The public website of Baltimore County Public Schools (BCPS) was found containing a major security flaw that exposed highly sensitive information on students and staff members.
The big picture
Anyone with login credentials for the BCPS One/Schoology platform, which provides students access to academic resources, is able to access the personal information of other students and staff members, as well as certain sensitive school records.
A total of around 11,400 students, parents, and staff members, who have access to the platform could view these records. It is not known for how long the records have been exposed through the platform and whether any unauthorized party gained access to it.
What data was affected?
What actions have been taken?
The Baltimore Post, which first reported on the story, contacted the IT staff at the Baltimore County Schools on Wednesday. The staff member explained that the flaw arose from a “share all” function in Microsoft Office 365 and the site’s search functionality which allowed any user to search for all the records.
Upon discovering the flaw, the district has worked with Microsoft to resolve the issue and identify any other security concerns.