Friday, April 29, 2005

Incident: Halifax student information posted on Internet

A teacher with the Halifax Regional School Board apparently put a confidential student list on an accessible website. It wasn't linked to from anywhere, but someone e-mailed the URL to the Halifax Chronicle Herald:

Student information posted on Internet: "

Teacher at Dartmouth school unaware confidential file could be accessed

By BARRY DOREY / Staff Reporter

School webmasters can expect a stern warning and a reminder about the dangers of their online duties after a detailed Dartmouth student list was left accessible on the Internet.

A teacher at Bicentennial School on Victoria Road posted a spreadsheet that listed the name, address, birthdate and phone number of every student.

It was posted in an area where she believed nobody would find it and there were no links to the page on the school website. But provided with the web page address, anyone could download the file.

"That information should have never been able to be accessed," said Doug Hadley, spokesman for the Halifax regional school board.

"We will be following up, we will talk to our schools this week."

Alerted to the situation by this newspaper, board officials located and removed the file within an hour Thursday night.

Mr. Hadley said the board is looking into the possibility that a hacker located the file, which was created last summer and was stashed in a private folder on the board's servers. But it was not protected by any passwords or other safeguards, meaning anyone with the URL could view the page.

"It's possible it may have been accessible for the entire year," Mr. Hadley said.

An e-mail including the web address was sent to this newspaper Thursday.

Board officials will use the incident as a "teaching moment" for all teachers or administrators who act as webmasters, he said. They will be reminded of the board's acceptable-use policy and will be warned of the perils of posting confidential information.

"This type of breach was not done with any type of (malicious) intent in mind, but we have to treat it seriously," Mr. Hadley said.

"The teacher was likely going beyond (the call of duty) and carrying the work home," where she could access information online.

The warning to webmasters, who receive general training but little in the way of followup or skills upgrading, is clear.

"Files may not be just for their eyes" if a hacker finds the page or "if someone knows what they are looking for," Mr. Hadley said.

He wouldn't speculate on any discipline that may be meted out to the teacher who made the mistake.

"I'm sure that the principal will follow up with the staff person," he said.

One parent of a Bicentennial student said the school board should be doing more to train and oversee teachers.

"It's unfortunate and I think the school board has to be more vigilant," said the father of two students.

"It's disappointing that it was not more secure."

Board policy forbids the posting of any student information without the written consent of a parent or guardian. And any files containing personal information must be protected with user names and passwords."

No comments: