Personal information for special-education students in the District has been publicly available online since 2010 through a security breach that D.C. public school officials reported on Tuesday.
The personal data was included in training documents for special-education providers in 2010 and 2011. The documents, including one that was more than 300 pages long, were inadvertently posted to an internal Web site that was not secure, officials said.
The training materials contained some charts with individual student names as well as passwords for online mailboxes where documents, such as parent complaints and attorneys’ letters, can be filed and stored.
Education officials are still trying to determine what was accessible and how many students and families had information exposed, said Fred Lewis, a spokesman for D.C. public schools.
Nathaniel Beers, chief of specialized instruction for D.C. schools, said in a statement Tuesday that there is “no evidence that data was compromised.” He said accessing the information with explicit permission is illegal.
The school system was made aware of the breach by BuzzFeed News on Monday. The site was shut down, and log-in information for the database has been changed.
One password included in the training materials provided entrance to the “Blackman-Jones database,” referring to an 18-year-old special-education lawsuit that prompted judicial oversight of how school administrators respond to requests for special education services.
Because of that oversight, the District has been under close scrutiny to meet specific goals for providing due process hearings and services in a timely way. The process has required close monitoring of every request for services and how it’s handled. In December, a U.S. district judge dismissed the suit.
Lewis said that the password included in the training documents accessed an old version of the database.
The school system plans to send letters to families explaining what happened, he said. Families who have questions about the breach or want to know whether their information was exposed can call 202-442-5451.
Beers apologized to D.C. students and families on Tuesday.
“We understand how important it is to safeguard student information and will conduct a top-to-bottom review of our security practices to ensure this does not happen again,” he said in the statement.