
Data Breach in NYC Schools: Refine Data Access to SaaS Applications

We’ve written about how the security vulnerabilities of SaaS applications are not fully appreciated, even by IT professionals. Imagine now trying to persuade a layman that there’s been a data breach through an organization’s commonly used SaaS app. Imagine further that the people sounding the alarm are a couple of high school students. Do you think the message is going to get through?

If you answered “nope,” you’re right. As a result, sensitive information regarding New York City’s public schools remained exposed for months – until the students raised the issue again.

That’s the story reported recently by Chalkbeat, a publication focused on educational matters. The students, from Brooklyn Tech High School, discovered in August 2020 that the Google Drive the district used to store records was not properly configured to prevent access to records that should have remained private. Initially, the visible documents were nothing particularly sensitive – sign-up sheets for parent-teacher conferences, second graders’ classwork, and college recommendation letters. 

After they presented their findings to an administrator, they thought the matter was settled. But they checked again the following March, only to discover that now they could see such documents as records of teacher Social Security Numbers, phone numbers, addresses and pay information. They finally got action when they reached one of the teachers and said, “I have your Social Security Number.”

That prompted the district administration to wake up and take action, but not before exposing the personal information of some 3,000 students and 100 employees.

What went wrong?

Technically, this is not a complicated issue. The Google Drive that was vulnerable had not been configured properly to limit access. Eventually, the district curtailed access to the documents that shouldn’t have been visible to begin with. 

Still, Google Drive doesn’t provide the flexibility that school administrators, or any other users, would want when granting access to files. There are three choices: make them public, make them accessible to anyone with a link, or restrict access to selected individuals. An administrator might want to share files with one department, such as the HR department that needs to keep track of employee information, but not with teachers or students. Or they might want to share with an identified group, such as the second-grade parents looking for those sign-up sheets. Google Drive doesn’t provide that granularity or flexibility, which, as we have said, is a limitation of the controls in many SaaS applications.

With options this limited in Drive and similar widely used applications, it would hardly be shocking if a similar situation arose again.

A better approach

No SaaS administrators, security personnel or IT administrators should rely on notification from high school students – or users of any sort – to become informed of a breach. That should be an automated message, driven by a platform with enough sophistication to determine the vulnerability and shut it down quickly. On the flip side, the security measures should not be so strict as to prevent normal business operations, including sanctioned collaboration via sanctioned SaaS applications. That is, policies should be readily available to balance the need for protection against the normal, expected flow of information.

And given that organizations rarely rely on just a single SaaS application these days, the platform monitoring and remediating such threats should be able to watch all the apps at once and allow administrators to remove unwanted access across one or more apps in a single action.
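As an added example, and not code from this post or from DoControl, the script below shows what the automated check described in the last two sections looks like for the Google Drive sharing modes discussed earlier (public, anyone with a link, domain-wide, named users and groups). It classifies each permission entry, tolerates sharing that policy allows (an HR group on staff records, domain-wide sharing of a sign-up sheet), flags everything else, and produces the list of revocations an automated remediation would apply. The file records, the `schools.example` domain, the group allowlist and the sensitivity keywords are all constructed for the example; the field names follow the shape of Google Drive API v3 `files.list` results requested with `fields="files(id,name,permissions(id,type,role,emailAddress,domain,allowFileDiscovery))"`, so the same functions can be pointed at real output.

```python
"""Audit Google Drive permission records for oversharing and build a revocation plan.

Added example, not the original post's or DoControl's code. The sample files,
the tenant domain, the allowed groups and the sensitivity markers are constructed;
the record layout mirrors the Drive API v3 files.list / permissions resource.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed policy for a hypothetical district tenant (assumptions, not real values).
ORG_DOMAIN = "schools.example"                       # the tenant's primary domain
ALLOWED_GROUPS = {"hr@schools.example"}              # groups allowed to hold staff records
SENSITIVE_MARKERS = ("ssn", "social security", "payroll", "salary")


@dataclass
class Finding:
    file_id: str
    file_name: str
    permission_id: str
    exposure: str   # public | anyone_with_link | domain | external_user | unapproved_group | unknown
    role: str


def classify(perm: dict) -> Optional[str]:
    """Map one Drive permission entry to an exposure class, or None when it is within policy."""
    ptype = perm.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True means the file is searchable ("public on the web");
        # False means only people holding the link can open it.
        return "public" if perm.get("allowFileDiscovery") else "anyone_with_link"
    if ptype == "domain":
        return "domain"
    if ptype == "user":
        email = perm.get("emailAddress", "")
        return None if email.endswith("@" + ORG_DOMAIN) else "external_user"
    if ptype == "group":
        return None if perm.get("emailAddress") in ALLOWED_GROUPS else "unapproved_group"
    return "unknown"


def is_sensitive(name: str) -> bool:
    """Crude content-sensitivity guess from the file name (a real platform would inspect content)."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def audit(files: list[dict]) -> list[Finding]:
    """Return one Finding for every permission that exposes a file beyond policy."""
    findings: list[Finding] = []
    for f in files:
        for perm in f.get("permissions", []):
            if perm.get("role") == "owner":
                continue                       # ownership is not a sharing grant
            exposure = classify(perm)
            if exposure is None:
                continue
            # Domain-wide sharing of ordinary material (sign-up sheets) is the
            # "normal flow of information"; domain-wide sharing of staff records is not.
            if exposure == "domain" and not is_sensitive(f["name"]):
                continue
            findings.append(Finding(f["id"], f["name"], perm["id"], exposure, perm.get("role", "")))
    return findings


def remediation_plan(findings: list[Finding]) -> list[tuple[str, str]]:
    """(fileId, permissionId) pairs to revoke. Against a live tenant each pair maps to
    service.permissions().delete(fileId=file_id, permissionId=permission_id).execute()."""
    return [(x.file_id, x.permission_id) for x in findings]


# Constructed sample mirroring the kinds of documents named in the Chalkbeat story.
SAMPLE_FILES = [
    {"id": "f1", "name": "Parent-teacher conference sign-up",
     "permissions": [
         {"id": "p1-owner", "type": "user", "role": "owner", "emailAddress": "teacher@schools.example"},
         {"id": "p1-domain", "type": "domain", "role": "reader", "domain": ORG_DOMAIN, "allowFileDiscovery": False},
     ]},
    {"id": "f2", "name": "Staff payroll and SSN roster",
     "permissions": [
         {"id": "p2-owner", "type": "user", "role": "owner", "emailAddress": "hr-admin@schools.example"},
         {"id": "p2-hr", "type": "group", "role": "writer", "emailAddress": "hr@schools.example"},
         {"id": "p2-anyone", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f3", "name": "College recommendation letter",
     "permissions": [
         {"id": "p3-owner", "type": "user", "role": "owner", "emailAddress": "counselor@schools.example"},
         {"id": "p3-ext", "type": "user", "role": "reader", "emailAddress": "parent@mail.example"},
     ]},
    {"id": "f4", "name": "2021 salary schedule",
     "permissions": [
         {"id": "p4-owner", "type": "user", "role": "owner", "emailAddress": "hr-admin@schools.example"},
         {"id": "p4-domain", "type": "domain", "role": "reader", "domain": ORG_DOMAIN, "allowFileDiscovery": True},
     ]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(f"{finding.file_name!r}: {finding.exposure} ({finding.role}) via permission {finding.permission_id}")
    print("revoke:", remediation_plan(audit(SAMPLE_FILES)))
```

The policy lives in three small tables (domain, allowed groups, sensitivity markers) so that the same audit can be strict about staff records while leaving a sign-up sheet shared with the whole district alone, which is the balance the text asks for; pointing `audit()` at a second application's permission export only requires a `classify()` for that application's sharing model.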

Guess what? Just such a platform exists today: the DoControl platform. We’ll be happy to give you a demo – there are no prerequisites for this class!

Adam Gavish is the Co-Founder and Chief Executive Officer of DoControl. Adam brings 15 years of experience in product management, software engineering, and network security. Prior to founding DoControl, Adam was a Product Manager at Google Cloud, where he led ideation, execution, and strategy of Security & Privacy products serving Fortune 500 customers. Before Google, Adam was a Senior Technical Product Manager at Amazon, where he launched customer-obsessed products improving the payment experience for 300M customers globally. Before Amazon, Adam was a Software Engineer in two successfully acquired startups, eXelate for $200M and Skyfence for $60M.

Adam is a lifetime information geek, breaking down business and technical problems into components to generate long-term learning. He loves running outdoors, playing with LEGOs with his son, and watching a good movie with his wife.

Adam holds a B.S. in Computer Science from the Academic College of Tel-Aviv Yafo and an MBA from the Johnson Graduate School of Management at Cornell University.
