
D.C. accidentally uploads private data of 12,000 students - salmonet
https://www.washingtonpost.com/local/education/dc-accidentally-uploads-private-information-of-12000-students/2016/02/11/7618c698-d0ff-11e5-abc9-ea152f0b9561_story.html
======
OJFord

> determined that one person downloaded the document from
> the website. That person was part of a community
> organization that has verbally agreed to delete the
> document, Peabody said.

Fortunate that they were able to do that; considerably softens the blow.

------
jph
If any of the DC public school people want help protecting their student
records, I will donate pro-bono hours.

There's one technique that is powerful and rare, which is translucent data
access. It's ideal for identifying memberships and trends, such as "how many
students are in a class each year" while protecting personally identifying
information. A simple common example is a one-way hash function that lets an
app confirm a password without needing to store the password in plain text.
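
An added example, not part of the original comment: one way the "translucent" idea above can look for enrollment data, going slightly beyond the password case by using a keyed one-way hash (HMAC-SHA256) so that stored rows support class-size counts and membership checks without holding names or raw IDs. The key, field names, and sample rows are constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key; a real deployment would keep it outside the database.
KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed sample enrollment export (IDs and names are made up).
RAW_ROWS = [
    {"student_id": "S1001", "name": "Student A", "year": 2015, "class": "Algebra I"},
    {"student_id": "S1002", "name": "Student B", "year": 2015, "class": "Algebra I"},
    {"student_id": "S1002", "name": "Student B", "year": 2015, "class": "Algebra I"},
    {"student_id": "S1001", "name": "Student A", "year": 2016, "class": "Algebra I"},
    {"student_id": "S1003", "name": "Student C", "year": 2016, "class": "Algebra I"},
    {"student_id": "S1004", "name": "Student D", "year": 2016, "class": "Algebra I"},
]


def pseudonym(key, student_id):
    """Keyed one-way token (HMAC-SHA256) standing in for the student ID."""
    return hmac.new(key, student_id.strip().encode(), hashlib.sha256).hexdigest()


def to_translucent(key, raw_rows):
    """Keep only what trend queries need; names and raw IDs are dropped."""
    return [{"year": r["year"], "class": r["class"],
             "token": pseudonym(key, r["student_id"])} for r in raw_rows]


def class_sizes(rows):
    """Distinct students per (year, class), counted on tokens alone."""
    distinct = {(r["year"], r["class"], r["token"]) for r in rows}
    return Counter((year, cls) for year, cls, _ in distinct)


def is_enrolled(key, rows, student_id, year, cls):
    """Membership check: only a key holder can recompute the token."""
    token = pseudonym(key, student_id)
    return any(r["year"] == year and r["class"] == cls
               and hmac.compare_digest(r["token"], token) for r in rows)


ROWS = to_translucent(KEY, RAW_ROWS)

if __name__ == "__main__":
    for (year, cls), n in sorted(class_sizes(ROWS).items()):
        print(year, cls, n)
    print(is_enrolled(KEY, ROWS, "S1001", 2016, "Algebra I"))
```

The key matters because student IDs are short and guessable: an unkeyed hash of them can be reversed by hashing every candidate ID and comparing.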

~~~
smaili
Send me a ping if you're interested in helping schools with their data -
me[at]smaili.org

~~~
matt_wulfeck
How exactly are you helping schools and their data?

------
cevaris
Feel there is really no way to prevent this. This was doubtfully uploaded
knowingly (or possibly with ignorance). Data dumps occur all the time. As a
file, they can too easily be shared. For sure, the school should work on
increasing their awareness of handling secure data. But, in the end, nothing
would really prevent this from happening again.

~~~
travoc
We do SSL and content inspection of uploads to unexcepted sites to prevent
this sort of thing where I work.

~~~
PakG1
I'm completely ignorant here, but how do you do that without this?
[https://news.ycombinator.com/item?id=11042353](https://news.ycombinator.com/item?id=11042353)

Hoping to learn something, honest question.

~~~
jdavis703
I'm imagining IT has provisioned certificates on the computers under their
control that allow them to do a MITM attack on either blacklisted sites, or
non-white listed sites.

------
spike021
In my 2nd year of university the chair of the CS department shared an Excel
file via email containing the private data of all the CS students. ID numbers,
addresses, phone numbers, first/last names.

He claimed it was meant for an office assistant but somehow he blasted it to
both the BS and MS student lists. I doubt he got more than a slap on the wrist
as he remained the chair for another 2-3 years.

~~~
thaumasiotes
At my university, a publicly accessible file on the university systems listed
addresses, phone numbers, and names for all students, not just those of a
particular department. Leaking the same information in an email would have
been superfluous. Are those supposed to be secret?

~~~
spike021
I don't know, maybe they are publicly accessible with FERPA. However,
considering that some secure systems on (my) campus are pre-registered to our
names using just firstname-lastname@xyz.edu with the password being the ID, or
some other simple variation thereof, I don't feel very comfortable about it.
As much as I wish I lived in a perfect world, I don't, and so it wouldn't
surprise me that students don't think to change their original passwords to
secure ones.

------
PythonForGirls
> “Our legal department is now in touch with them to sign off legally that
> they will delete the file,” she said.

You'd have to be a fool to sign a document. This will just make you liable if
the document does get out.

