Thousands of files of student data — including Social Security numbers, medical records and academic transcripts — were exposed to all students and employees in the DeKalb County School District’s network, according to a high school student newspaper.

Keegan Brooks, a senior at Chamblee High School who recently reported on the issue for The Blue and Gold, said he discovered the data was available while using Microsoft 365, the district’s network for email and file sharing.

He was able to access information such as academic records, course transcripts, discipline records, medical forms, Social Security numbers and standardized test scores from schools across the county, he reported.

“I was shocked,” Brooks said. “My initial reaction was, ‘Wow, this seems like a severe data security issue.’”

The district acknowledged the problem in a statement to The Atlanta Journal-Constitution. The statement said an internal investigation determined that employees were improperly handling files, making the information widely accessible.

The district did not say how many files were made available or how many students could have been affected. It has hired an outside vendor to “comprehensively evaluate the situation” to understand the extent of the issue.

“If it is determined that stakeholders had — or may have had — their information accessed by unauthorized individuals, DCSD will promptly notify those individuals as required by law,” according to the statement.

An initial audit of the district’s infrastructure found that there was no external breach of its information systems or databases, the statement said. The DeKalb school district notified families last year that their children could have been affected by a 2019 data breach. That breach was related to school nutrition technology services.

Brooks first reported the issue to district staff in March.

“More than two months later, there are still issues that are unresolved, still things that are widely accessible that shouldn’t be,” Brooks said.

“Files exposed range from the mundane to the absurd, including everything from a certificate for an elementary school’s ugly sweater contest to the safe combinations for district buildings to spreadsheets of student social security numbers,” the newspaper reported.

The district is reviewing its internal protocols and fortifying its data protection controls, according to the statement. It plans to provide training in data privacy, security and sharing procedures to all staff members.

Shortly after the student newspaper published its story this month, Brooks said he received a request from the school asking him to provide his Social Security number as part of a scholarship requirement.

“As soon as I discovered this huge data security issue, the school asked for a piece of my personal information and I just had to blindly trust them,” he said. “I just found that a little bit ironic.”