The largest state-run virtual school in the country revealed two major data breaches last week, the latest in a string of cybersecurity incidents affecting the nation’s students and teachers.
The exact nature of the breaches, which also involved the 34,000-student Leon County, Fla. school system, remain the subject of dispute.
In one of the breaches, the personal information of more than 368,000 students who have taken courses at the Florida Virtual School was left unsecured online for almost two years, exposing them to potential identity theft, the school said.
According to FLVS, unauthorized individuals also obtained data being transferred between FLVS and Florida’s Leon County school district, allowing them to collect the Social Security numbers, addresses, phone numbers, spouses’ names, personal contact information, and emergency contacts of more than 1,800 Leon County teachers.
“FLVS takes it obligation to protect the privacy of personal information very seriously and deeply regrets this incident,” the school said in a notice posted to its website.
Leon County school officials, however, have taken exception with some details of FLVS’s characterization of events. In a press conference Monday, superintendent Rocky Hanna said that “hackers got all the data from a single server accidentally left open,” and that Florida Virtual School is “100 percent responsible for this theft.”
Hanna said that “over 50,000 individuals” connected to Leon County schools, including both students and teachers, may have been affected.
Investigations into the incidents are still underway. Both FLVS and Leon County initiated forensic cybersecurity reviews last month, after being alerted that hackers were bragging about access to the personal information in an online forum. The parties then alerted state and federal law-enforcement agencies.
Founded in 1997, the Florida Virtual School is a public school district that serves about 6,000 full-time students. Hundreds of thousands of other students in public, private, charter, and home schools take FLVS’s online courses part-time.
The breaches were first brought to light by databreaches.net.
“There are lessons to be learned here, but they won’t be learned if there’s any cover-up or attempt to spin what happened,” the site reported in an update posted late Monday.
According to a spokesman for FLVS, the compromised student information was stored on a server that was left open, without appropriate password protection. Included were student names, dates of birth, parents’ contact information, and school-account usernames and passwords.
Cybersecurity is a rising concern for school districts and educational vendors alike. A recent survey by the Consortium for School Networking and the Education Week Research Center, for example, found that school chief technology chiefs continue to underestimate a wide range of threats, from breaches to phishing to ransomware. As a result, schools have also been slow to take the necessary steps to prevent such attacks.
FLVS is offering those who may have been impacted by the breach a year of identity-protection and fraud-monitoring services. There is no evidence that any financial information was stolen, or that anyone’s personal information has yet been used fraudulently, the school said.
“Rather than engaging in a blame game, FLVS has focused on fixing the problem, providing protection to anyone who might have been impacted, and taking action to make sure this never happens again,” spokesman Ron Hutcheson said in a statement.
This post has been updated to reflect the dispute between Florida Virtual School and the Leon County school district, including quotes from representatives of both parties and futher reaction from databreaches.net.
A version of this news article first appeared in the Digital Education blog.