Opinion
Privacy & Security Opinion

The Cyber-Security Problem Schools and Ed. Tech Need to Face

Thousands of students had private data compromised last year. We must do better
By Joel Schwarz — January 30, 2020 5 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

In the past year, we have seen story after story that detail breaches of educational technology vendors’ system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.

Just last month, Bethesda Magazine reported on a breach of student data held on behalf of Montgomery County public schools in Maryland by Naviance, an ed-tech provider used by middle, high school, and college students that collects students’ dates of birth, ethnicity, test scores, and other sensitive data. Far larger than initially believed, the data breach affected close to 6,000 students.

How did the hacker breach Naviance? In layman’s terms, the student hacker committed a “brute force” attack, akin to attempting to break into a house by jiggling every door and window looking for vulnerabilities. Specifically, the hacker used a script to iteratively try to log into accounts, looking for instances in which the user ID and passwords were the same, likely running the script thousands of times to get access to the almost 6,000 accounts. Unfortunately, Naviance didn’t announce the full scope of these intrusions until months later.

Even without catching these access attempts (something a good cyber-security framework would have remedied), the hacks still would have failed if Naviance had implemented better password security. The hacker exploited a vulnerability—use of the same string for user ID and password—that most websites prohibit. Because Montgomery County student IDs are accessible to all district staff and students cannot change them, only strong password policies could have protected the accounts.

Even worse, this was actually the third Naviance breach in 2019; the first was a data breach in Virginia, where a parent was mistakenly allowed access to sensitive details of 21 former students. And then, in Pennsylvania, a group of high school students gained access to more than 12,000 students’ addresses, student identification numbers, grade point averages, and SAT scores just to gain an edge in a competitive water-gun fight.

But Naviance wasn’t the only ed-tech vendor to deal with student data breaches in 2019. Last year, the ed-tech vendor Pearson confirmed that it had suffered a security breach of the system it uses to monitor academic progress, affecting approximately 13,000 school and university accounts. Each account held by a school district provided access to potentially thousands of students’ names, birth dates, and email addresses. And like Naviance, Pearson didn’t detect the breaches until months after they occurred. Moreover, the Pearson breach included student data dating back to 2008, meaning that had it been promptly deleted after those students were no longer enrolled, the breach would have had a far smaller impact.

Good intentions alone don't protect our children's personally identifying information."

Last year also saw a breach of student data through a K12 Inc. learning software application used by more than 500 school districts, which left the personal records of 19,000 students exposed on an unsecured cloud server.

Most significantly, there are a number of basic cyber-security steps that could’ve been taken to prevent these breaches, including:

• Continuous, real-time monitoring of access attempts, which would’ve detected the unsuccessful log-in attempt missed by both Naviance and Pearson;

• Strong password policies, prohibiting the use of the same value for both user ID and password;

• Regular compliance monitoring to include spot checks and audits to identify repeated access attempts, repeated accesses of different accounts from the same IP address, unauthorized accesses, and violations of password policies. This could’ve likely prevented the breaches at all three ed-tech vendors;

• Timely deletion of student data when it is no longer needed to fulfill the business purpose; and

• Maintenance of data in a secure, password-protected environment which is encrypted at rest, so even if stolen, it’s indecipherable.

These items are already covered in many cyber-security frameworks currently available, such as the National Institute of Standards and Technology’s Cybersecurity Framework which has been widely adopted by the private sector.

Finally, it’s worth noting that of the three vendors discussed, only Naviance took the Future of Privacy Forum’s Student Privacy Pledge, agreeing to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks—such as unauthorized access or use, or unintended or inappropriate disclosure.” In other words, two of the three ed-tech vendors were not even willing to commit to security precautions that could’ve prevented the breaches discussed above.

Then again, good intentions alone don’t protect our children’s personally identifying information. Even though Naviance took the pledge, they clearly failed to abide by it, highlighting the ultimate shortcoming of the pledge and an urgent need for greater accountability.

With or without the Student Privacy Pledge, the only way to truly ensure the privacy and security of our children’s information is for ed-tech vendors to put their money where their mouths are and implement stronger security controls. Likewise, vendors need to implement a robust compliance monitoring program, including regular audits and spot checks. And they need to make the results of those reviews public, so that we can draw our own conclusions. Only through implementation of a compliance program—and transparency of the results—can ed-tech vendors begin to earn back our trust.

School districts must also do their part to help students protect themselves, such as through the use of de-identified accounts (an option that Montgomery County public schools already offers on an opt-in basis, but needs to be more widely publicized), which would minimize the harm of data breaches. School districts should also incorporate explicit compensation for students and penalties for ed-tech providers into vendor contracts, so that when a breach does occur, the vendor is held accountable.

If we do nothing, we should expect nation states to begin targeting our students through ed-tech vendors’ systems. After all, the students of today are our government leaders and captains of industry tomorrow. They are an attractive target for a country like China, for example, which has the patience and strategic focus to plan ahead.

As a parent and a cyber-security professional, I’d prefer my children’s data not go down this path. It’s up to ed-tech vendors to step up and be proactive about delivering on their obligations.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Achievement Webinar
How To Tackle The Biggest Hurdles To Effective Tutoring
Learn how districts overcome the three biggest challenges to implementing high-impact tutoring with fidelity: time, talent, and funding.
Content provided by Saga Education
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Student Well-Being Webinar
Reframing Behavior: Neuroscience-Based Practices for Positive Support
Reframing Behavior helps teachers see the “why” of behavior through a neuroscience lens and provides practices that fit into a school day.
Content provided by Crisis Prevention Institute
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Mathematics Webinar
Math for All: Strategies for Inclusive Instruction and Student Success
Looking for ways to make math matter for all your students? Gain strategies that help them make the connection as well as the grade.
Content provided by NMSI

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Conceptual photo of blue locks and red locks that are "unlocked" and each placed in a honeycomb grid.
BlackJack3D/Getty
Privacy & Security A New Federal Taskforce Targets Cybersecurity in Schools
The “government coordinating council" aims to provide training, policies, and best practices.
3 min read
Illustration of computer and lock.
iStock / Getty Images Plus
Privacy & Security Q&A Why One Tech Leader Prioritizes Explaining Student Data Privacy to Teachers
Jun Kim, the director of technology for an Oklahoma school district, helped build a statewide database of vetted learning platforms.
3 min read
Jun Kim, Director of Technology for Moore Public Schools, poses for a portrait outside the Center for Technology on Dec. 13, 2023 in Moore, Okla.
Jun Kim, is the director of technology for the Moore school district in Moore, Okla., He has made securing student data a priority for the district and the state.
Brett Deering for Education Week
Privacy & Security A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know
More than 4 million records held by school safety software company Raptor Technologies were left inadvertently exposed online.
5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
Nicolas Herrbach/iStock/Getty