Thousands of students' personal info mistakenly e-mailed in S. Washington Co. data breach

Personal information about thousands of students and their families was sent out in a mass back-to-school e-mail by the South Washington County School District in what school officials are calling "an inadvertent employee error."

In a statement issued Thursday, the district said the e-mails sent Wednesday by its transportation department were intended to provide bus information for the coming school year. But also included was a document that revealed students' names, grades, student identification numbers, e-mail and mailing addresses, phone numbers, bus routes, pickup and drop-off times and locations, and schools of attendance.

Although some of that information is deemed public, a district statement read, some of it is private and "should not have been sent to the parents of other students in the district."

The statement did not say how many students were affected. The Woodbury Bulletin reported the number at roughly 9,600. The first day of school for grades 1-12 is Sept. 5.

An internal investigation into the mistake has begun, and at this point, "we know the disclosure was the result of an inadvertent employee error," the district statement read.

"We are now looking at what led to the error, so we can take steps to prevent similar errors from occurring in the future," the statement added. "After the investigation is completed, the district will prepare a report [that] parents may access."

As part of their statement, administrators said they would not answer media questions, including whether the district will offer free identity theft monitoring to families, as it did after an employee data breach earlier this year. Calls to school district officials were not returned.

On Thursday evening, Sen. Dan Schoen, DFL-Cottage Grove, sent a letter to his constituents that read, in part, "We live in an era in which privacy is getting more and more difficult to protect. … We must make sure that we take every caution to protect ourselves from fraud.

"Children are even at greater risk because they require our protection, and this can make it more difficult. I fully expect a thorough follow-through regarding how this happened and what can be done to make sure that we have the policies in place to ensure that this does not happen again."

In the letter, he shared the text of a letter he wrote to Jacobus and school board members about the matter.

"I hope we can get to the bottom of this issue," his letter said. "Why was this data placed in an e-mail? What are the data-privacy policies in the district? What are the proposals moving forward to ensure that something like this will never happen again?"

In February, the school district revealed it was tightening security after a high school student hacked into the district's server and took names, Social Security numbers and some addresses.

But the district said that the student — who was not identified — provided a sworn statement that no personal data was shared, copied or misused.

The district of more than 18,000 students includes all or parts of Cottage Grove, Newport, St. Paul Park, Woodbury, and Afton, Denmark and Grey Cloud Island townships, an area of 84 square miles.