Online learning company K12 exposes student data in Missouri

In a bid to expand operations in Missouri, the online learning company K12 recently distributed extensive personal information for hundreds of its students, according to state officials. 

Christopher Neale, assistant commissioner of the Missouri Department of Elementary and Secondary Education, wrote in a letter obtained by the St. Louis Post-Dispatch that the company “committed a significant data breach” as its lobbyists pushed lawmakers to loosen regulations on for-profit education companies operating during the pandemic.

Neale wrote that K12, which operates in 33 states and Washington D.C., shared a spreadsheet that contains personally identifiable information of more than 1,600 students, “most of them from Missouri.”

In a Oct. 5 deposition, Neale said the spreadsheet contained student names, dates of birth, phone numbers, parent names and addresses.

“The more I looked, scrolling to the right through the spreadsheet, the more I was surprised to find what I did,” Neale said.

Though the company has said it’s notifying those affected by the incident, a K12 attorney defended the spreadsheet.

“Although the spreadsheets include the first name and last name of individuals, the names are not in combination with any of the other pieces of information required to meet the definition of ‘Personal Information,’” wrote attorney Stephen Goldman.

Goldman said K12 also asked all of those who had received the spreadsheet to delete it and confirm that they had done so, a common practice when information falls into the wrong hands, but one that is impossible to verify.

The incident follows a much larger breach last year in which K12 left a database containing nearly 7 million student records unsecured on the public internet for more than a week.