Loudoun schools’ data accidentally breached
By Caitlin Gibson and Martin Weil,
An accidental security breach of Loudoun County school system data left unprotected personal information about students and employees, school officials said.
The breach, attributed to an outside software vendor, may have left the data exposed from as early as Nov. 4, schools officials said. It was another incident that demonstrates the difficulties of protecting the confidentiality of personal information in the computer age.
In messages sent Tuesday to the Loudoun school community, Superintendent Edgar B. Hatrick III said the site in question was taken down immediately while the problem was corrected.
He said he has insisted that the vendor, Risk Solutions International, “take all necessary steps to ensure the complete privacy of our data.”
It was not clear whether anyone had accessed the data.
School officials said the breach involved information used to permit the locating of and accounting for students in an emergency. They said the data involved included such information as students’ birth dates, addresses, class schedules, locker combinations and parent contact data.
The schools had hired the vendor to create an emergency management Web site.
Somone working on the site mistakenly removed some security features and left it online without password protection, school officials said. Usually, it is accessible only to authorized school personnel, said school system spokesman Wayde B. Byard.
The breach was reported first by Leesburg Today, which reported Tuesday that it was discovered by chance by a parent who was searching for the source of a missed phone call.
The parent’s information came to the attention of school officials Thursday, the article said.
Officials said it was unclear how long the potential exposure had existed but added that Risk Solution had identified three dates for when the breach could have occurred. They were Nov. 4, Dec. 19 and Dec. 24.
Michael Alison Chandler contributed to this report.