Google Blamed For Indexing Student Test Scores & Social Security Numbers
Google “hacked our
website” from The Inquirer points to
Blame game from the Hickory Record, a story about how the
Catawba County Schools in North
Carolina has gained a temporary injunction for “Google to remove any information
pertaining to Catawba County Schools Board of Education from its server and
index and alleges conversion and trespass against the corporation.” The school
blames Google for some how getting into a password protected area and indexing
the content.
Let me make this clear, Google cannot submit forms or type in usernames and
passwords. Someone at the school must of left an opening for Google. The
security hole came from possibly someone publishing the content publicly,
somehow, or by letting down the security or by posting a hyper-linked URL with
an embedded password in the URL.
I agree, Google should remove this sensitive information, which they did on
Friday after the judge issued the temporary injunction. But Google should not be
blamed for this.
Postscript From Danny: As Barry notes, this isn’t a case of Google
deserving blame. It cannot guess at a protected server’s usernames or passwords,
nor is it configured to try and hack its way in. If this information got into
Google, that’s almost certainly because it was left unprotected somehow despite
the school’s “very secure site.”
Since the school says all personal information has now been removed and is
protected, I’ll explain more at what I guess happened.
The story mentions that somehow, information from the site’s supposedly
protected DocuShare server got onto the web. OK, where is that server? The story
doesn’t say, but this search at over at Yahoo gives the likely location:
Fifth down is this:
DocuShare Authorization Error
Not Authorized. You are currently listed as Guest, which means you are not
logged in. … Password: Domain: DocuShare Catawba County. Copyright ©
1996-2003 Xerox Corporation …
docucentre.catawba.k12.nc.us/docushare/dsweb/View/Collection-1546 – 6k –
Cached – More from this site – Save
That shows you that Yahoo tried to access a protected page on the DocuShare
server at docucentre.catawba.k12.nc.us. Is this the secure server that Google
somehow managed to penetrate? Probably, given that this search shows nothing at
Google now:
site:docucentre.catawba.k12.nc.usResources
Analytics The 2023 B2B Superpowers Index
Analytics Data Analytics in Marketing
Digital Marketing The Third-Party Data Deprecation Playbook
Digital Marketing Utilizing Email To Stop Fraud-eCommerce Client Fraud Case Study
That search comes up with no matches. That’s probably because Google
responded to the complaint last Friday to remove all pages from this domain. But
since no one contacted Yahoo, there’s a good chance pages from the domain still
show over there. And in fact, that search at Yahoo currently shows 13,500
matches.
Are any of these the pages the ones with sensitive information? I did some
searches that I felt should bring up whatever the page was that Google was
finding and had no luck. This means:
Yahoo clear has some information that the school district itself
says:
This site was a DocuShare password-protected site that required all users to
log-in
No, not all users had to log-in. If that was the case, you wouldn’t see any
cached documents at all, such as
this one. Clearly, some content was accessible without being logged in —
which makes it possible that some content wasn’t properly placed behind password
protection.
Postscript 2: See our follow-up, Follow-Up: School Couldn’t Reach Google Until Injunction Filed