Find your next job fast at the Jan. 28 Virtual Career Fair. Register now.
Opinion
Privacy & Security Opinion

The Cyber-Security Problem Schools and Ed. Tech Need to Face

Thousands of students had private data compromised last year. We must do better
By Joel Schwarz — January 30, 2020 5 min read
21Schwarz Akindo Getty vs

In the past year, we have seen story after story that detail breaches of educational technology vendors’ system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.

Just last month, Bethesda Magazine reported on a breach of student data held on behalf of Montgomery County public schools in Maryland by Naviance, an ed-tech provider used by middle, high school, and college students that collects students’ dates of birth, ethnicity, test scores, and other sensitive data. Far larger than initially believed, the data breach affected close to 6,000 students.

How did the hacker breach Naviance? In layman’s terms, the student hacker committed a “brute force” attack, akin to attempting to break into a house by jiggling every door and window looking for vulnerabilities. Specifically, the hacker used a script to iteratively try to log into accounts, looking for instances in which the user ID and passwords were the same, likely running the script thousands of times to get access to the almost 6,000 accounts. Unfortunately, Naviance didn’t announce the full scope of these intrusions until months later.

Even without catching these access attempts (something a good cyber-security framework would have remedied), the hacks still would have failed if Naviance had implemented better password security. The hacker exploited a vulnerability—use of the same string for user ID and password—that most websites prohibit. Because Montgomery County student IDs are accessible to all district staff and students cannot change them, only strong password policies could have protected the accounts.

Even worse, this was actually the third Naviance breach in 2019; the first was a data breach in Virginia, where a parent was mistakenly allowed access to sensitive details of 21 former students. And then, in Pennsylvania, a group of high school students gained access to more than 12,000 students’ addresses, student identification numbers, grade point averages, and SAT scores just to gain an edge in a competitive water-gun fight.

But Naviance wasn’t the only ed-tech vendor to deal with student data breaches in 2019. Last year, the ed-tech vendor Pearson confirmed that it had suffered a security breach of the system it uses to monitor academic progress, affecting approximately 13,000 school and university accounts. Each account held by a school district provided access to potentially thousands of students’ names, birth dates, and email addresses. And like Naviance, Pearson didn’t detect the breaches until months after they occurred. Moreover, the Pearson breach included student data dating back to 2008, meaning that had it been promptly deleted after those students were no longer enrolled, the breach would have had a far smaller impact.

Good intentions alone don't protect our children's personally identifying information."

Last year also saw a breach of student data through a K12 Inc. learning software application used by more than 500 school districts, which left the personal records of 19,000 students exposed on an unsecured cloud server.

Most significantly, there are a number of basic cyber-security steps that could’ve been taken to prevent these breaches, including:

• Continuous, real-time monitoring of access attempts, which would’ve detected the unsuccessful log-in attempt missed by both Naviance and Pearson;

• Strong password policies, prohibiting the use of the same value for both user ID and password;

• Regular compliance monitoring to include spot checks and audits to identify repeated access attempts, repeated accesses of different accounts from the same IP address, unauthorized accesses, and violations of password policies. This could’ve likely prevented the breaches at all three ed-tech vendors;

• Timely deletion of student data when it is no longer needed to fulfill the business purpose; and

• Maintenance of data in a secure, password-protected environment which is encrypted at rest, so even if stolen, it’s indecipherable.

These items are already covered in many cyber-security frameworks currently available, such as the National Institute of Standards and Technology’s Cybersecurity Framework which has been widely adopted by the private sector.

Finally, it’s worth noting that of the three vendors discussed, only Naviance took the Future of Privacy Forum’s Student Privacy Pledge, agreeing to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks—such as unauthorized access or use, or unintended or inappropriate disclosure.” In other words, two of the three ed-tech vendors were not even willing to commit to security precautions that could’ve prevented the breaches discussed above.

Then again, good intentions alone don’t protect our children’s personally identifying information. Even though Naviance took the pledge, they clearly failed to abide by it, highlighting the ultimate shortcoming of the pledge and an urgent need for greater accountability.

With or without the Student Privacy Pledge, the only way to truly ensure the privacy and security of our children’s information is for ed-tech vendors to put their money where their mouths are and implement stronger security controls. Likewise, vendors need to implement a robust compliance monitoring program, including regular audits and spot checks. And they need to make the results of those reviews public, so that we can draw our own conclusions. Only through implementation of a compliance program—and transparency of the results—can ed-tech vendors begin to earn back our trust.

School districts must also do their part to help students protect themselves, such as through the use of de-identified accounts (an option that Montgomery County public schools already offers on an opt-in basis, but needs to be more widely publicized), which would minimize the harm of data breaches. School districts should also incorporate explicit compensation for students and penalties for ed-tech providers into vendor contracts, so that when a breach does occur, the vendor is held accountable.

If we do nothing, we should expect nation states to begin targeting our students through ed-tech vendors’ systems. After all, the students of today are our government leaders and captains of industry tomorrow. They are an attractive target for a country like China, for example, which has the patience and strategic focus to plan ahead.

As a parent and a cyber-security professional, I’d prefer my children’s data not go down this path. It’s up to ed-tech vendors to step up and be proactive about delivering on their obligations.

Follow the Education Week Opinion section on Twitter.

Sign up to get the latest Education Week Opinion in your email inbox.

Events

This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
How to Make Learning More Interactive From Anywhere
Join experts from Samsung and Boxlight to learn how to make learning more interactive from anywhere.
Content provided by Samsung
Teaching Live Online Discussion A Seat at the Table With Education Week: How Educators Can Respond to a Post-Truth Era
How do educators break through the noise of disinformation to teach lessons grounded in objective truth? Join to find out.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
School & District Management Webinar
The 4 Biggest Challenges of MTSS During Remote Learning: How Districts Are Adapting
Leaders share ways they have overcome the biggest obstacles of adapting a MTSS or RTI framework in a hybrid or remote learning environment.
Content provided by Panorama Education

EdWeek Top School Jobs

Human Resources Manager
Madison, Wisconsin
One City Schools
Elementary Teacher - Scholars Academy
Madison, Wisconsin
One City Schools
Special Education Teacher
Chicago, Illinois
JCFS Chicago
Communications Officer
Chattanooga, Tennessee
Hamilton County Department of Education

Read Next

Privacy & Security Sponsor How Public K-12s Can Defend Against Today’s Cyber Threats
The Multi-State Information Sharing and Analysis Center is the focal point for cyber threat prevention, protection, response, and recovery.
1 min read
Privacy & Security Spotlight Spotlight on Cybersecurity 2020
In this Spotlight, learn how educators are combatting cyberattacks and more.
Privacy & Security Schools Aren't Doing Enough to Protect Their Networks, Top Cybersecurity Official Warns
The nation's top cybersecurity official urged schools to take advantage of free federal resources for safeguarding their networks.
3 min read
Images shows a symbolic lock on a technical background.
iStock/Getty
Privacy & Security COVID-19 and Cybersecurity: 'Catastrophic Attack on Our Technology Systems'
Two large school districts have been rattled in the last week by incidents related to internet security and privacy.
7 min read
hacked IMG
Getty