Special Report
School Climate & Safety

Schools Learn Lessons From Security Breaches

By Michelle R. Davis — October 19, 2015 6 min read
  • Save to favorites
  • Print

When an employee of the Provo, Utah, school district mistakenly clicked on a phishing link in an email last year, the private data of about 500 employees were put at risk.

District officials personally went to every school and district department to meet with employees face to face and explain what occurred. The district also paid the bill for a year of credit monitoring for employees. Afterwards, the district altered its practices on sharing sensitive information to improve data security, and employees were retrained to better recognize suspicious links and other scams.

“It was a kind of learn-as-we-went-along kind of thing,” said Caleb Price, the spokesman for the 13,000-student district.

Many districts have found themselves in similar situations. They are vulnerable to outside hacking, in-house errors, and even technology gaps at companies they work with. The consequences of a data breach can be embarrassing and expensive, with the potential for costly lawsuits and other problems.

One challenge is that school systems often lack specific plans for dealing with data breaches once they occur, experts say. But in today’s climate, where major corporations like Home Depot and Target are having a difficult time fending off hackers, security experts say school districts need to prepare.

“Right now, we are at a crossroads with how to deal with data breaches,” said Amelia Vance, the director of education data and technology for the National Association of State Boards of Education. “Parents want to know the data that schools have can be protected, … but when you’re dealing with data, there’s always a level of danger.”

Lawmakers are starting to take action. Forty-seven states have data-breach laws that apply to public entities, including school districts. Many states have also passed laws or introduced bills aimed specifically at protecting education data. Some of those states—including California, New Hampshire, and Utah—have passed laws that require districts to notify students, parents, or employees if the security of personally identifiable information is compromised.

But districts are still catching up, said Dane Lancaster, the chief technology officer for the Marin County, Calif., office of education, which supports 19 area districts. Lancaster is also chairman of the Technology and Telecommunications Steering Committee of the California County Superintendents Educational Services Association, which has produced a data-privacy guidebook for districts containing a range of best practices, sample vendor contracts, and steps to take when a data breach occurs, Lancaster said.

Districts are “probably not” prepared, he said. “Many districts don’t have the resources.”

Hacking and Phishing

To help districts prevent and prepare for such data breaches, the Consortium for School Networking has developed SEND, or Smart Education Networks by Design, as a guide. It recommends a host of technical-network-security strategies to keep private data secure. The organization’s cybersecurity-planning framework also aims to help districts determine whether they have prepared adequately in areas such as technological readiness, data-breach handling when it happens, and minimizing the impact on students and employees.

Chris Paschke, the director of data privacy and security for the 86,500-student Jeffco public schools in Golden, Colo., said his district’s technology infrastructure is constantly being probed for weaknesses—students getting teachers’ passwords and hacking into the system, phishing links, and denial-of-service attacks, he said.

Anatomy of a Data Breach

The 5,400-student Mount Pleasant Independent School District in Texas experienced a data breach earlier this year that put 915 former employees’ private information, including Social Security numbers, at risk.

1. Mount Pleasant ISD is informed of its likely data breach by another school system, which had experienced something similar and found references to the Mount Pleasant district during its investigation.

2. Mount Pleasant district technology director tests school system’s technology infrastructure and determines that hackers had retrieved district data, but not through district computer systems.

3. Superintendent alerts district employees via email.

4. School leaders work with the media to inform the public.

5. District determines private employee information was likely taken by hackers through a third-party district vendor, possibly a health-care provider. Breach only affected former district employees.

6. District cooperates with investigation by FBI and U.S. Department of Homeland Security officials.

7. Even though the breach affected only former employees, the district provides all current employees with credit-monitoring services for one year, at a cost of about $36,000. (Such services were not offered to former employees, because they were too difficult to track down.)

8. District technology director provides guidance to other Texas school systems on how to prevent and handle a data breach.

Source: Mount Pleasant Independent School District

The key, he said, is to be prepared, including the drafting of a formal preparedness plan. He also said the district prioritizes what he calls “log management,” so if a security breakdown occurs, the district can track it and determine what took place. Some districts are also investing in insurance policies to cover litigation that might result from data that don’t remain private, as well as to cover the cost of cleaning up from a cyber attack, he said.

“What’s unique to our industry is balancing that need for teachers to be able to explore and be innovative and creative with technology, versus keeping kids and their data and all of our district members’ data safe,” he said.

School systems may find themselves walking a fine line when a data breach occurs, said Noelle Ellerson, the associate executive director of policy and advocacy for AASA, the School Superintendents Association. Districts need to be open about a breach to make sure they inform those affected and make sure it doesn’t appear they’re hiding anything. But before announcing an incident, school leaders also must make sure to correct the problem and seal off any other data that could be at risk, she said.

“You don’t want to sit on it and look like you’re trying to be sneaky,” Ellerson said. “But if you haven’t been able to fully address the problem, you don’t want to call attention to it.”

