Privacy & Security

Fla. Closes Probe Into Attacks on State Testing Without Suspects, or Leads

By Leo Doran — September 24, 2015 3 min read

By guest blogger Leo Doran

Having reached dead-ends in their pursuit of leads and suspects, Florida officials have closed their probe into a series of cyberattacks that disrupted state testing earlier this year.

In March and April, thousands of students and test proctors in Florida schools discovered they were unable to access Florida’s online state tests, encountering blank screens and problems logging into the system.

According to a Florida Department of Law Enforcement report released this month, officials quickly identified the problem as a Distibuted Denial of Service attack against the contractor administering Florida’s test, the American Institutes for Research.

Specifically, the AIR’s third-party server contractor, Rackspace, which physically houses the file server for the Florida tests in Chicago, was flooded with service requests from over 29,000 IP addresses.

State officials ultimately found that no “items associated with the test administration, including the testing instrument, test results or student information [were] compromised.”

In conjunction with the FBI, the Florida Department of Law Enforcement was able to determine that the attack was likely orchestrated from outside the United States by comparing IP addresses from previous distributed denial of service attacks.

The AIR responded to the cyber-attack by requesting that Rackspace strengthen its firewall to handle more traffic and block all foreign traffic. The vendor also coordinated distributed denial of service mitigation services between Arbor Networks (Rackspace’s security consultant) and Mandiant (another security consultant).

According to investigators, these measures proved mostly effective, as the online testing systems would be attacked again numerous times in the following months with only minor interruptions in exams reported through May.

While the investigative report failed to identify a probable motive, distributed denial of service attacks are typically intended to disrupt access to a system rather than to extract sensitive data, although occasionally these attacks are used to mask secondary assaults against a server. According to state officials in this case, the attacks did not appear to compromise any personal student or teacher information housed on school servers.

An independent report compiled by Alpine Testing Solutions for the Florida Department of Education found that between one and five percent of all state assessments were corrupted. The review also concluded that Florida’s tests were an acceptable way to measure students’ knowledge of state standards, a conclusion that was greeted with skepticsm in some quarters.

For full coverage of the Alpine report, see the recent entry in Andrew Ujifusa’s blog State Ed Watch.

Florida department of education officials say they will be pursuing liquidated damages against the AIR to compensate for the delays and disruptions.

A spokesman for the AIR declined to comment on potential damages beyond saying in a statement: “We are focused on working with the department to provide the most positive possible testing experience for Florida’s students.”

The testing vendor also expressed confidence in its strengthened security tools to counteract future attacks.

"[W]e are continually reviewing the safeguards we have in place,” the AIR said, adding that the organization “will make adjustments as necessary to make sure students have a positive testing experience.”


See also:


for the latest news on ed-tech policies, practices, and trends.

A version of this news article first appeared in the Digital Education blog.