Chicago Public Schools officials this week confirmed confidential student information has been improperly disclosed in yet another data breach, this time involving the recently removed principal of Ogden Elementary School.
CPS Chief Education Officer LaTanya McDade informed Ogden parents in a letter Thursday that former principal Michael Beyer improperly shared a Google Drive folder with files containing employee ratings and evaluations from last school year as well as identification numbers, grades, standardized test scores and the email addresses of numerous students.
“The disclosure of this information is unacceptable and prohibited by CPS policy and state and federal law,” McDade wrote in the letter.
The exposed information also contained students' race and special education status.
Beyer initially shared the drive without CPS authorization in August when he was still Ogden’s active principal, but the district says it didn’t learn about the sensitive information it contained until late last week.
Beyer had enabled settings on the folder allowing anyone who received a link to the drive to view its contents, according to McDade. That link has since been disabled, but not before a copy of an email containing that link was shared with a “community member” as part of a Freedom of Information Act request.
The recipient of that FOIA response posted the email and various CPS responses online, McDade said, and may have shared the link via other means before it was disabled. The district is now asking anyone who may be in possession of that information to delete it from any web pages and dispose of any documents containing the information “in a fashion that renders it unreadable, unusable, and undecipherable.”
“CPS takes its responsibility to protect personal information very seriously, and immediately after learning that personal information had been improperly shared the district acted to prevent access to the file,” CPS spokesman Michael Passman said in a statement.
“The person responsible for this disclosure has already been recommended for termination, and the district will be retraining staff members on their duty to effectively protect personal information."
Beyer denied any wrongdoing in a phone interview Friday. He says that when he shared the Google Drive, it didn’t contain any sensitive information. And he believes Ogden local school council members will back that claim.
“I disagree that there was a data breach at all,” he said. “At the time, (the drive) did not include any of that information.”
A polarizing figure who oversaw the difficult merger of Ogden and Jenner Elementary that went into effect this school year, Beyer was removed as principal in November amid allegations from the CPS Office of Inspector General that he had falsified attendance records at his school for years.
The OIG investigation revealed Beyer would unenroll students with extensive absences in order to artificially inflate his school’s attendance rate, making it appear as if those students had transferred elsewhere. CPS says it has also referred this latest incident to the OIG’s office for investigation.
The inspector general recommended Beyer for termination and he was placed on paid leave. He has since filed a lawsuit against the school district contesting his removal.
Beyer believes the sensitive information could have been inadvertently added by someone after he shared the drive or it may have been intentionally added in order to ensure his termination.
“How do they know someone didn’t hack it and set me up?” he said.
The district says there’s no information security risk posed by the release of this information, but it will be re-issuing student identification numbers for affected students out of what it says is an “abundance of caution.” Those changes, however, will not be made until the end of the school year.
In her letter, McDade says CPS deeply regrets the situation and takes family privacy “very seriously.”
“This violation of your student’s privacy is unacceptable,” she wrote.
But this isn’t the first time CPS has dealt with allegations of mishandled personal information.
In November, a former district employee was charged with multiple felonies after she allegedly downloaded and stole the personal information of 80,000 CPS workers. And in June, the district similarly apologized for an “unacceptable breach” after an employee mistakenly exposed the private data of 3,700 CPS students and families.
CPS says it has trained school leaders on Google security in order to prevent these types of incidents in the future. The district will also begin training all staff on the importance of safeguarding personal information.