Privacy Breach Leaks Confidential Student Files to a Pupil's iPad

School Data Breach

Imagine that you head an organization that makes a mistake and incidentally exposes personal details of quite a few innocent individuals. It is undoubtedly an unpleasant and embarrassing experience, but people can draw a lot of conclusions about you from the way you handle the situation. Today we'll take a look at one recent privacy breach, see how the affected organization responded, and find out if this is the way to go about things.

On Friday, the Herald Sun wrote about a 14-year-old girl that attends the Manor Lakes P-12 College in Wyndham Vale, a suburb of Melbourne, Australia, who recently found some very interesting information on her iPad. The girl, which will remain unnamed, was browsing through her Google Docs folder when she uncovered extensive physical and psychological profiles of around 30 students that attend the same school.

Most of the profiles included color photos of the students in addition to details on potential health issues, whether or not there's a tendency for aggression, evidence of problems at home, a risk of self-harm, and many other things that shouldn't really be in the Google Docs folder of a 14-year-old girl.

School in Melbourne, Australia: "A 14-year-old girl hacked us!"

The girl did the right thing and told the school about it. Instead of thanking her and busying themselves with trying to understand what went wrong, the school officials pointed the finger at her.

The girl was accused of hacking, and she was repeatedly asked how the document came into her possession. When she couldn't provide a satisfactory answer, the school officials "figured it out" by themselves. They told her father that she did it when she borrowed a teacher's laptop for a school task.

Common sense: "Did she, really?"

It must be said that many of the Guy Fawkes mask enthusiasts start "hacking" into things in their teens – a period when mischief is often on the agenda anyway. Even if we presume that the 14-year-old girl fits the profile of a hacker, however, we mustn't overlook one more thing.

Apparently, not a single school official stopped for a moment to think: "If she really did steal the file, then why is she coming back to let us know about it?" This is especially strange considering the fact that there's a very simple, extremely plausible explanation that could bust the mystery wide open.

Of course, we should point out that we don't know all the details. We do know how the Google Docs tool works, though. There's a share button which lets you share certain documents either with specific people, with everyone in an organization, or with the whole world. Did someone fat-finger the Share button by any chance?

We don't know. What we do know is that after the school demanded further interrogation of the girl, her father got fed up and complained to the Australian Department of Education and Training. After an investigation, the Department apologized to the family and said that the leak was caused by human error. The girl was never at fault.

Organizations that somehow end up losing sensitive data are often under enormous pressure to figure out what happened exactly and to rectify the issue as quickly as possible. This is no excuse for jumping the gun with the attribution, especially when they're blaming a serious privacy breach on a 14-year-old student.

October 12, 2018

Leave a Reply