California’s wide-open educational software reveals personal info

From Nanette Asimov’s “Software glitch reveals private data for thousands of state’s students” (San Francisco Chronicle: 21 October 2005):

The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox. …

San Francisco administrators immediately shut down access to the service, called OARS — Online Assessment Reporting System — after a reporter phoned and said she had been able to access student information for all the children in two middle-school classes where the teachers had not yet changed their passwords. …

Most of the 96 districts statewide that use the system are in Southern California and the Central Valley. …

“We have confidence in the professionalism of our teachers” not to share their passwords, Bradshaw said.

But told how simple it was to gain access to the student records of any teacher who had not yet changed to a unique password, the administrators said they planned to make sure teachers did so.

“We will definitely monitor that,” Quinn said. “We don’t want anyone getting into student information.”
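The monitoring the administrators describe can be done by checking which accounts still verify against the issued generic password, and by refusing data access until it has been changed. The sketch below is an added example, not part of the article and not OARS code; the account layout, function names and sample password are all hypothetical.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def provision(username, issued_password):
    """Create an account in the state the article describes: issued password, not yet changed."""
    salt, digest = hash_password(issued_password)
    return {"user": username, "salt": salt, "hash": digest, "must_change": True}

def change_password(account, new_password, issued_password):
    if new_password == issued_password:
        raise ValueError("new password must differ from the issued one")
    account["salt"], account["hash"] = hash_password(new_password)
    account["must_change"] = False

def login(account, password):
    """Return 'denied', 'change_required' or 'ok'. Only 'ok' may read student records."""
    if not verify(password, account["salt"], account["hash"]):
        return "denied"
    return "change_required" if account["must_change"] else "ok"

def audit_default_passwords(accounts, issued_password):
    """List accounts whose stored hash still matches the issued generic password."""
    return [a["user"] for a in accounts if verify(issued_password, a["salt"], a["hash"])]

# Constructed sample data: three hypothetical accounts, one of which has been changed.
GENERIC = "Welcome2005"  # constructed placeholder, not a real credential
accounts = [provision(u, GENERIC) for u in ("teacher_a", "teacher_b", "teacher_c")]
change_password(accounts[1], "a unique passphrase 41!", GENERIC)

if __name__ == "__main__":
    print(audit_default_passwords(accounts, GENERIC))
    print(login(accounts[0], GENERIC), login(accounts[1], "a unique passphrase 41!"))
```

With the `change_required` state enforced, knowing a user name and the generic password is no longer enough to read student records; the audit covers accounts created before that rule existed.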