In the past year, we have seen story after story that detail breaches of educational technology vendors' system security. These troubling incidents in which sensitive student data is compromised will only become more frequent until both technology companies and public school districts make student privacy and security a greater priority.
Just last month, Bethesda Magazine reported on a breach of student data held on behalf of Montgomery County public schools in Maryland by Naviance, an ed-tech provider used by middle, high school, and college students that collects students' dates of birth, ethnicity, test scores, and other sensitive data. Far larger than initially believed, the data breach affected close to 6,000 students.
How did the hacker breach Naviance? In layman's terms, the student hacker committed a "brute force" attack, akin to attempting to break into a house by jiggling every door and window looking for vulnerabilities. Specifically, the hacker used a script to iteratively try to log into accounts, looking for instances in which the user ID and passwords were the same, likely running the script thousands of times to get access to the almost 6,000 accounts. Unfortunately, Naviance didn't announce the full scope of these intrusions until months later.
Even without catching these access attempts (something a good cyber-security framework would have remedied), the hacks still would have failed if Naviance had implemented better password security. The hacker exploited a vulnerability-use of the same string for user ID and password-that most websites prohibit. Because Montgomery County student IDs are accessible to all district staff and students cannot change them, only strong password policies could have protected the accounts.
Even worse, this was actually the third Naviance breach in 2019; the first was a data breach in Virginia, where a parent was mistakenly allowed access to sensitive details of 21 former students. And then, in Pennsylvania, a group of high school students gained access to more than 12,000 students' addresses, student identification numbers, grade point averages, and SAT scores just to gain an edge in a competitive water-gun fight.
But Naviance wasn't the only ed-tech vendor to deal with student data breaches in 2019. Last year, the ed-tech vendor Pearson confirmed that it had suffered a security breach of the system it uses to monitor academic progress, affecting approximately 13,000 school and university accounts. Each account held by a school district provided access to potentially thousands of students' names, birth dates, and email addresses. And like Naviance, Pearson didn't detect the breaches until months after they occurred. Moreover, the Pearson breach included student data dating back to 2008, meaning that had it been promptly deleted after those students were no longer enrolled, the breach would have had a far smaller impact.
Last year also saw a breach of student data through a K12 Inc. learning software application used by more than 500 school districts, which left the personal records of 19,000 students exposed on an unsecured cloud server.
Most significantly, there are a number of basic cyber-security steps that could've been taken to prevent these breaches, including:
* Continuous, real-time monitoring of access attempts, which would've detected the unsuccessful log-in attempt missed by both Naviance and Pearson;
* Strong password policies, prohibiting the use of the same value for both user ID and password;
* Regular compliance monitoring to include spot checks and audits to identify repeated access attempts, repeated accesses of different accounts from the same IP address, unauthorized accesses, and violations of password policies. This could've likely prevented the breaches at all three ed-tech vendors;
* Timely deletion of student data when it is no longer needed to fulfill the business purpose; and
* Maintenance of data in a secure, password-protected environment which is encrypted at rest, so even if stolen, it's indecipherable.
These items are already covered in many cyber-security frameworks currently available, such as the National Institute of Standards and Technology's Cybersecurity Framework which has been widely adopted by the private sector.
Finally, it's worth noting that of the three vendors discussed, only Naviance took the Future of Privacy Forum's Student Privacy Pledge, agreeing to "maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks-such as unauthorized access or use, or unintended or inappropriate disclosure." In other words, two of the three ed-tech vendors were not even willing to commit to security precautions that could've prevented the breaches discussed above.
Then again, good intentions alone don't protect our children's personally identifying information. Even though Naviance took the pledge, they clearly failed to abide by it, highlighting the ultimate shortcoming of the pledge and an urgent need for greater accountability.
With or without the Student Privacy Pledge, the only way to truly ensure the privacy and security of our children's information is for ed-tech vendors to put their money where their mouths are and implement stronger security controls. Likewise, vendors need to implement a robust compliance monitoring program, including regular audits and spot checks. And they need to make the results of those reviews public, so that we can draw our own conclusions. Only through implementation of a compliance program-and transparency of the results-can ed-tech vendors begin to earn back our trust.
School districts must also do their part to help students protect themselves, such as through the use of de-identified accounts (an option that Montgomery County public schools already offers on an opt-in basis, but needs to be more widely publicized), which would minimize the harm of data breaches. School districts should also incorporate explicit compensation for students and penalties for ed-tech providers into vendor contracts, so that when a breach does occur, the vendor is held accountable.
If we do nothing, we should expect nation states to begin targeting our students through ed-tech vendors' systems. After all, the students of today are our government leaders and captains of industry tomorrow. They are an attractive target for a country like China, for example, which has the patience and strategic focus to plan ahead.
As a parent and a cyber-security professional, I'd prefer my children's data not go down this path. It's up to ed-tech vendors to step up and be proactive about delivering on their obligations.
Joel Schwarz is a senior principal at Global Cyber Risk, where he works as a consultant and attorney, and an adjunct professor at Albany Law School. He previously served as the Civil Liberties and Privacy Officer for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Department and the New York State Attorney General's Office, and Counsel on E-Commerce and Privacy for MetLife.