However, the files I found just list one class each, with names and attendance dates, so they do not satisfy the requirements for Personally Identifiable Information which would require a name and another identifying item, such as a SSN. So public exposure of these files is not a PII breach.
However, I think these spreadsheets do violate FERPA regulations. Here is the requirement:
Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.From: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Here are the Google queries I used to find these files:
Googling for:
inurl:edu "inurl:aspx?sectionid"
inurl:edu inurl:ExportExcel
Downloads an Excel file of student data
sstrong@ciis.edu dreyna@ciis.edu security@ciis.edu web@ciis.edu
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=13&ved=0CDwQFjACOAo&url=https%3A%2F%2Fmycc.cambridgecollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3Dfb796721-d3fe-4eee-abc5-623c99494a9e%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNFeoqiDMdp_gsYYcVGC10BgOkY-2Q&sig2=15Yf666NQ8ECpwX3CflweQ&bvm=bv.57155469,d.cGU
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=14&ved=0CEMQFjADOAo&url=https%3A%2F%2Fmycc.cambridgecollege.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D43855187-886b-45b7-8525-5986c8406591%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNGfgf-7n-XPnuPDpyi-eZSLuWAteQ&sig2=i6dCf-Da1ttVNycUrbvt3g&bvm=bv.57155469,d.cGU
Downloads XLS files of student data
Deborah.Jackson@cambridgecollege.edu Regina.Robinson@cambridgecollege.edu John.Papadonis@cambridgecollege.edu
Downloads an XLS file of student data
security@carrollu.edu abuse@carrolu.edu mzens@carrollu.edu msmith@carrollu.edu skuhn@carrollu.edu
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=8&ved=0CGAQFjAH&url=http%3A%2F%2Fgullnet.endicott.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D0116f106-18d7-48a1-86f6-56af60c7cdac%26AttendanceMode%3D0&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNGB8jXJ029uNg-dxNe07l2aI4V9jA&sig2=Afbhn_bYPGXU67Izi2_S4w&bvm=bv.57155469,d.cGU
Download XLS files of student data
scarvalh@endicott.edu bdawson@endicott.edu support@endicott.edu
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=19&ved=0CGYQFjAIOAo&url=https%3A%2F%2Fportal.flsouthern.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D5cdc5856-0faf-400f-9e27-a7b1647758ef%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNFYEVS6C4HxbM3keH_Q7VZRRPX0RA&sig2=dhdRzWiBM0bCkwMRnxkTVQ
FSCJustAsk@flsouthern.edu kpawlak@flsouthern.edu vdennis@flsouthern.edu security@flsouthern.edu
Download XLS file of student data
ptsaffaras@quincycollege.edu tpham@quincycollege.edu sbossa@quincycollege.edu
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=17&ved=0CFgQFjAGOAo&url=https%3A%2F%2Fmy.smccme.edu%2FICS%2FPortlets%2FLMS%2FAttendancePortlet%2FExportExcel.aspx%3FSectionID%3D651d7e58-8281-441b-883a-4b449c407570%26AttendanceMode%3D0&ei=txaeUqq2FYH0oAT1ioDACQ&usg=AFQjCNG29RWja2_pgwQnZdQflHna1HSL9A&sig2=4GpDAmDmVMe81-M4a2lXig
Downloads Excel spreadsheets with student attendance data with no authentication
aMullen@smccme.edu mhelpdesk@smccme.edu webmaster@smccme.edu
Download XLS file of student data
marketing@umobile.edu djohnson@umobile.edu tmashburn@umobile.edu mdavis@umobile.edu
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0CEsQFjAE&url=http%3A%2F%2Fwww.usi.edu%2Ftsisc%2Fexportexcel.asp%3Faffiliation%3DA%2520%257C%2520A%2520Mechanical%2520Service%2520Inc&ei=gA2eUtSBGobpoASY3ID4Bw&usg=AFQjCNGNFcXzr8ZTZkf2ryvshFGwDjY8mg&sig2=i5ulJQ0A6ONi9hMSpTU2Ew&bvm=bv.57155469,d.cGU
Download XLS files of student data
abuse@usi.edu security@usi.edu jallen@usi.edu mmcox1@usi.edu
Downloads an XLS file of student data
help@myunion.edu press@myunion.edu security@myunion.edu
Downloads Excel spreadsheets with student attendance data with no authentication
records@colum.edu skauffman@colum.edu clientservices@colum.edu security@colum.edu
Downloads Excel spreadsheets with student attendance data with no authentication
support@setonhill.edu security@setonhill.edu
To: sstrong@ciis.edu dreyna@ciis.edu security@ciis.edu web@ciis.edu Deborah.Jackson@cambridgecollege.edu Regina.Robinson@cambridgecollege.edu John.Papadonis@cambridgecollege.edu security@carrollu.edu abuse@carrolu.edu mzens@carrollu.edu msmith@carrollu.edu skuhn@carrollu.edu scarvalh@endicott.edu bdawson@endicott.edu support@endicott.edu FSCJustAsk@flsouthern.edu kpawlak@flsouthern.edu vdennis@flsouthern.edu security@flsouthern.edu ptsaffaras@quincycollege.edu tpham@quincycollege.edu sbossa@quincycollege.edu aMullen@smccme.edu mhelpdesk@smccme.edu webmaster@smccme.edu marketing@umobile.edu djohnson@umobile.edu tmashburn@umobile.edu mdavis@umobile.edu abuse@usi.edu security@usi.edu jallen@usi.edu mmcox1@usi.edu help@myunion.edu press@myunion.edu security@myunion.eduException: Columbia was accidentally included in my SQLi notifications, and moved to this list later, as #11. Seton added as #12 the same way.Subject: Student Data Exposed on the Internet
Hello:
I am Sam Bowne, an Instructor in Computer Networking and Information Technology at City College San Francisco.
Your web site allows one or more attendance spreadsheets to be downloaded by anyone from the Internet.
Please alert your webmaster. Feel free to contact me if I can be of any assistance.
If you could, please tell me what software you are using to create these files, because, as you can see below, several colleges have the same problem.
Complete details are pasted below.
--------- Forwarded message ----------
From: Uthe, Christopher
Date: Wed, Dec 4, 2013 at 5:46 PM
Subject: [ICS-A] FW: Security Patch Released
To: ICS-A@lists.jenzabar.net
All-
It has come to our attention that customers could inadvertently allow the attendance report (within e-Racer and eLearning) to be viewable by guest users. While this access is extremely unlikely (due to the high level of obscurity), it is important to be aware of potential access concerns that might result from this situation.Thus, we have released an updated DLL for you to place in your Portal\Bin area which will strengthen the security and restrict access such that a user would need to be logged in with proper permissions in order to access the file. We have placed the update on the myJenzabar.net download page for both e-Racer and eLearning titled “Security Update 12/4 – LMSVERSION”.
For any customer who previously installed the recent eLearning test taking patch, you must use the Patch V7 to get this update (so as not to break your test taking updates.) If your current version is not listed with a patch file or if you would like to discuss this further, please feel free to contact me directly.
We will be posting an updated eLearning 1.1 installer to include this fix tomorrow, if you have downloaded but not installed eLearning 1.1 please re-download when you see a note that it has been updated to address this.
Thanks-
Chris Uthe
Product Manager, JICS & eLearning
Jenzabar, Inc.
101 Huntington Avenue, Suite 2200 | Boston, MA 02199
tel: 617.221.4444 cell: 605.291.2217 fax: 617.492.9081
christopher.uthe@jenzabar.net
www.jenzabar.com