Privacy & Security

Audit: Maryland Dept. Did Not Properly Store Data for 1.4 Million Students

By Alyson Klein — July 15, 2019 1 min read
  • Save to favorites
  • Print

The Maryland State Department of Education “inappropriately stored” personal information of 1.4 million students and more than 230,000 teachers, leaving them vulnerable to potential bad actors, according to an audit published earlier this month.

“As of June 29, 2018, we determined that separate databases for statewide student and teacher identity information held 1,430,940 unique student names and social security numbers and 233,130 unique teacher names and [social security numbers] respectively; all stored in clear text,” the audit said. “In addition, we noted that this sensitive PII was not adequately protected by other substantial mitigating controls such as the use of data loss prevention software.”

Such personally identifiable information is commonly associated with identity theft, the report said, although it did not draw the conclusion that any of the information fell into the wrong hands.

The audit, which was published by the Maryland General Assembly, found that the state did not make sure that critical applications and systems were protected against potential security risks. The state also did not have a complete information technology disaster recovery plan, the report found. And it found that the state’s malware protections were not up to snuff.

That means certain servers were running on outdated and no-longer-supported operating systems, and a number of computers hadn’t been updated with the latest release of software products that were known to have serious security-related problems, the audit noted.

The auditors recommended that the state perform a manual inventory of all its systems and delete all unnecessary personally identifiable information, plus use an encryption method to make sure the information is secure. And they asked the state to review agreements with contractors to mitigate security risks. In a response included with the audit, the state agreed to take both steps.

Cybersecurity is continually identified as a top concern, not just among state education officials but among chief technology officers. More in this story, from Education Week Marketbrief.


Related Tags:

A version of this news article first appeared in the Digital Education blog.