Latest student data breach exposes security lapse concerns

Latest student data breach exposes security lapse concerns

(Miss.) A breach in student testing data exposing personal information from more than 660 students across three Mississippi schools earlier this month has state education officials calling for stronger security protocols.

With districts increasingly relying on third-party storage or Cloud services to track and store student information, such instances can act as a reminder to stay diligent in keeping data secure.

Mississippi Department of Education superintendent Carey Wright was notified of the breach by Questar Assessment, Inc.–the state’s assessment vendor.

Wright called for an outside security audit, a corrective plan by the end of January and the reset of passwords to ensure no further data breaches occur.

“The MDE takes very seriously the confidentiality of student information, and any breach of our records will not be tolerated,” Wright said in a statement. “Even though this incident is isolated to a fraction of students, any type of breach is unacceptable.”

Wright said she was assured that the company was “acting swiftly to ensure Mississippi’s data remains safe and secure.”

Lawmakers have pushed for districts to emphasize student privacy policies as schools increasingly become the target of cyberattacks, with many seeking to protect state and federal assessment of data, as well as third-party service providers’ information security and data sharing activities.

According to the nonprofit Data Quality Campaign, nearly 400 bills were introduced throughout the country targeting issues of transparency, security and privacy between 2014 and 2016–though few were actually signed into law.

In recent years, districts in New Jersey, Tennessee, Delaware, New York and Michigan have all been targets of hackers installing “ransomware,” which locks stored files until a ransom is paid, at which point the files are unlocked. According to the FBI, almost 2,500 complaints about ransomware were received in 2015, costing the victims more than $24 million.

Last year in one South Carolina district, hackers made it impossible for school personnel to access email, online digital content, assessment tools or network and cloud-based storage, and gave administrators one week to pay $8,500 in Bitcoin to unlock the files.

Without the proper safeguards in place, hackers could gain access to families’ authorized bank accounts provided for child lunch plans, or health records provided to a school nurse, or to student’s Social security numbers.

Education officials in Mississippi said they were thankful that had not been the case with the Questar breach, because the education department doesn’t share addresses or Social Security numbers with the company. Still, items exposed included student names, state identification numbers, grade levels, teacher names and test results, and one student record viewed contained demographic data.

Overall, 663 student records were viewed by an unauthorized user–490 from Tupelo Middle School, 72 from Tupelo High School and 101 from Jefferson County Junior High School.

State officials said that superintendents of the affected districts will issue a letter to every student who was affected.

Questar’s chief operating officer Brad Baumgartner said that the company immediately took action to address the unauthorized access and notified the Mississippi Department of Education that two school districts had been subject to a breach in data.

“Any unauthorized access to data is unacceptable,” Baumgartner said in an emailed statement. “In addition, Questar will cooperate fully with the Mississippi Department of Education to implement requested preventative activities. Based on the actions Questar has taken in response to this event, we believe there is no ongoing impact to Questar system users.”

The Minnesota-based company, which administers Mississippi's standardized tests in English language arts and math, has since closed accounts of former employees and hired the outside auditor.