Wake student stumbles on peers' personal data. Make sure files you share are secure

Abner Sanabria Cruz sat down at his computer to search for a school assignment. He’d given it a funny name — something that had nothing to do with the assignment — but he couldn’t quite remember what it was. Struggling to find it, the Leesville Road High School senior expanded his search within his school-provided file-sharing system. What turned up sent him on a crusade to tighten data protections across the county. 

Sanabria Cruz found documents that didn’t belong to him — documents created by other students, contact sheets for sports teams in Wake County schools.

Other records had student ID numbers, grades, attendance — even medical records. Some included notes from teachers describing students’ struggles. One note from a teacher described a student as "hopelessly failing.”

“What if this was one of my family members?” said Sanabria Cruz, who graduated from Leesville Road in January, shortly after he stumbled upon the files. “What if somebody took advantage of the information that they found? What if they leaked it, sold it? You don't know what could happen to that data.”

He reported what he found to a teacher and then to the principal. Eventually, word reached the school district that some special education records had been exposed. Sanabria Cruz reached out to WRAL, which reached out to the district. Within weeks of Sanabria Cruz finding the records that didn’t belong to him, Wake schools had fixed the problem.

The discovery was the latest to show the vulnerabilities of third-party software, illustrating how hackers can obtain sensitive student information. 

But unlike recent, high-profile education-technology hacking cases in North Carolina — in which bad actors are alleged to have broken into systems and threatened to leak student or teacher data — the weakness exposed by Sanabria Cruz was largely caused by users, including students, teachers and other school employees.

It's happened in other school districts, too.

In 2023, hackers accessed a Nevada student's school-issued Google account. Hackers were then able to view a trove of records with private student data — records for which file owners had set loose access permissions, a victim said in a lawsuit that blamed the school district for not enforcing stronger password and other security protocols. The hackers then attempted to extort parents over the files and then published many of them online in an attempt to extort the school system.

The 325,000-student Clark County School District, in Las Vegas, temporarily restricted off-campus access to Google Workspace accounts and initiated an automatic password reset. In response to the lawsuit, the school district argued that it is immune from liability in the case and that the plaintiffs didn’t provide enough evidence to support their allegations under Nevada law. The case is scheduled for jury trial early next year.

The vulnerability posed by "oversharing," as cybersecurity consultant Doug Levin calls it, is significant because of the sensitive nature of files often contained in those file-sharing systems.

School systems have long known about the sensitivity of teacher accounts and the data a teacher account could grant, he said. But the Nevada case was particularly eye-opening because it originated with a student account.

“A student account, because of oversharing, was able to access a lot of sensitive data that was not evident to many at first," said Levin, director of the K12 Security Information Exchange, a Virginia-based nonprofit organization that educates school systems on cybersecurity practices.

Tech-savvy people doing advanced searches can accidentally stumble upon the files, and there are growing artificial intelligence tools that plug into these systems and recommend related files. If a file outlining a student's medical issues is set to be available to anyone within the school or district’s file-sharing system, the tool could recommend that any user view it, even if they are not allowed by school rules to view it.

Levin says the problem isn’t just hackers — it also lies with people setting the wrong permissions on their files. Schools have the ability to limit users' ability to change those permissions and never make files findable in a search to unauthorized users. He thinks the companies that create the file-sharing systems could do more to restrict permission-setting to begin with to ensure users don't make mistakes.

Two of the most common file-sharing platforms that schools use are provided within Google Workspace for Education and Microsoft Education.

Google and Microsoft say they educate administrators on how to properly secure data.The systems allow students and staff to create files that could be accessed by another student or staff member in the school system's file-sharing network.

"If IT administrators are not careful, and users are not careful, they may be inadvertently sharing their files with all users internal to that domain, instead of restricting it to those who have a need to be able to see it," Levin said. The systems can also change from time to time, requiring IT administrators to re-examine network settings, he said.

By default, permissions are set to private, meaning files are accessible only to the user who created them.

But people often intend to share the documents they create, and many users make files shareable to others with the link and to be searchable.

But when they do both of those things, the files become viewable to anyone in the file-sharing network.

They're not necessarily easy to find. But tech-savvy people can easily stumble upon them, because they often interact with the systems in more advanced ways that can unwittingly unearth files they were never supposed to have access to.

