Hundreds of employees in the Leonia School District in Bergen County were exposed to a data breach last month when an office worker inadvertently linked their personal information to an online meeting agenda.
The Social Security numbers of about 300 teachers, custodians and administrators were exposed to the public for four days before the sensitive information was taken down, district officials told NJ Advance Media on Tuesday.
“What happened was one of the central office employees inadvertently posted a payroll document that had people’s personal information on it,” said Bryce Robins, board of education president.
Robins said the district’s central office uploads the board of education’s meeting agenda on the website each Friday before the bi-weekly meetings, which are held on the second and final Tuesday of each month.
The agenda is populated with links to documents containing information for the board and the public, such as payroll figures and the names of employees.
But what should not have been included on the May 21 agenda was a link to Social Security numbers and other sensitive data, Robins said.
“Once the central office realized its mistake, they took it down. It was four days that it was up, unfortunately. Four days too long,” Robins said.
In a letter to district employees, Robins said the board of education has requested a full report on the matter from the administration and plans to discuss the issue in closed session at a 7:30 p.m. Zoom meeting Tuesday night.
“We can only imagine the unsettling feeling of vulnerability that this experience must have caused all of you,” Robins said in the letter.
Robins said the mistake was traced back to “a central office employee in the business office” who should have posted “a different version with redactions – or (a version with) that information being completely omitted.”
The sensitive link was first accessed by a member of the public on May 24. District administrators were notified about the mistake on May 25 and the link was taken down the next day, Robins said.
Robins credited the district’s technology team for working with Google to track down the people who accessed the document.
Robins said the research showed there were nine people who accessed the document, which was first opened by a school district employee who shared it via text message with other employees.
Of the nine who accessed the document, five downloaded it and four of those individuals “were identified and have signed waivers stating that they have deleted the document from their records,” Robins said.
Since the incident, the district has offered one year of LifeLock, the identity theft protection system, available to all district employees.
The teacher’s union said in a statement on Tuesday that it was disappointed in the error “as well as the frustration our membership experienced.”
“The district has agreed to provide us with a level of security protection following this incident, and (we) hope to continue the solid working relationship we have shared with our board of education and administration,” John Sassi, president of the Leonia Education Association, said in the statement.
But some in the district weren’t sure the district was doing enough to prevent similar problems from occurring in the future. In an email to NJ Advance Media, one employee said the district should publicly reveal the extent of the breach.
“Teachers and staff are concerned that such sensitive information was able to be leaked in the first place. How easily accessible does the BOE make this information?” said the worker, who asked that his name not be used.
“Further, teachers and staff still don’t know exactly whose/which members’ information was posted, what the leaked document even looks like, or even the nature of the information posted,” the worker said.
The name of the employee who made the mistake or whether the person has been disciplined was not being released because the situation is a personnel matter, Robins said.
“It’s truly a terrible mistake. On behalf of the individual that made it, I know that they’ve been upset over it,” Robins said. “They just made a mistake, that’s the best way to put it.”
Thank you for relying on us to provide the journalism you can trust. Please consider supporting NJ.com with a subscription.
Anthony G. Attrino may be reached at [email protected]. Follow him on Twitter @TonyAttrino. Find NJ.com on Facebook.