Like many institutions, the Office of Data and Accountability for Washington D.C.'s public schools uses an "intranet" for sharing confidential documents.
Unlike most intranets, theirs was unintentionally public.
City officials locked the intranet on Monday, after a BuzzFeed News inquiry. But before then, anyone who Googled certain phrases — such as "Blackman-Jones," a high-profile class action lawsuit about special education — could stumble upon the intranet and obtain sensitive data about individual students with disabilities.
Hundreds of documents were hosted on the intranet, some providing an unfiltered look into the inner workings of the city's public school system, others leaving confidential information about individual students exposed.
One document also included usernames and passwords that could be used to access a mailbox containing complaints from parents of special education students. BuzzFeed News viewed publicly available pages on DCPS's website but did not attempt to log into the databases or email accounts. However, a spokesperson for the DC government said he believed that the credentials still worked until the site was locked on Monday.
Another section, devoted to professional development courses, listed teachers' and other district employees' email addresses and workplace information.
Administrators locked the site within hours of being contacted by BuzzFeed News on Monday and acknowledged that the public had been able to access information on the internal website since it launched in 2010. In a statement Tuesday, Dr. Nathaniel Beers, Chief of Specialized Instruction for D.C. public schools, admitted that the training materials included "some student information" as well as "login information to a database regarding the District's special education students."
"We apologize to DC students and their families for this situation, and will be reaching out to families to explain what happened," Beers said. "We understand how important it is to safeguard student information and will conduct a top-to-bottom review of our security practices to ensure this does not happen again."
The Blackman-Jones database — the mailbox for which a username and password had been posted — allows both DCPS and the Office of the State Superintendent of Education to resolve special education due process complaints, hearing officer determinations and settlement agreements. DCPS developed the database after a lengthy legal battle spurred by two 1997 class-action lawsuits. In those lawsuits, parents claimed that DCPS violated the federal Individuals with Disabilities Education Act by refusing to respond to cases in a timely manner.
According to the intranet, DCPS administrators accepted the ruling grudgingly. "We may one day be lifted from the burden of the Blackman Jones Consent Decree, but we must continue our timely and efficient response to special education complaints," a page on the intranet stated.
The intranet included over a dozen guides on accessing, inputting, and correcting student data, but it also contained some potentially troubling information: log-in credentials for three DCPS email addresses that have been used to receive documents for entry into the Blackman-Jones database.
One of them, firstname.lastname@example.org, appears to be still in use. According to instructions, "The following documents are received in this mailbox: Hearing Officer Determinations [...], orders and attorney correspondences." A form pointed correspondence to the address as recently as May 2014.
The documents sent to the email address could contain details about students with disabilities, their special education programs, and other sensitive information necessary for handling disciplinary cases against a student. Here's an example complaint from 2011 that was posted on the Office of the State Superintendent's website.
The intranet also included extensive information about how to use DCPS's Special Education Data System, or SEDS. Various documents explained how to search for public school students by name to view all sorts of personal data, including behavior evaluations.
Although most parts of SEDS required a special username and password, some did not.
According to a 2010-2011 document about standardized testing, anyone with a dc.gov email address could use the same password they used to log into their email to review students slated to take the DC CAS ALT test, an assessment for DC students with significant cognitive disabilities. They could also edit those student records.
In his statement, DCPS's Beers said, "There is currently no evidence that data was compromised," but did not provide evidence to rule out the possibility.
"This is a very serious breach of both teacher and student confidentiality and privacy," Washington Teachers' Union president Elizabeth Davis said in a statement to BuzzFeed News. "It's premature to assume that an apology is enough until we know the extent of the damage. Parents and the WTU would certainly want to know what steps will be taken by the city and the school district to correct the problem and ensure that such a breach can never occur again."
John Templon is a data reporter for BuzzFeed News and is based in New York. His secure PGP fingerprint is 2FF6 89D6 9606 812D 5663 C7CE 2DFF BE75 55E5 DF99
Katie Baker is an investigative reporter for BuzzFeed News and is based in London.