Networks for file-sharing, shared across an entire organization, are different from someone's personal use of that same technology, Levin said. A person sharing a document from their own personal Google Drive, outside of a network, isn't necessarily making it findable to the public.

In Wake County, officials have advised teachers on how and when to restrict access to their files and created a script that crawls the system's file-sharing network to look for files with sensitive information and improper permissions. If the script finds any, it deletes them.

"We are also continuing to work on educating staff on the appropriate ways to store and share information and are working on a plan to adjust sharing permission options to ensure information is stored and shared appropriately moving forward," spokeswoman Sara Clark told WRAL News.

It’s unclear whether or how Wake could be required to inform families whose students’ records were exposed this way.

The North Carolina Department of Justice told WRAL News that the state’s Identity Theft Protection Act would require a breach notice only if records exposed could be used to access someone’s financial accounts or resources, and it’s not clear that the records exposed would qualify.

The North Carolina Department of Public Instruction and the U.S. Department of Education didn’t respond to requests for information on requirements that would apply in this scenario.

The federal Family Education Rights and Privacy Act protects student information but doesn’t require families to be notified if that information is disclosed. It requires only that a record of the exposure be made in a student’s file.

WRAL News asked the Wake County Public School System about the investigation that followed Sanabria Cruz’s discovery, including  what data may have been exposed and whether the district took note of who was affected.

The district said that they received two requests to fix records that were generic in nature and didn’t reference specific students.

When asked how they verified and investigated the claims, Wake said only that they wrote code to automatically delete sensitive files that were improperly shared.

School administrators can limit users' ability to share files by defining "target audiences," a Google spokesperson said.

Microsoft Education allows administrators to enforce similar restrictions.

Neither product makes that the default administrative setting, favoring allowing their products to be customizable instead. But files are private by default.

“We provide schools with extensive resources, including best practices for administrators on managing permissions and protecting student data.” a Google spokesperson told WRAL News in a statement. “We encourage districts to regularly review their sharing ‘audiences’ to ensure they align with their specific privacy goals.”

Both companies noted they embed security measures into their products and that they provide cybersecurity training to school systems.

“School IT administrators can set and enforce security policies, manage devices, and safeguard student and school data across their environments,” a Microsoft spokesperson wrote to WRAL News. “This administrator-led approach helps schools apply protections that align with their policies and requirements while maintaining secure digital learning experiences for students and educators.”

Levin said schools need to make sure employees know how to keep files secure, for starters.

Then they need to regularly audit their systems to make sure they're being used properly.

Numerous companies offer such services, for potentially a couple thousand dollars per year.

"Ideally folks wouldn't have to rely on a third-party tool to kind of understand software they're running in their own system," Levin said, questioning why the companies that make the networks are leaving their customers needing that outside audit.

He said a "brute force" script like what Wake County now uses to delete files would work, but he noted it could end up deleting files that employees needed.

Generally, Levin said, schools should regularly search for any documents with sensitive information that may no longer be needed, such as documents pertaining to students who graduated long ago.

Anyone with an account in any shared network, and who is creating files, should understand how they work and what different settings really mean, Levin said. They should understand that allowing a file to be searched for means it could be accessed by anyone who searches that network, he said.

"Those settings may be a little bit confusing," he said. "So in the case where it's not clear, it's probably important to reach out to the IT department to make sure that everyone is crystal clear when they are creating files or sharing files, they know exactly who is able to view them, because again, those settings may be a little bit vague and unclear, and maybe may result in oversharing."

Schools can take more action to control student accounts within these networks, too, Levin said. They can prevent the sharing of files within and outside of a network.

People should also act as though anything they're creating on a school device could be discovered and take the proper precautions to make sure it can't be, or decide not to create that file on a school device at all, Levin said. People presume a level of privacy that may not exist, he said.

"I think that that illusion of privacy… should be pierced, right? It could. It could be discovered," Levin said. "Anything that you as a student, are typing, are viewing, are saving on a school computer, may be subject to review."

If parents have concerns about the way records are kept at their school, they should talk to their school board members, he said.

Schools should remember that users may not be tech-savvy enough to protect themselves or others, said Sanabria Cruz, the recent Leesville Road graduate. Some, especially students, aren’t legally obligated to, either. They need training, he said, adding: “Some people just don’t understand how that stuff works.”