Oops! Details Of 100,000 Students Leaked Online

Dennis Faas's picture

A school testing company's blunder left personal details of more than 100,000 students publicly viewable on the web.

The Princeton Review, which produces courses designed to help students prepare for tests including the SAT (the standard entry exam for US universities), recently switched Internet providers. During the move, password-protection mechanisms were inadvertently disabled, leaving sensitive student records fully exposed to the public.

Among the files that lost their protection were one with the names and birth dates of 74,000 Virginia students, and another with more extensive details regarding 34,000 students in Sarasota, Florida. These included their annual test scores, ethnicity and any learning disabilities.

It is reported that the Sarasota education firm had paid $1.7 million for Princeton to develop the system and another $350,000 a year to run it. (Source: heraldtribune.com)

The company suffered further embarrassment as the files also included internal guidelines revealing confidential details about how it prepares tests. Most intriguingly, these included the suggestion that exam writers could rewrite old questions without copyright problems as long as they made sure no three consecutive words remained the same.

The problems came to light when a rival firm was nosing around the site. The rival's staff informed the New York Times, which then informed the Princeton Review before running the story. The Princeton Review's CEO said, "As soon as I found out about [the] security issue, we acted immediately to shut down any access to [the] information." (Source: nytimes.com)

There are no firm details yet on how many files were left unsecured, or who may have seen them during the seven weeks they were apparently viewable. It appears the rival firm found the files by simply guessing at a web address, though some of the relevant pages were indexed by search engines.

Security experts have pointed to several underlying problems that were exposed by the glitch in transferring to the new Internet provider. In particular, confidential information should have been stored on a separate server from less restricted details. Furthermore, the seven-week gap suggests the company wasn't paying enough attention to monitoring and reviewing its security measures.
