I'm betting the school had a password protected page, but failed to password protect the pages behind that page which contained sensitive info. The student's site must have linked directly to a non-password protected page. Poor website management.
If the school does not want Google searching their pages, they need to add code to the site to instruct the Google web spiders to skip the site.
If the school does not want Google searching their pages, they need to add code to the site to instruct the Google web spiders to skip the site. Yeah, it's the school's fault. Google respects robot.txt files. Actually, it's a good thing that they found out through Google, there are LOTS of other spiders that are testing web sites for security holes. Heaven knows what else got out.
Yep, happens all the time. I frequently tell people that they SHOULD NOT put any information on the web that they don't want the whole world to see, and I'm constantly shocked at the number of people who will argue the point. Web servers are PUBLIC RESOURCES. When you publish information onto the Internet, you are putting it somewhere that the whole world can view. For non-programmers, effectively protecting sensitive data online is almost impossible.
Situations like the one you described are common...people will put the "protected" files in an otherwise public folder, and then limit access to it via a password protected page. Unless you're on a Unix box with a well crafted htaccess file, that just isn't going to work. All it takes is ONE person or ONE web page to link into your "protected" folder, and the security will be irreparably broken. It's the security equivalent of sticking a key under your doormat.
I once visited a webpage that had customer data hidden behind a "secure" login. The routine was written in Javascript, and was entirely client side. When I caught what they were doing, I was all set to get the password from the source code (hey, it's on my computer, it's perfectly legal for me to read it) and send the webmaster a flaming email, but when I looked at the code I found an even dumber mistake...the code contained the actual URL of the "protected" pages". I copied it into my browser, hit enter, and read this wonderful list of fairly sensitive client documents. That kind of stupidity was staggering.