Insufficient Data Security and Disregard for Student Data Privacy Plague the DeKalb County School District

A redacted screenshot taken by The Blue & Gold of a spreadsheet revealing sensitive student information, one of countless files made widely accessible by the district

Keegan Brooks, Archivist and Honorary Editor

The DeKalb County School District has been making thousands of files containing sensitive student and staff information widely accessible to anyone in the district. 

Types of information exposed have included social security numbers, academic records, medical forms, course transcripts, standardized test scores, discipline records, and the 504/IEP information of students, among others. These files exposed the information of thousands of students and staff members from schools across the county.

This was caused by many files within the district being shared with “everyone except external users” by staff members — “everyone” in this case being the more than 93,000 students and 15,500 employees in the district.

The Blue & Gold reported this issue to the district in early March, which resulted in the resolution of some, but not all, of the issues regarding data security. But this problem has not been shared with staff members at the county’s schools, nor with current and former students, whose information is currently vulnerable. 

Files exposed range from the mundane to the absurd, including everything from a certificate for an elementary school’s ugly sweater contest to the safe combinations for district buildings to spreadsheets of student social security numbers.

One file contained the academic transcripts of an entire grade level of students at Martin Luther King Jr. High School. Other files featured years' worth of academic transcripts and report cards for schools. Files detailing the medical conditions of students were also made widely accessible, including files with details about student 504 plans. Elementary schools, middle schools, and high schools across the county were impacted.

It is unclear exactly how many files containing sensitive information were exposed or how many students were impacted by the exposure.

In addition to all of the files shared with the entire district, The Blue & Gold was able to confirm that there were additional files containing sensitive information shared with all staff members of the district.

The issue of sensitive documents being widely accessible was first discovered by The Blue & Gold and reported to chief information officer Monika Davis in early March. We would have also contacted DCSD’s head of IT security, but the position is currently listed as vacant on their website.

“To correct this issue, training is being distributed to district users on what should be restricted as well as proper sharing practices,” wrote Davis in April. As of May 5, no such training has been distributed to Chamblee High School administrators and staff.

A project executive summary from within the district’s IT department obtained by The Blue & Gold outlines some of the tools the district pays for in order to prevent these types of situations.

The document, describing the district’s “Microsoft Premier Support Renewal,” lists “Improve security internally between DCSD users” as one of the district’s business goals through paying for the services of “Microsoft 365 Security and Compliance: Data Loss Prevention” and “Microsoft 365 Security and Compliance: Sensitivity Labels.” The district is paying $99,845.20 annually for these services.

“DLP and compliance tools are 100% built to be a response to [this] behavior,” said Sandar Van Laan, a senior consultant at the consulting firm Slalom. Van Laan has worked as a SharePoint consultant for several organizations over the past two decades.

Training can also only be part of the solution, as responsibility for preventing this issue lies with the district’s IT department.

“You can train and educate and remind people all day long and twice on Sunday and there’s still gonna be some percentage who don’t get it or don’t understand this,” said Van Laan. “And they’re going to improperly leak stuff. You have to have the tools, you have to use the tools, you have to implement them.”

As of May 5, the district has not notified school administrators and staff of the issue on any sort of district-wide scale, if at all.

“It’s astounding that [this] is not being treated as an emergency,” said Van Laan.

Note: Shortly after publication, this article was edited to change the word “school” to “Chamblee High School” for clarification.