Thousands of Students Have Their Private Information Exposed after Passing a Test Online
August 20, 2008
Approximately 34 thousand students in the southwest Florida school district have been affected by a security hole that leaked their private information online. All of the students used the Princeton Review program to study for the annual assessment test.
After the test preparation company switched to a new hosting provider, all the information students had provided to the program leaked online, including their birthdays, ethnicity, gender, state ID (which in Florida is very similar to a Social Security number) and scores in the tests they passed.
What's even more disturbing, this information was available online for a month and a half (from early June until this Monday). It is particularly fascinating that the site where the information had been available was discovered by a competing company while it was researching its competitors. Instead of informing Princeton Review of the problem, that competitor chose to report it to The New York Times. In turn, The Times informed Princeton Review of the breach (prior to publishing an article about the situation), and the company finally closed that section of its website.
Of course, the company apologized to the affected customers and promised to carry out an investigation to find the reason for this terrible leak and prevent it from occurring again in the future. It explained that the files with sensitive information were supposed to be protected with passwords, but those passwords were probably lost when the site was reconfigured on a new server.
Right now the company is trying to find out who could have accessed the files, since some of them could be found on search engines. But even though access to the information has now been closed, I think the event is still very disturbing, and it demonstrates once again that one can never feel completely secure when providing sensitive information to any company operating online.
And of course the situation should serve as a good cautionary example for any company that collects its customers' private information: security should be one of the highest priorities for your service, unless you want your competitors to use your mistakes in the competitive struggle and provide The New York Times with detailed information about exactly what you are doing wrong.









The whole question of what does and does not constitute a security breach is open to debate. (The reason for the debate is that virtually all data are exposed to one degree or another at all times.) One might argue that there was no meaningful breach at Princeton Review until the NY Times was informed. Hence, one might argue, the competitor caused (or contributed to) the breach! Liability? –Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
@Ben: Interesting idea, of course the behavior of the competitor could hint at just that. But unfortunately the company easily admitted there was a breach so most probably it is not the case.