Baltimore County Schools found exposing highly sensitive information on students and staff members

• The platform contained sensitive information such as academic records, medical information, and contact information, of many students and staff members.
• Around 11,400 students, parents, and staff members have access to the platform.

The public website of Baltimore County Public Schools (BCPS) was found containing a major security flaw that exposed highly sensitive information on students and staff members.

The big picture

Anyone with login credentials for the BCPS One/Schoology platform, which provides students access to academic resources, is able to access the personal information of other students and staff members, as well as certain sensitive school records.

A total of around 11,400 students, parents, and staff members, who have access to the platform could view these records. It is not known for how long the records have been exposed through the platform and whether any unauthorized party gained access to it.

What data was affected?

• The BCPS One/Schoology platform provides access to student projects, assessment scores, students discipline records, suspensions, among other academic details.

• The platform also contains data on applicants for the special education plan.

• Additionally, the medical information, home addresses, and contact information of certain students and staff members, was also accessible to anyone with access to the platform.
• Some of the records stored on the platform date back to the 2008-09 school year.

• A few of the critical records such as assessment scores could also be modifiable. However, the official scores were stored securely behind a firewall.

What actions have been taken?

The Baltimore Post, which first reported on the story, contacted the IT staff at the Baltimore County Schools on Wednesday. The staff member explained that the flaw arose from a “share all” function in Microsoft Office 365 and the site’s search functionality which allowed any user to search for all the records.

Upon discovering the flaw, the district has worked with Microsoft to resolve the issue and identify any other security concerns.