Wake County Public School System: Wake student stumbles on peers' personal data. Make sure files you share are secure

Wake County Student’s Discovery Exposes School Data Security Flaws

A routine file search by Abner Sanabria Cruz, a senior at Leesville Road High School in Wake County, North Carolina, uncovered a critical vulnerability in the school district’s file-sharing system. While looking for an assignment in early 2024, Sanabria Cruz stumbled upon sensitive documents including student ID numbers, grades, attendance records, medical files, and confidential teacher notes that were accessible to unauthorized users. One teacher’s note labeled a student as “hopelessly failing.”

The exposed files, shared within the district’s network, were not the result of a hack but of misconfigured permissions, a flaw caused by users, including students and staff, who inadvertently set files to be searchable and shareable across the system. After reporting the issue to school officials, Sanabria Cruz alerted WRAL News, prompting Wake County Public Schools to address the breach within weeks. The district implemented a script to scan for and delete improperly shared files, though it remains unclear whether affected families were notified.

The incident highlights a growing risk in K-12 cybersecurity: "oversharing," where users unintentionally expose sensitive data by setting loose permissions on platforms like Google Workspace for Education and Microsoft Education. Unlike high-profile ransomware attacks, these vulnerabilities stem from human error rather than malicious intrusion. In a similar case in 2023, hackers exploited a Nevada student’s Google account to access and extort families over exposed records, leading the Clark County School District to temporarily restrict off-campus access and reset passwords. That case is now headed to trial after the district argued it was immune from liability.

Cybersecurity experts, including Doug Levin of the K12 Security Information Exchange, warn that such breaches are preventable. While file-sharing platforms default to private settings, users often intentionally or accidentally make files searchable, allowing tech-savvy individuals or even AI tools to uncover them. Levin notes that schools can mitigate risks by limiting user permissions, auditing systems regularly, and educating staff and students on secure file-sharing practices. However, he criticizes platform providers for not making stricter default settings mandatory, forcing schools to rely on third-party audits or custom scripts like Wake County’s that may delete necessary files in the process.
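One way to run the kind of regular permission audit Levin recommends without deleting anything, as an added example (not the district's script and not code from the original article): it flags grants made to a whole domain or to anyone with the link, lists searchable ones first, and revokes only those grants so the files and their named-user shares survive. The inventory is constructed, and the field names assume the Google Drive API v3 permission resource (`type`, `role`, `allowFileDiscovery`); the page does not say which platform the district uses.

```python
# Constructed inventory. Field names mirror the Google Drive API v3
# permission resource (type, role, allowFileDiscovery); all values are made up.
INVENTORY = [
    {"id": "f1", "name": "attendance_q1.xlsx", "permissions": [
        {"id": "p1", "type": "user", "role": "owner"},
        {"id": "p2", "type": "domain", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f2", "name": "nurse_notes.docx", "permissions": [
        {"id": "p3", "type": "user", "role": "owner"},
        {"id": "p4", "type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "lesson_plan.docx", "permissions": [
        {"id": "p5", "type": "user", "role": "owner"},
        {"id": "p6", "type": "group", "role": "reader"}]},
]

BROAD = {"domain", "anyone"}  # grants to an audience rather than to named people


def audit(inventory):
    """Return one finding per broad grant, searchable grants first."""
    findings = []
    for f in inventory:
        for p in f["permissions"]:
            if p["type"] in BROAD:
                findings.append({
                    "file_id": f["id"], "name": f["name"],
                    "permission_id": p["id"], "scope": p["type"],
                    "role": p["role"],
                    # Searchable grants are what a plain file search surfaces.
                    "searchable": bool(p.get("allowFileDiscovery")),
                })
    return sorted(findings, key=lambda x: (not x["searchable"], x["file_id"]))


def remediate(inventory, findings):
    """Revoke only the flagged grants; keep every file and every named grant."""
    revoke = {(x["file_id"], x["permission_id"]) for x in findings}
    return [
        {**f, "permissions": [p for p in f["permissions"]
                              if (f["id"], p["id"]) not in revoke]}
        for f in inventory
    ]


if __name__ == "__main__":
    found = audit(INVENTORY)
    for finding in found:
        print(finding)
    print(remediate(INVENTORY, found))
```

The findings list doubles as the record of which files were exposed and to what audience, which is the scope information a district would need before deciding on notification.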

Under North Carolina’s Identity Theft Protection Act, breach notifications are only required if exposed data could lead to financial fraud, leaving it unclear whether families in Wake County will be informed. The Family Educational Rights and Privacy Act (FERPA) mandates only that schools log the exposure in student records, not notify affected individuals. When questioned by WRAL, Wake County officials confirmed they received two generic reports about improperly shared files but did not specify how they verified the scope of the exposure.

The incident underscores the need for better training, stricter controls, and clearer policies in school districts. As Sanabria Cruz noted, many users, especially students, lack the technical knowledge to secure their data, placing the burden on schools to enforce safeguards. Without proactive measures, sensitive information remains at risk of accidental exposure, with potentially long-term consequences for students.

Source: https://www.wral.com/news/education/wake-student-stumbles-on-peers-personal-data-may-2026/

Wake County Public School System TPRM report: https://www.rankiteo.com/company/wake-county-schools

"id": "wak1778718254",
"linkid": "wake-county-schools",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Students and staff of Leesville '
                                              'Road High School and '
                                              'potentially other schools in '
                                              'the district',
                        'industry': 'Education (K-12)',
                        'location': 'Wake County, North Carolina, USA',
                        'name': 'Wake County Public School System',
                        'type': 'School District'}],
 'attack_vector': 'Misconfigured Permissions',
 'customer_advisories': 'Unclear if affected families were notified',
 'data_breach': {'personally_identifiable_information': 'Yes (student ID '
                                                        'numbers, grades, '
                                                        'medical files)',
                 'sensitivity_of_data': 'High (personally identifiable and '
                                        'sensitive educational/medical '
                                        'information)',
                 'type_of_data_compromised': ['Student ID numbers',
                                              'Grades',
                                              'Attendance records',
                                              'Medical files',
                                              'Confidential teacher notes']},
 'date_detected': 'early 2024',
 'description': 'A routine file search by a high school student uncovered a '
                'critical vulnerability in the Wake County Public Schools '
                'file-sharing system, exposing sensitive student and teacher '
                'data due to misconfigured permissions. The incident '
                "highlights risks of 'oversharing' in K-12 cybersecurity.",
 'impact': {'brand_reputation_impact': 'Potential reputational damage to Wake '
                                       'County Public Schools',
            'data_compromised': 'Student ID numbers, grades, attendance '
                                'records, medical files, confidential teacher '
                                'notes',
            'identity_theft_risk': 'Potential risk due to exposure of student '
                                   'ID numbers and personal records',
            'legal_liabilities': 'Unclear; district may argue immunity under '
                                 'FERPA',
            'operational_impact': 'Implementation of a script to scan and '
                                  'delete improperly shared files',
            'systems_affected': 'Wake County Public Schools file-sharing '
                                'system (Google Workspace for '
                                'Education/Microsoft Education)'},
 'investigation_status': 'Addressed; scope of exposure unclear',
 'lessons_learned': 'The incident underscores the need for better training, '
                    'stricter controls, and clearer policies in school '
                    'districts to prevent accidental data exposure due to '
                    'human error in file-sharing settings.',
 'post_incident_analysis': {'corrective_actions': 'Script to scan and delete '
                                                  'improperly shared files; '
                                                  'potential future policy '
                                                  'changes',
                            'root_causes': 'Human error in file-sharing '
                                           'settings (misconfigured '
                                           'permissions), lack of user '
                                           'awareness, insufficient default '
                                           'security controls on platforms'},
 'recommendations': ['Limit user permissions on file-sharing platforms',
                     'Conduct regular audits of system permissions',
                     'Educate staff and students on secure file-sharing '
                     'practices',
                     'Enforce stricter default settings on platforms like '
                     'Google Workspace for Education and Microsoft Education',
                     'Implement proactive measures to safeguard sensitive '
                     'information'],
 'references': [{'source': 'WRAL News'}],
 'regulatory_compliance': {'legal_actions': 'Unclear; district may argue '
                                            'immunity (similar to Clark County '
                                            'School District case)',
                           'regulations_violated': ['Family Educational Rights '
                                                    'and Privacy Act (FERPA)',
                                                    'Potential non-compliance '
                                                    'with North Carolina’s '
                                                    'Identity Theft Protection '
                                                    'Act'],
                           'regulatory_notifications': 'FERPA requires logging '
                                                       'exposure in student '
                                                       'records; no '
                                                       'requirement to notify '
                                                       'affected individuals'},
 'response': {'communication_strategy': 'Alerted WRAL News; district confirmed '
                                        'receipt of reports but did not '
                                        'specify verification scope',
              'containment_measures': 'Script implemented to scan for and '
                                      'delete improperly shared files',
              'remediation_measures': 'Addressed the breach within weeks; '
                                      'unclear if families were notified'},
 'title': 'Wake County Student’s Discovery Exposes School Data Security Flaws',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Human error in file-sharing settings (Google '
                            'Workspace for Education/Microsoft Education)'}