Major Google Drive privacy breach led to cybercrime
Google Drive is one of the most popular cloud storage services available today. To give you an idea of its popularity, Google recently said the service will soon hit the 1 billion users mark.
While not in majority, millions of school going kids – especially in the US – use the service almost on daily basis, thanks to the G Suite for Education package (which is tailor made for educational institutions).
If you have been following Google’s steps into the education market, you’d probably be aware that the search giant has been accused multiple times of unfairly collecting student data in the past 5-7 years. What’s, however, good is that the company did take some steps to appease critics.
So far so good. But what’s now coming to light is really concerning – a Springfield Public Schools (Missouri) staff member (and their family) has alleged that their official Google Drive account is backing up sensitive personal information (like passwords) without their knowledge.
The family has alleged that the Google Drive service – which is part of the G Suite for Education package that the school has enrolled for, and is hence the official cloud storage service used by the school staff and students – has been backing up majority of their private information.
This information includes browser history, Google search and YouTube queries, audio from their voice to text messages, and even passwords (for services like Amazon and even bank accounts).
Brette Hay, who works as an educator at Springfield Public Schools (SPS), made these alarming revelations at last month’s SPS board meeting. She started her presentation in a regretting tone, saying:
When I signed my contract with SPS, I did not sign my first amended rights or my children’s rights. Nor did I sign away my rights to privacy when using my personal computers, iPads, iPhones or any of my children’s personal devices during non working hours.
Brette Hay at SPS board meeting
She then went on to reveal that their SPS Google Drive has been storing all her passwords (totaling 139 in number) in plain text. Brette specifically mentioned that most of these passwords are of accounts that she only accessed from her personal devices (not the one issued by the school).
Another startling revelation she made was that after she logged into the SPS Google Drive system from a device for the first time, their data got recorded regardless of whether they were logged into the SPS Google Drive system or not.
Brette playing personal audio clippings backed up on SPS Google Drive
For 3 years, since April 14 2015 until now, SPS has been tracking everything I have been doing form my own personal devices during non working hours.
Prior to Brette, her parents – specifically her father Dr. Norman Ely – appeared at an SPS board meeting in May, wherein they explained what all the family went through because of this Google Drive privacy breach. According to them, it all started back in December when Brette noticed some password wrongdoings.
Mr Ely further noted that hacking attacks haven’t stopped since then, and Brette’s accounts and devices are still being hacked. He blamed these repeated hacks to sensitive information like IP addresses and device’s IMEI number being backed up by SPS Google Drive.
Dr. Norman Ely
Since Brette tried avoiding hackers by logging into the SPS Google Drive from her parents phone and laptops, personal data on those devices – which includes sensitive patient details (as Norman is a doctor) – also started backing up on the SPS Google Drive system.
If that wasn’t enough, the family’s credit cards were fraudulently used, and their son-in-law’s office account login details were also compromised. More info here.
It’s worth mentioning that there’s a Chrome Sync feature that Google offers as part of its G Suite for Education package. With this feature enabled, things like browsing history, bookmarks, and passwords get synced to servers, so users can “get to them on any device by signing in with their Google account,” the company says.
However, what makes this SPS case alarming is that such personal information is being backed up regardless of the device and browser being used. Here’s what Brette had said at one point:
My voice to text was being stored as well as any search my kids did, and I could say ‘sure my daughter was searching on Google,’ but my phone uses Safari
What SPS says?
For its part, Springfield Public Schools said their system is safe and there is no information on any such breach.
We believe that our data systems remain safe and secure. In reviewing the concerns brought forward, no data breach has been identified within the SPS system, nor are we aware of any personal information on our servers beyond the appropriate staff and student information provided to the district. We want to assure our community that SPS will always support any investigation into allegations, such as these, in order to address concerns. SPS is committed to doing all that is necessary to keep our staff and students safe and secure
What this means for Google?
Although police investigations have pointed towards the SPS system as origin of hacking attacks, the case isn’t settled yet.
If it’s proved that the Google Drive system is at fault, it would not only be a major embarrassment for the company, but a big blow to the trust that the education sector had reposed in Google.
PiunikaWeb is a unique initiative that mainly focuses on investigative journalism. This means we do a lot of hard work to come up with news stories that are either ‘exclusive,’ ‘breaking,’ or ‘curated’ in nature. Perhaps that’s the reason our work has been picked by the likes of Forbes, Engadget, The Verge, Macrumors, and more. Do take a tour of our website to get a feel of our work. And if you like what we do, stay connected with us on Twitter (@PiunikaWeb) and other social media channels to receive timely updates on stories we publish.