

"Each organization that is hired to do another piece loses the sense of urgency. . . . The personal contact and sense of responsibility are gone," Holtzman said. The answer is "vigilant quality control" starting at the top, in this case with the Fairfax County School Board, he said.

The Princeton Review's statement and a spokesman said the company will review its security policy and procedures. It will also try to determine how the information became public and how many people might have seen it.

"We are working diligently to put in place any needed remedies to make certain this problem does not recur," the statement said.

© 2008 The Washington Post Company