Princeton Review Exposes Thousands of Students’ Personal Info

For nearly two months, thousands of The Princeton Review’s private files, including folders containing the company’s and test-takers’ personal data, were unintentionally made accessible to anyone with an Internet connection, according to an article in The New York Times (“Student Files Are Exposed on Web Site,” Aug. 18, 2008).

Digital files containing student identification information, test-preparation materials, and internal communication documents, which should have been password protected, had been listed on an easy-to-find, publicly viewable webpage ever since the test-preparatory firm switched Internet service providers in late June.

The error was discovered by a rival company while it was conducting competitive research on The Princeton Review. The rival company, which asked not to be named, provided the Times with the Web address containing the files. The Princeton Review promptly shut off access to the exposed private data on its website after the newspaper informed it of the error on Monday. It is not known how many people may have accessed the files.

Security Error Blamed On Company’s Faulty Internet Protection Practices

One of the files listed the identification information of about 34,000 Florida elementary school students, including their birthdays, ethnicities, and whether they had learning disabilities. The school system had hired The Princeton Review to build an online tool that would measure students’ academic progress.

Another 74,000 students in a Virginia school system — which had also contracted with The Princeton Review to measure and improve student performance — had their names and birth dates exposed.

The test-preparatory company’s own educational materials for the LSAT, PSAT and SAT exams, as well as its course schedules, internal instructor evaluations, and the entire texts of some of its study books like “Cracking the LSAT” were also open to the public. Another folder on the site contained digital scans of eight official SAT and PSAT exams from 2005 to 2007 that included accompanying files explaining how The Princeton Review uses older exams to create practice tests.

Mike Haro, an analyst for Sophos, an Internet security firm, says the security mishap is an indication that The Princeton Review was not following “accepted” Internet-security protocol by keeping confidential files and innocuous files on the same computers. “In this case it would have made sense for the company to separate information such as names of the students from their test scores and whatever confidential information the company had,” Haro said. “But we are finding that companies today don’t change until they experience the pain of a data breach that is exposed to the public.”
