Opinion
Privacy & Security Opinion

The Cyber-Security Problem Schools and Ed. Tech Need to Face

Thousands of students had private data compromised last year. We must do better
By Joel Schwarz — January 30, 2020 5 min read
BRIC ARCHIVE
  • Save to favorites
  • Print

In the past year, we have seen story after story that detail breaches of educational technology vendors’ system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.

Just last month, Bethesda Magazine reported on a breach of student data held on behalf of Montgomery County public schools in Maryland by Naviance, an ed-tech provider used by middle, high school, and college students that collects students’ dates of birth, ethnicity, test scores, and other sensitive data. Far larger than initially believed, the data breach affected close to 6,000 students.

How did the hacker breach Naviance? In layman’s terms, the student hacker committed a “brute force” attack, akin to attempting to break into a house by jiggling every door and window looking for vulnerabilities. Specifically, the hacker used a script to iteratively try to log into accounts, looking for instances in which the user ID and passwords were the same, likely running the script thousands of times to get access to the almost 6,000 accounts. Unfortunately, Naviance didn’t announce the full scope of these intrusions until months later.

Even without catching these access attempts (something a good cyber-security framework would have remedied), the hacks still would have failed if Naviance had implemented better password security. The hacker exploited a vulnerability—use of the same string for user ID and password—that most websites prohibit. Because Montgomery County student IDs are accessible to all district staff and students cannot change them, only strong password policies could have protected the accounts.

Even worse, this was actually the third Naviance breach in 2019; the first was a data breach in Virginia, where a parent was mistakenly allowed access to sensitive details of 21 former students. And then, in Pennsylvania, a group of high school students gained access to more than 12,000 students’ addresses, student identification numbers, grade point averages, and SAT scores just to gain an edge in a competitive water-gun fight.

But Naviance wasn’t the only ed-tech vendor to deal with student data breaches in 2019. Last year, the ed-tech vendor Pearson confirmed that it had suffered a security breach of the system it uses to monitor academic progress, affecting approximately 13,000 school and university accounts. Each account held by a school district provided access to potentially thousands of students’ names, birth dates, and email addresses. And like Naviance, Pearson didn’t detect the breaches until months after they occurred. Moreover, the Pearson breach included student data dating back to 2008, meaning that had it been promptly deleted after those students were no longer enrolled, the breach would have had a far smaller impact.

Good intentions alone don't protect our children's personally identifying information."

Last year also saw a breach of student data through a K12 Inc. learning software application used by more than 500 school districts, which left the personal records of 19,000 students exposed on an unsecured cloud server.

Most significantly, there are a number of basic cyber-security steps that could’ve been taken to prevent these breaches, including:

• Continuous, real-time monitoring of access attempts, which would’ve detected the unsuccessful log-in attempt missed by both Naviance and Pearson;

• Strong password policies, prohibiting the use of the same value for both user ID and password;

• Regular compliance monitoring to include spot checks and audits to identify repeated access attempts, repeated accesses of different accounts from the same IP address, unauthorized accesses, and violations of password policies. This could’ve likely prevented the breaches at all three ed-tech vendors;

• Timely deletion of student data when it is no longer needed to fulfill the business purpose; and

• Maintenance of data in a secure, password-protected environment which is encrypted at rest, so even if stolen, it’s indecipherable.

These items are already covered in many cyber-security frameworks currently available, such as the National Institute of Standards and Technology’s Cybersecurity Framework which has been widely adopted by the private sector.

Finally, it’s worth noting that of the three vendors discussed, only Naviance took the Future of Privacy Forum’s Student Privacy Pledge, agreeing to “maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks—such as unauthorized access or use, or unintended or inappropriate disclosure.” In other words, two of the three ed-tech vendors were not even willing to commit to security precautions that could’ve prevented the breaches discussed above.

Then again, good intentions alone don’t protect our children’s personally identifying information. Even though Naviance took the pledge, they clearly failed to abide by it, highlighting the ultimate shortcoming of the pledge and an urgent need for greater accountability.

With or without the Student Privacy Pledge, the only way to truly ensure the privacy and security of our children’s information is for ed-tech vendors to put their money where their mouths are and implement stronger security controls. Likewise, vendors need to implement a robust compliance monitoring program, including regular audits and spot checks. And they need to make the results of those reviews public, so that we can draw our own conclusions. Only through implementation of a compliance program—and transparency of the results—can ed-tech vendors begin to earn back our trust.

School districts must also do their part to help students protect themselves, such as through the use of de-identified accounts (an option that Montgomery County public schools already offers on an opt-in basis, but needs to be more widely publicized), which would minimize the harm of data breaches. School districts should also incorporate explicit compensation for students and penalties for ed-tech providers into vendor contracts, so that when a breach does occur, the vendor is held accountable.

If we do nothing, we should expect nation states to begin targeting our students through ed-tech vendors’ systems. After all, the students of today are our government leaders and captains of industry tomorrow. They are an attractive target for a country like China, for example, which has the patience and strategic focus to plan ahead.

As a parent and a cyber-security professional, I’d prefer my children’s data not go down this path. It’s up to ed-tech vendors to step up and be proactive about delivering on their obligations.

Events

Ed-Tech Policy Webinar Artificial Intelligence in Practice: Building a Roadmap for AI Use in Schools
AI in education: game-changer or classroom chaos? Join our webinar & learn how to navigate this evolving tech responsibly.
Education Webinar Developing and Executing Impactful Research Campaigns to Fuel Your Ed Marketing Strategy 
Develop impactful research campaigns to fuel your marketing. Join the EdWeek Research Center for a webinar with actionable take-aways for companies who sell to K-12 districts.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Privacy & Security Webinar
Navigating Cybersecurity: Securing District Documents and Data
Learn how K-12 districts are addressing the challenges of maintaining a secure tech environment, managing documents and data, automating critical processes, and doing it all with limited resources.
Content provided by Softdocs

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security 3 Superintendents Share Cybersecurity Best Practices
Cyberattacks cause major disruptions to learning, but school districts are still struggling to put in place effective protections.
3 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security Saturn Is a New App for High Schoolers. Here’s Why It Has Educators Concerned
Saturn is billed as a time-management app, but experts see potential privacy concerns in allowing it broad access to students' schedules.
6 min read
Image of a clock, calendar, and a pencil.
Tatomm/iStock/Getty
Privacy & Security Q&A AI Is Making Data Literacy a 'Survival Skill' That Schools Must Teach, Experts Argue
A new survey found that more than two-thirds of U.S. adults don't understand how their data is being used.
4 min read
Illustration of individual carrying binary data on his back to put back into the organized background of 1s and 0s.
iStock/Getty Images Plus
Privacy & Security Nonprofit Uses Halloween Run-Up to Showcase 'Scary' Privacy Issues in Learning Apps
Selling data for targeted advertising, sharing it with third party vendors, and vague data privacy policies raise concerns, nonprofit says.
4 min read
Glowing laptop with generic apps in the background with flying bats and ghosts and floating pumpkins.
Collage via Canva