‘Everybody Is Vulnerable’

Having a relationship of trust in place between district leadership and the school community before an incident occurs makes a difference in that process, said Judith Saxton, the director of communications for the 5,400-student Mount Pleasant, Texas, district, which discovered a data breach in January. A district investigation determined that about 915 former employees had their private data accessed. The superintendent notified employees and the public, and the school community appeared to accept that the district was taking necessary steps to rectify the situation and protect data, Saxton said.

Though the private data accessed was only that of former employees, the district provided all employees with credit-monitoring services for a year, at a cost of $36,000, Saxton said. Since former employees were difficult to track down, district officials said they were not given credit-monitoring services.

“We were open and honest and direct,” she said. “The community here knows that if something happens, we’re going to be as transparent as possible.”

During the investigation by Mount Pleasant officials, Technology Director Noe Arzate said he discovered the district system itself had not been breached and that the incursion was likely through a third-party vendor—possibly a health-care company—that did business with the district. “To this day, we really don’t know how this data got out,” he said.

Many states, including California, provide technical expertise to districts in these situations. In the 4,000-student Southwest Licking Local district in Pataskala, Ohio, two students hacked into district data earlier this year and retrieved Social Security numbers for about 100 students. To investigate, the district used its own personnel plus technical help from the Licking Area Computer Association, which provides technical services to local districts, said district spokeswoman Paula Brunton.

The security lapse was corrected, and the breach was traced to the two students, who were expelled from the district and prosecuted by local law enforcement, Brunton said. The students whose private data were accessed were offered credit-monitoring protection. All school secretaries were equipped with a statement to provide to concerned parents, and the district went through a “refresh” with staff, having them update passwords and review proper data-security procedures, Brunton said.

“Everybody is vulnerable” to cyberattack, she said. “It’s not inevitable, but it certainly is possible.”

A version of this article appeared in the October 21, 2015 edition of Education Week as Lessons Learned From Security Breaches


This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Achievement Webinar
How To Tackle The Biggest Hurdles To Effective Tutoring
Learn how districts overcome the three biggest challenges to implementing high-impact tutoring with fidelity: time, talent, and funding.
Content provided by Saga Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Student Well-Being Webinar
Reframing Behavior: Neuroscience-Based Practices for Positive Support
Reframing Behavior helps teachers see the “why” of behavior through a neuroscience lens and provides practices that fit into a school day.
Content provided by Crisis Prevention Institute
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Mathematics Webinar
Math for All: Strategies for Inclusive Instruction and Student Success
Looking for ways to make math matter for all your students? Gain strategies that help them make the connection as well as the grade.
Content provided by NMSI

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

School Climate & Safety 25 Years After Columbine, America Spends Billions to Prevent Shootings That Keep Happening
Districts have invested in more personnel and physical security measures to keep students safe, but shootings have continued unabated.
9 min read
A group protesting school safety in Laurel County, K.Y., on Feb. 21, 2018. In the wake of a mass shooting at a Florida high school, parents and educators are mobilizing to demand more school safety measures, including armed officers, security cameras, door locks, etc.
A group calls for additional school safety measures in Laurel County, Ky., on Feb. 21, 2018, following a shooting at Marjory Stoneman Douglas High School in Parkland, Fla., in which 14 students and three staff members died. Districts have invested billions in personnel and physical security measures in the 25 years since the 1999 shooting at Columbine High School in Littleton, Colo.
Claire Crouch/Lex18News via AP
School Climate & Safety How Columbine Shaped 25 Years of School Safety
Columbine ushered in the modern school safety era. A quarter decade later, its lessons remain relevant—and sometimes elusive.
14 min read
Candles burn at a makeshift memorial near Columbine High School on April 27, 1999, for each of the of the 13 people killed during a shooting spree at the Littleton, Colo., school.
Candles burn at a makeshift memorial near Columbine High School on April 27, 1999, for each of the of the 13 people killed during a shooting spree at the Littleton, Colo., school.
Michael S. Green/AP
School Climate & Safety 'A Universal Prevention Measure' That Boosts Attendance and Improves Behavior
When students feel connected to school, attendance, behavior, and academic performance are better.
9 min read
Principal David Arencibia embraces a student as they make their way to their next class at Colleyville Middle School in Colleyville, Texas on Tuesday, April 18, 2023.
Principal David Arencibia embraces a student as they make their way to their next class at Colleyville Middle School in Colleyville, Texas, on Tuesday, April 18, 2023.
Emil T. Lippe for Education Week
School Climate & Safety 4 Case Studies: Schools Use Connections to Give Every Student a Reason to Attend
Schools turn to the principles of connectedness to guide their work on attendance and engagement.
12 min read
Students leave Birney Elementary School at the start of their walking bus route on April 9, 2024, in Tacoma, Wash.
Students leave Birney Elementary School at the start of their walking bus route on April 9, 2024, in Tacoma, Wash. The district started the walking school bus in response to survey feedback from families that students didn't have a safe way to get to school.
Kaylee Domzalski/Education Week