Springfield Public Schools in Missouri may be in the early stages of what could become an all-out employee revolt. And if they are, some employees claim that the district has no one to blame but itself for not properly securing employee, student, and parent data even after they were warned of serious privacy breaches and data security failures.
For the past few weeks, PogoWasRight has been investigating a situation first reported by Cheri Kiesecker on the Missouri Education Watchdog. The situation appeared to be a complicated one, involving an employee blowing the whistle on alleged Medicaid fraud and then finding herself stalked, with her accounts hacked by someone compromising her accounts from a district IP address in the Bentley building. But that’s just how the story begins.
In the process of investigating the hacks and identity theft, the employee, Brooke Henderson, and her sister Brette Hay, who is also employed by the district, discovered that all of their personal information — account login credentials with passwords, web sites visited, and even voice recordings of Hays’s children, had been collected and stored in their district-issued Google Drive accounts for years.
And not only was vast amounts of information being collected about them – and many other employees – without their knowledge or consent, but it was available to anyone in the district – including, presumably, an as-yet uncharged district employee who is suspected of hacking Henderson’s accounts and attempting to steal funds from her bank accounts.
To their horror, Henderson and Hay could see what they estimate as the school and personal account credentials of more than 25,000 students and employees in the district. The credentials could be viewed in plaintext and made accessible to anyone with a SPS google account.
What Henderson and Hay discovered was that anyone — any employee or student’s parent or student — who used a personal device to connect to a district-provided Google account might have had all of the personal information on their personal devices — contacts, account logins, web activity, etc. – collected and stored on the district’s Google drive without their knowledge or consent.
Did you connect to your child’s Google account from your work computer, Mommy? If so, all your work contacts and logins may be stored in your child’s Google Drive and available to district personnel in plain text.
Is your child in K-2 and using their own device for their school work because the district does not issue Chromebooks to students in early grades, Daddy? If so, you might want to check to see if all of your personal accounts and information are now stored on Google Drive and available to district personnel in plain text.
Do you have a child under 13 who is not a student in SPS but has an older sibling who is? If so, that young child’s personal information and web browsing might be stored on SPS district servers without parental consent or knowledge. And if it is, would that violate COPPA?
According to some employees, even after the district was made aware of the privacy breach, the district failed to wipe all the data it had improperly and needlessly collected on its servers, and it failed to instruct people properly as to how to prevent the problem from continuing to occur.
But if you thought it couldn’t get any worse, you thought wrong, because it could. Some patients of Cox Health might have had their protected health information collected and stored on the school district’s servers because a doctor used his own device to connect to a Google account, not knowing it would then sync his credentials and files to that drive. On his device were his login credentials to his employing health system. His device was also used to sign patient reports. Upon discovery, he immediately alerted his employer of the HIPAA situation.
As district employees and parents have become aware of this case and have checked their own accounts, some have been shocked to discover that they, too, have had their personal and sensitive information collected and shared without their knowledge or consent. Asked to estimate how many employees may have already reported similar experiences to Brooke Henderson or Brette Hay, Henderson estimated that about 100, and possibly every employee in the district will find that they have been affected the same way if and when they check their own accounts. One employee reported:
“As an SPS employee, I had students whose accounts were hacked and assignments changed. I also had some passwords from personal accounts saved on my school google account.”
Another employee wrote:
“Girls!! I just logged into my Google Drive and checked – it has ALL of my passwords saved (bank, Mercy, Apple, Amazon, etc)!! None of those accounts are tied to my Google but since I used Google on my personal device, it saved it all. Don’t be fooled by SPS garbage. This stuff tracked back 3 years ago on mine.”
As awareness grows, some employees are reportedly refusing to agree to the new district consent form — consent that the district allegedly never bothered to even request until after this case started to blow up.
Springfield Public Schools allegedly created a privsec nightmare and then failed to address it effectively. The district appears to have put its employees at risk of predictable harm and injury by requiring them to use their Google account when it was not adequately secured from cross-contamination and viewing by other employees, and they failed to provide adequate instruction and security advice to parents, students, and employees as to how to protect their personal information from being collected and stored.
FERPA, the federal law protecting the privacy of student education records, does not provide a private cause of action, i.e., parents cannot sue the district under FERPA for violating their children’s privacy or their privacy. What parents can do, however, is get together and file a massive complaint with the Family Policy Compliance Office of the U.S. Education Department and ask the department to cut off all federal funding to the school district until it remedies the problem. The federal government generally does not take such extreme measures, but it is an available remedy under the law, and in this case, if employee allegations are true, the extreme response might be appropriate.
And of course, parents might also seek other legal recourse against the district while employees might work through the NEA and/or EEOC to seek their own recourse for the breach of their privacy and/or any harm or injury they have suffered, including being disadvantaged in negotiations because the district had access to their personal information and accounts.
To help assess the scope and potential of the breach, Project Insecurity offered to take a look at the evidence. Because of the district’s (somewhat ironic) policy of not allowing employees to share login credentials, Project Insecurity had Brooke Henderson conduct a number of tests while filming the procedures and results. Their report, which is non-public at this time but was made available to PogoWasRight.org, confirms the allegations made by Henderson and Hay concerning the extent of the data collection and the fact that passwords could be viewed in plain text simply by clicking on an icon.
“It’s the worst case of cross-contamination I’ve ever seen,” one of the Project Insecurity investigators told PogoWasright.org.
PogoWasRight reached out to Springfield Public Schools for a response to some of the allegations. Claiming that this was a personnel matter and that they were therefore limited in terms of what they could say, they provided the following statement:
Statement from Springfield Public Schools:
Given that the district allegedly uses extremely poor password hygiene and tapes student IDs to the bottom of their Chromebooks, their claims about “safe and secure” strike this blogger as optimistic, at best. If they have third-party vendors reviewing their security, are they actually following their advice? I cannot imagine any reputable firm telling the district that their configuration and policies are appropriate or best practices. Indeed, the district’s claims in its statement are disputed by Project Insecurity, who responded to the district’s statement by informing PogoWasRight.org that not only did their review identify a number of security risks that are being overlooked by the district, but they have compiled a detailed report of their findings with evidence and are willing to work directly with the district to help them ensure that their systems and polices are both up-to-date and commensurate with the rapid advancement of cybersecurity threats.
Update: This post was corrected post-publication to make clear that credentials could be viewed in plain text by anyone with an SPS Google account. They were not stored on SPS’s server, as originally mis-stated.