The American Institutes for Research, a major research and testing organization with a significant presence in K-12 education in the United States, suffered a serious data breach earlier this month.
After one of the organization’s servers was hacked, the sensitive personal information of as many as 6,500 current and former employees, including Social Security numbers and personal credit card information, was compromised, an AIR spokesman confirmed during an interview Monday with Education Week. No student or client information was affected.
“The breach only affected our business systems,” said Larry McQuillan, the organization’s director of public affairs. “By design, student data resides on an external information system independent from the domain that was affected.”
The Washington-based AIR has hundreds of contracts with federal, state, and local agencies, including the United States departments of agriculture, commerce, defense, education, health and human services, and more, according to the group’s website. The organization has been a major provider of both online and pencil-and-paper assessments to districts and states, including Delaware, Minnesota, and Oregon.
AIR also has contracts with the Smarter Balanced Assessment Consortium, one of two major multi-state consortia developing online assessments aligned to the new Common Core State Standards, and the organization provides educational program evaluation and value-added teacher evaluation services to a number of states and districts. It’s worth noting that AIR is currently embroiled in a dispute over a lucrative contract being awarded by the Partnership for Assessment of Readiness for College and Careers. (The executive vice president of AIR, Gina Burkhardt, is also a member of the board of Editorial Projects in Education, the publisher of Education Week.)
President and CEO David Myers alerted AIR employees to the breach via a letter dated May 14, 2014, a copy of which was obtained by Education Week.
“On Monday, May 12, 2014 we determined that unencrypted (plain text) personal information on current and former AIR employees may have been accessed through a hacking incident,” the letter reads. “At this point, we have no evidence that any information was accessed or misused.”
In addition to hiring a “digital forensics firm” to investigate the hacking, AIR is also offering free credit monitoring services to those who may have been affected, even though there is no evidence to date that any sensitive employee information was downloaded from the server.
“We’re notifying [employees] because we don’t want to wait and find out that something bad has happened,” McQuillan said.
Joseph Hawkins, an AIR employee in 1998 and 1999, was among those notified of the breach.
“I’m concerned that my own personal information was not secured,” said Hawkins, who now works as a senior study director with Westat, a research and statistical survey organization based in Rockville, Md. “Given that AIR is constantly dealing with [clients] that require the highest security and encryption, that they didn’t do that for their own employees is to me a serious issue.”