Educational Dissertation Puts 17,036 K-12 Students at RiskFOR IMMEDIATE RELEASE: October 2, 2007 UPDATED: July 10, 2008
Media Contact: Aaron Titus
FRANKLIN, Tennessee. On August 28, 2007 the Liberty Coalition discovered three files on a personal website containing sensitive personal information for for about 17,000 Tennessee K-12 students and the names of several hundred teachers. The files were deleted and the website (http://tnweb.org/) was taken down within hours after notification.
The files were placed online as a part of a Longitudinal Dissertation by Williamson County Schools employee, Christopher Nugent, who had used the website as a temporary method to transfer files between computers. According to Nugent, the website never contained direct links to the files, and Mr. Nugent believed that the files had been encrypted during transfer. He mistakenly believed that the files had been deleted after he transferred the files to the other computer.
During his dissertation work, Mr. Nugent generated random IDs and purged names before working on the data set, to ensure privacy. He was shocked to find that Google had indexed the original files, and acted immediately to take down the website and alert search engines to clear their caches. In an e-mail to the Liberty Coalition, Mr. Nugent expressed his dismay, "Because I believe that the privacy of every individual is of the up most importance, I cannot express to you enough that I believed I had taken every precaution to maintain strict security procedures and secure all information."
One file contained the Grade Levels, Elementary School, Teacher's Name, Student's Birth Date, Student's Full Name, Student's Gender, and Test Scores for about 11,789 students. Another file contained the Grade Levels, Elementary School Names, Social Security Numbers, Students' Full Name, Gender, and test scores for roughly 2,247 elementary school students. The file also contained the names of several hundred teachers. A third file contained the names, social security numbers, and composite scores for approximately 3,000 K-12 students.
The Liberty Coalition independently notified the FBI of the breach, but has received no response to date. Google cleared its caches by October 2, 2007, after efforts by Mr. Nugent and the Liberty Coalition.
The Liberty Coalition issued a press release announcing the breach on October 2, 2007 and contacted statewide media. Nearly one year after the original breach, the Williamson County Schools Attorney, and WKRN independently contacted the Liberty Coalition for more information. The same day, July 9th, 2008, WKRN published a story about the breach. We updated this press release after becoming aware of Mr. Nugent's relationship with the school district. The Liberty Coalition also worked directly with district officials to help them notify the affected individuals.
[Update: July 17, 2008] To their credit, the Williamson County Schools (WCS) posted an informative and factually accurate account of the entire incident in a comprehensive Questions and Answers document on July 16. WCS has contracted with National ID Recovery to provide counseling an fraud alerts to children whose social security number was exposed. In addition, WCS has ceased collecting social security numbers as a part of registration, and plans to purge its database of existing SSNs:
"Williamson County Schools is no longer requiring social security numbers as part of the registration process, effective immediately. All new students will be issued a Personal Identification Number (PIN). In addition, we are working with the Tennessee Department of Education on efforts to remove all existing social security numbers from the Williamson County student information system by replacing social security numbers with a student PIN."The Liberty Coalition commends the Williamson County Schools for taking such decisive action which will all but guarantee that a similar breach will not happen again in the future.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.