Opinion
Privacy & Security Opinion

The Cyber-Security Problem Schools and Ed. Tech Need to Face

Thousands of students had private data compromised last year. We must do better
By Joel Schwarz — January 30, 2020 5 min read
BRIC ARCHIVE

In the past year, we have seen story after story that detail breaches of educational technology vendors’ system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.

Just last month, Bethesda Magazine reported on a breach of student data held on behalf of Montgomery County public schools in Maryland by Naviance, an ed-tech provider used by middle, high school, and college students that collects students’ dates of birth, ethnicity, test scores, and other sensitive data. Far larger than initially believed, the data breach affected close to 6,000 students.

How did the hacker breach Naviance? In layman’s terms, the student hacker committed a “brute force” attack, akin to attempting to break into a house by jiggling every door and window looking for vulnerabilities. Specifically, the hacker used a script to iteratively try to log into accounts, looking for instances in which the user ID and passwords were the same, likely running the script thousands of times to get access to the almost 6,000 accounts. Unfortunately, Naviance didn’t announce the full scope of these intrusions until months later.

Even without catching these access attempts (something a good cyber-security framework would have remedied), the hacks still would have failed if Naviance had implemented better password security. The hacker exploited a vulnerability—use of the same string for user ID and password—that most websites prohibit. Because Montgomery County student IDs are accessible to all district staff and students cannot change them, only strong password policies could have protected the accounts.

Even worse, this was actually the third Naviance breach in 2019; the first was a data breach in Virginia, where a parent was mistakenly allowed access to sensitive details of 21 former students. And then, in Pennsylvania, a group of high school students gained access to more than 12,000 students’ addresses, student identification numbers, grade point averages, and SAT scores just to gain an edge in a competitive water-gun fight.

But Naviance wasn’t the only ed-tech vendor to deal with student data breaches in 2019. Last year, the ed-tech vendor Pearson confirmed that it had suffered a security breach of the system it uses to monitor academic progress, affecting approximately 13,000 school and university accounts. Each account held by a school district provided access to potentially thousands of students’ names, birth dates, and email addresses. And like Naviance, Pearson didn’t detect the breaches until months after they occurred. Moreover, the Pearson breach included student data dating back to 2008, meaning that had it been promptly deleted after those students were no longer enrolled, the breach would have had a far smaller impact.

Good intentions alone don't protect our children's personally identifying information."

Last year also saw a breach of student data through a K12 Inc. learning software application used by more than 500 school districts, which left the personal records of 19,000 students exposed on an unsecured cloud server.

Most significantly, there are a number of basic cyber-security steps that could’ve been taken to prevent these breaches, including:

• Continuous, real-time monitoring of access attempts, which would’ve detected the unsuccessful log-in attempt missed by both Naviance and Pearson;

• Strong password policies, prohibiting the use of the same value for both user ID and password;

• Regular compliance monitoring to include spot checks and audits to identify repeated access attempts, repeated accesses of different accounts from the same IP address, unauthorized accesses, and violations of password policies. This could’ve likely prevented the breaches at all three ed-tech vendors;

• Timely deletion of student data when it is no longer needed to fulfill the business purpose; and

• Maintenance of data in a secure, password-protected environment which is encrypted at rest, so even if stolen, it’s indecipherable.

These items are already covered in many cyber-security frameworks currently available, such as the National Institute of Standards and Technology’s Cybersecurity Framework which has been widely adopted by the private sector.

Finally, it’s worth noting that of the three vendors discussed, only Naviance took the Future of Privacy Forum’s Student Privacy Pledge, agreeing to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks—such as unauthorized access or use, or unintended or inappropriate disclosure.” In other words, two of the three ed-tech vendors were not even willing to commit to security precautions that could’ve prevented the breaches discussed above.

Then again, good intentions alone don’t protect our children’s personally identifying information. Even though Naviance took the pledge, they clearly failed to abide by it, highlighting the ultimate shortcoming of the pledge and an urgent need for greater accountability.

With or without the Student Privacy Pledge, the only way to truly ensure the privacy and security of our children’s information is for ed-tech vendors to put their money where their mouths are and implement stronger security controls. Likewise, vendors need to implement a robust compliance monitoring program, including regular audits and spot checks. And they need to make the results of those reviews public, so that we can draw our own conclusions. Only through implementation of a compliance program—and transparency of the results—can ed-tech vendors begin to earn back our trust.

School districts must also do their part to help students protect themselves, such as through the use of de-identified accounts (an option that Montgomery County public schools already offers on an opt-in basis, but needs to be more widely publicized), which would minimize the harm of data breaches. School districts should also incorporate explicit compensation for students and penalties for ed-tech providers into vendor contracts, so that when a breach does occur, the vendor is held accountable.

If we do nothing, we should expect nation states to begin targeting our students through ed-tech vendors’ systems. After all, the students of today are our government leaders and captains of industry tomorrow. They are an attractive target for a country like China, for example, which has the patience and strategic focus to plan ahead.

As a parent and a cyber-security professional, I’d prefer my children’s data not go down this path. It’s up to ed-tech vendors to step up and be proactive about delivering on their obligations.

Follow the Education Week Opinion section on Twitter.

Sign up to get the latest Education Week Opinion in your email inbox.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Equity & Diversity Webinar
Culturally Relevant Pedagogy to Advance Educational Equity
Schools are welcoming students back into buildings for full-time in-person instruction in a few short weeks and now is the perfect time to take a hard look at both our practices and systems to build
Content provided by PowerMyLearning
Classroom Technology Webinar Making Big Technology Decisions: Advice for District Leaders, Principals, and Teachers
Educators at all levels make decisions that can have a huge impact on students. That’s especially true when it comes to the use of technology, which was activated like never before to help students learn
Professional Development Webinar Expand Digital Learning by Expanding Teacher Training
This discussion will examine how things have changed and offer guidance on smart, cost-effective ways to expand digital learning efforts and train teachers to maximize the use of new technologies for learning.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security Spotlight Spotlight on Lessons Learned: Digital Safety
In this Spotlight, review ways you should be approaching student and system data, discover how others teach digital safety, and more.
Privacy & Security Quiz Quiz: How Much Do You Know About Protecting Students During Remote Learning?
Quiz Yourself: What should you know about storing video content involving students?
Privacy & Security Spotlight Spotlight: Online Student Safety
In this Spotlight, assess possible digital vulnerabilities, learn how students may be partaking in digital self-harm, and more.
Privacy & Security Hackers Post 26,000 Broward School Files Online After District Doesn't Pay Ransom
Hackers who demanded up to $40 million from the Broward School District have now published nearly 26,000 files stolen from district servers.
Scott Travis, South Florida Sun Sentinel
3 min read
Image shows a glowing futuristic background with lock on digital integrated circuit.
iStock/Getty Images Plus