A former volunteer with DeKalb County Schools was shocked by what she found when she typed her own name into Google recently – an image of her driver’s license posted online.
“I just Googled my name and I saw my driver’s license, the image … and I clicked on it thinking, ‘is this real?’” said Phylena Houde.
Houde volunteered with DeKalb County Public Schools as a room parent when her children attended school in the district. She said she had applied for a substitute teacher position – and for both roles, she needed to scan and send in a copy of her photo ID. When that image popped up in Google, she traced it back to the district website.
“When I clicked on it, I saw it was connected to DeKalb County Schools, and so I clicked on the actual web link and that’s when I saw a file with all these people’s IDs and passports,” Houde said.
Images of the personal information were uploaded into a folder on the DeKalb County Schools website. The district confirmed the folder had been online since 2016. The data was secure, as of Dec. 22, until the district's cloud-based web server crashed due to a vendor-related event. The server was restored on Dec. 24, but the crash had corrupted security software. The data was then unsecure and publicly available online until 11Alive brought it to the district's attention.
11Alive searched the folder and found that it contained over 3 thousand files dating from August 2016 through the current school year. The files were public and included subfolders for each month, with the most recent uploads posted Wednesday.
Over 2,700 of the uploaded images contained driver's licenses or government-issued IDs, including social security cards. Over 80 contained images of passports from the U.S. and other countries, along with green cards and military IDs. There were also school transcripts with social security numbers and other private data visible.
Only a few images were blurred. In those cases, it appears the person who submitted the photo to the district did it themselves.
“This is like handing over so much information on a silver platter – it’s very disconcerting,” Houde said.
The DeKalb County School District confirmed the website’s existence to 11Alive Thursday morning, and the personal information was removed within approximately one hour. However, some of the images were still searchable on Google later in the day.
To avoid drawing attention to the personal information still online, 11Alive did not publish details about the images until Friday, when the images no longer appeared in Google image search results.
Late Thursday, the DeKalb County School District released a statement to 11Alive:
“The DeKalb County School District has acted swiftly to remove online access to a limited number of photos and driver’s licenses and Social Security cards that were inadvertently accessible in a file-transfer protocol (FTP) folder of the DCSD website. The files belonged to individuals that had applied for appeals of their graduation status in both 2016 and 2017, and were uploaded to a public folder of the website instead of a secured location containing the other portions of the graduation appeals application.”
Houde submitted her information as a school volunteer and to apply for a job, so it is unclear if only those who applied for graduation status were affected. 11Alive also found paperwork requesting school transcripts in the folder. Those requests often contained full Social Security numbers.
Houde said she hasn’t worked with the district for nearly 2 years, and she’d like to know why they’re storing this information – and for how long.
“I was kind of like, in shock,” Houde said. “I really don’t think this is normal … I talked to my older daughter and said, ‘my information is on here, my driver’s license … and I think I need to call 11Alive or somebody because this doesn’t seem OK,’” she said. “It didn’t sit well with me.”
In a statement, the district apologized for any “inconvenience” the information dump caused those people who had private data posted online.
“DCSD regrets this oversight. Once the district became aware of the occurrence, the information was quarantined to determine the scope of impact. It is believed that no other private information was compromised outside of the contents of the FTP folder,” the district said.
In addition, the district said it has removed each file from its website and server, disabled the upload form and contacted Google and the website host vendor to make sure the information is scrubbed from the internet. DCSD also said it implemented additional security measures on its website.
In terms of who is accountable for posting the information online, the district told 11Alive they are currently reviewing the circumstances of the "inappropriate release" of information. The district plans to take appropriate action regarding personnel and technical issues as warranted and said its IT staff has reviewed which files were accessed online.
"The unique URL for this folder is not a common publicly-facing web address," the district said in a statement. "As a result, our analytics are showing visits to be of a very limited number." A district spokesperson told 11Alive they are now working to notify individuals who had their information accessed.
However, for those who might have seen their Social Security numbers, driver's licenses or green cards posted online – a lot of questions remain.
“They need to get the message out to pretty much everyone in the school system … I don’t know if they want to call it a breach, but it looks like a breach to me, that potentially some people’s information may have been compromised,” Houde said. “They need to do a better job of locking down personal information.”