Students' Personal Data Posted Online

Fairfax County school officials said today that about 75,000 of their students had been affected by a technological breach this summer in which names, birthdates and other personal information was accidentally published online by the test-preparation company Princeton Review. Late last night, school officials had said the glitch affected a much smaller number of students --about 300.

The students' names, identification numbers assigned by the school system and dates of birth were inadvertently stored on a publicly accessible Web site for about six weeks beginning in June, school officials said yesterday after a conference call with company officials Tuesday. The information, dating from 2006, also included the students' sexes and schools.

Although a report about the breach that appeared in the New York Times earlier this week estimated the number of Fairfax students affected at 74,000, a spokesman for the Fairfax school system contacted The Post at 9 last night to say the number was much fewer.

This morning, however, school officials corrected that information again, saying there were about 250 files published online, with information on approximately 75,000 youngsters.

In addition, school officials said the names of about 3,000 teachers were also published online.

The Princeton Review shut down access to the information Monday, shortly before the story about the breach was published in the Times. In a statement, the company said the security breakdown probably occurred when the files were transferred to a new Web hosting provider.

Officials for the 165,700-student system received a copy of the files yesterday to check the extent of the breach. They said they planned to contact parents whose children might have had information on the unprotected site.

"We think the exposure is minimal . . . but we certainly would not want to risk any of our student information being exposed to a security breach," said Maribeth Luftglass, chief information officer for the school system.

Information about thousands of students in Sarasota, Fla., was also accessible without a password on the Princeton Review's Web site during the same period, including test scores, race and ethnicity, and ID numbers, which, in some cases, match Social Security numbers.

Gary Leatherman, a spokesman for the 42,000-student system, said that the school district was reviewing its contract with the company and creating a set of separate ID numbers so that "even when there is a presumption of confidentiality, we don't have that [Social Security] number in the mix."

The Fairfax school system had a three-year contract with Princeton Review worth nearly $3 million to provide practice tests for students in grades 3 through 8 preparing for standardized state exams. The contract, which has a confidentiality agreement, was due to expire this year as the system places its own online testing program in each school.

The potential for insecure information grows as companies outsource operations, said David H. Holtzman, author of the book "Privacy Lost" and a Herndon resident whose children graduated from Fairfax schools.

"Each organization that is hired to do another piece loses the sense of urgency. . . . The personal contact and sense of responsibility are gone," Holtzman said. The answer is "vigilant quality control" starting at the top, in this case with the Fairfax County School Board, he said.

The Princeton Review's statement and a spokesman said the company will review its security policy and procedures. It will also try to determine how the information became public and how many people might have seen it.

"We are working diligently to put in place any needed remedies to make certain this problem does not recur," the statement said.