Security audit ordered
STSCO school busing agency taking additional steps after accidental release of student personal information
The agency that co-ordinates busing for schools in the Peterborough area has arranged for a security audit after it accidentally allowed public access to a database of student contact and busing information through social media.
Joel Sloggett, CAO of Student Transportation Services of Central Ontario (STSCO), said Wednesday that the personal information of five students – including addresses and dates of birth - was breached after a posting was made to the agency’s Facebook and Twitter accounts last week.
None of the five students live in Peterborough, Sloggett said – STSCO oversees school bus transportation for 26,000 Catholic and public board students in Peterborough, Northumberland and Clarington.
Sloggett said the five files were accessed by two people – both of them parents – who realized the link to the database was likely posted in error.
The two parents had both looked at their own children’s files and both reported it to STSCO within an hour of the posting.
The first parent had clicked on their own child’s records before shutting down the database and reporting the error to STSCO, and the other clicked on their two children’s records and then clicked on two more students at random to check whether any record in the database could be breached.
Then that parent shut down the database and reported it to a school official, who immediately got in touch with STSCO.
Sloggett said the site was taken down within an hour and 45 minutes of the link being attached in error to a Twitter and Facebook posting.
The posts were meant to inform parents of a potential school bus driver strike in Bowmanville, Sloggett said; the attachment was intended to give parents further information.
But instead a link to a training document containing the dates of birth, addresses and bus routes of all 26,000 kids using STSCO services was posted – and there was no password protection.
“It should have been password protected,” Sloggett said.
STSCO immediately took down the link, he said, and a school board official is now arranging for a security audit to look at all the postings and procedures STSCO uses when managing its documents.
Sloggett said STSCO also reported the incident to the privacy commissioner, who will be expected to ensure that the public was advised and the document can no longer be accessed.
STSCO issued an apology, but many parents took to Facebook to say that wasn’t enough.
“I find this very alarming that anyone who clicked that link was able to access any child’s information, from bus stop pick up time, to location, to home address and school as well as contact information,” Theresa Perry stated.
Both the Catholic and public school boards released statements on Wednesday in reaction to the privacy breach.
The Peterborough Victoria Northumberland and Clarington Catholic District School Board stated that it takes seriously the responsibility of protecting and managing students’ personal information.
“We were alarmed and concerned about the information that was potentially made available by the Student Transportation Services of Central Ontario (STSCO) last week,” wrote communications manager Galen Eagle.
“At the current stage of the investigation, we do not have evidence that the personal information of any of our students was subject to unauthorized disclosure, however, we do know the potential existed for a period of time. As such, we will be joining our coterminous board (KPRDSB) in engaging the services of a thirdparty expert to investigate the full scope of the incident, to identify any ongoing vulnerabilities with STSCO systems and to ensure the privacy of student information is protected at all times.”
Diane Lloyd, the chairwoman of the Kawartha Pine Ridge District School Board, also issued a written statement.
“At the Kawartha Pine Ridge District School Board we take the management and care of our students’ information very seriously,” she stated.
“We share the concerns of our parents regarding the information and data that was made available by STSCO last week. We are pleased that STSCO has reported this matter to the Information and Privacy Commissioner’s office, and know that they will follow any direction from that office closely. In addition we have requested, and will ensure, that STSCO engage a third-party expert to undertake a complete audit and review of its processes and systems to ensure that the privacy of student information is maintained at all times.”