[BreachExchange] A (Secondary) Education in Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 9 15:20:56 EST 2018


On January 18, 2018, the New York State Education Department (“NYSED”)
announced that one of its vendors, Questar Assessment, experienced a data
breach resulting in the unauthorized disclosure of personal information
from students in five different New York schools. While the data breach
reportedly affected only a small number of students that had registered for
online testing in spring 2017, it nonetheless exposed sensitive personally
identifiable information from those students.  And despite its narrow
scope, this breach potentially threatens public (and parent) confidence in
the security of sensitive student information at a time when New York
schools are moving more and more of their activities online.

NYSED selected Questar in 2015 to “conduct the program management, test
development, online test administration, scoring, and analysis of the
state’s grades 3–8 English language arts and mathematic summative
assessments.”  Questar was contracted to develop testing materials and both
analog and digital platforms for administering those tests.  In the course
of providing these testing services, Questar was given access to and
generated a trove of data about students in New York’s secondary schools.

According to the NYSED report, sometime in January 2018, Questar “informed
the Department that an unauthorized user, whom the company suspects is a
former employee, accessed an internal Questar user account to view student
data from Dec. 30, 2017 to Jan. 2, 2018.”  The exposed data included
students’ names and New York State Student Identification numbers, as well
as school names, grade levels and teacher names.

In response to the breach, the NYSED required Questar to take specific
steps to prevent further data breaches, including: resetting user
passwords; closing former employee accounts; hiring an independent
third-party to perform a security audit of its systems and security
protocols; and providing a corrective action plan designed to prevent
future breaches to the NYSED. The NYSED also referred the matter to the New
York Attorney General’s office, which has opened an investigation.

Only 52 New York students had their information exposed, but the same
breach also reportedly affected more than 650 students in Mississippi.
Like the NYSED, the Mississippi State Superintendent demanded that Questar
conduct an outside security audit and implement a corrective action plan,
including resetting all passwords.  Questar has reportedly closed all
accounts of its former employees and hired an outside auditor to review its
data security practices.

As we have previously reported, educational institutions—particularly in
higher education—have become a priority target for data breaches.  Recent
high-profile data security incidents have been reported at Stanford
University, as well as Rutgers, Michigan State, and the University of
Oklahoma.  But this latest incident suggests that the threat is not limited
to higher education.  Indeed, educational institutions at all levels are
moving online.  The NYSED recently stated that its goal is to have all
testing for grades 3 through 8 administered on computers by 2020.  As the
Questar breach indicates, these institutions will need to be smart about
safeguarding their data.

The lesson of the Questar breach also applies outside of the education
context.  It underscores the risks to organizations in any industry of
sharing data—particularly sensitive personal information—with third-party
vendors.  The fact that Questar exposed data from students within the NYSED
system, and potentially exposed NYSED itself to criticism as a result, is
an important reminder that organizations need to tend not only to their own
data security practices, but those of their vendors as well.