IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Data Breach Exposes Hundreds of Student Records

The personal information of Palo Alto High School students was published via a website that allowed students to see class ranking, grade-point averages and identification numbers.

(TNS) -- PALO ALTO — Personal information of hundreds of Palo Alto High students was leaked and used to create a rogue website that allowed students to see their class rank, district officials said.

The leak from the Palo Alto Unified School District’s Infinite Campus electronic locker system includes names, student identification numbers and weighted grade-point averages for Palo Alto High sophomores, juniors and seniors. The data was incorporated into a web display that enabled a student to see an individual class rank, but not an entire list of students.

The website was taken down before noon Thursday, within hours of district officials learning of it, said Derek Moore, the district’s chief technology officer.

But that quick action didn’t comfort parents worried about the disclosure of data about their kids.

“I’m absolutely concerned about it,” Palo Alto High parent Taly Katz said. “I’m generally concerned about students’ safety.”

The Infinite Campus system also includes a trove of valuable private data, including immunization and health records, report cards, schedules, family information and more. It is not yet clear how much of that was released.

Class ranking is a number that the school does not calculate, but in the hyper-competitive race for college admission, some students crave to know where they stand among their peers. The rogue “paly rankcheck” site also included info to satisfy a geek: a student’s GPA, percentile placement, standard deviation and the class’s mean GPA.

Even though the pirate website made only limited data available, the access to at least 1,500 student records was a serious digital break-in.

Data breaches of school information are on the rise — last year, there were 455 incidents, including 73 with confirmed data disclosure, according to the Verizon 2017 Data Breach Investigations Report.

K-12 schools are an inviting target because of their valuable data.

“It’s fantastic if you’re a hacker or marketer — this is golden information,” said Pam Dixon, executive director of the San Diego-based World Privacy Forum.

Twenty years ago, hackers targeted financial institutions, she noted. As banks hardened their defenses, attacks moved to the health sector, Dixon said.

Now, as hospitals sew up their security holes, schools have become a prime target, she said.

“Classrooms throughout the K-12 system can have all sorts of unsecured laptops and mobile devices,” she said, “and lots and lots of skilled little hackers.”

An overseas, free web-hosting firm that Moore declined to name posted “paly rankcheck.” Among other things, he’s concerned the site could have been engaged in phishing — a ruse to mine information from students who sign on.

“We don’t know who’s behind it and what it’s about,” Moore said. “We are worried it will pop up again somewhere else.”

The district notified parents about the data breach in an email and web posting Thursday evening.

Paly Principal Kim Diorio sent a message warning students not to submit their student record numbers to the unauthorized website — because the operator and purpose of the site were unknown — and also not to report their alleged class ranking on college applications. Paly tells colleges that it does not report student rank.

“For you to report a rank could negatively impact you in the eyes of an admissions rep. Don’t take that chance!” Diorio wrote.

The breach was the second known exposure of student information from the Palo Alto Unified School District this year. Last spring, a data security researcher was able to access student information on a backup disk of Schoolzilla, a former outside vendor, Moore said. In that case, Schoolzilla told the district that only the researcher, who was conducting a systems vulnerability analysis, was able to access the data before it was deleted, according to the district.

Moore learned of the hack Thursday morning, when Paly Principal Kim Diorio contacted him after editors of the campus online news site asked to interview her about the class-ranking site. Some students were talking about the site when school began Thursday, said William Sallomi, co-editor-in-chief of the Paly Voice. Editors-in-chief Maya Reuven and Noah Yuen posted a story before noon.

It’s not clear how many students saw the website before it was taken down, sometime before noon.

Sallomi understands the allure of the site’s information.

“Lots of people are really curious to see how they stack up to one another,” he said. But the access to private data gives him pause. “I’m not really thrilled about it.”

For two decades, Palo Alto High has purposely avoided ranking students — a practice followed by a number of high-achieving schools — in order to not further competition.

But last school year, after a contentious debate, the Palo Alto district decided its high schools would calculate weighted grade-point averages, to better position its students in college applications. That means that advanced-placement classes get extra weight in grade calculations, so that it’s possible to rack up a GPA exceeding 4.0, the maximum under the old system.

Diorio could not be reached for comment Friday. But she told the Voice, “The news that there’s now a way for students to get that information is really disturbing to me because this is really counterproductive to all that work we’ve been trying to do.

“I don’t want false information out there, I don’t want people’s privacy breached in any way, I don’t want to contribute to the climate and culture of competition among peers, which is what ranking does.”

And even if it turns out, as some believe, the hack came from within Paly, officials and privacy experts worry about the implications.

“The threat has become more sophisticated,” Dixon said. “It’s very, very hard for a school to compete with that.”

District officials ask anyone with information about the data breach to contact Moore at 650-833-4243 or dmoore@pausd.org. Information may be submitted anonymously online through the district’s feedback form at http://bit.ly/2fRKvIG.

©2017 the San Jose Mercury News (San Jose, Calif.) Distributed by Tribune Content Agency, LLC.