The Broken Chain of Student Data Security
2015 was not a good year for student data privacy. Massive exposure on three levels has shown that no one is truly capable of protecting the data they gather on American students.
Federal Student Data At Serious Risk
At a House hearing on Oversight and Government Reform held on 11-17-15, Inspector General Kathleen Tighe testified that the US Department of Education’s “data security” system is riddled with vulnerabilities. The problems encompass both lax controls over the people allowed access to sensitive data and outdated technology and inadequate security to prevent unauthorized access.
“During our testing of the EDUCATE environment, OIG testers were able to gain full access to the Department’s network and our access went undetected by Dell [the vendor] and the Department’s Office of the Chief Information Officer.” Moreover, as the Committee reported, USED “is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.”
Key takeaways from the hearing include:
- [USED] scored a NEGATIVE 14 percent on the [Office of Management and Budget] Cybersprint [security program] for total users using strong authentication;
- [USED] received an “F” on the [Federal Information Technology Acquisition Reform Act] scorecard;
- [USED] maintains 184 information systems;
- Twenty-nine [of these systems] are valued by the Office of Management and Budget as “high asset”; and
- [USED] needs significant improvement in four key security areas: continuous monitoring, configuration management, incident response and reporting, and remote access management.
The feds will get individual student test scores and directory info. They get more personal information if you take out a federal student loan. More than 139 million Americans have, and their Social Security numbers are at risk. The feds will have access to the state databases and could conceivably combine information gathered there with the information the states send them directly. How safe is the information the states gather?
Missouri Student Information At Risk
Last month the State Auditor, Nicole Galloway, found serious flaws in the protection system the state uses to guard the student data it collects. We wrote about it here. Key findings of her audit report:
- DESE management has not fully established and documented user account management policies and procedures. User account management includes requesting, establishing, issuing, suspending, modifying, closing, and periodically reviewing user accounts and related user privileges. Multiple DESE users are allowed access to the MOSIS system via shared accounts; however, DESE management does not regularly monitor these accounts to ensure actions taken by account holders are appropriate.
- DESE management has not established a comprehensive data breach response policy, as recommended by the U.S. Department of Education. Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals.
DESE promised to clean up its act, but it would be understandable if the public were skeptical of such promises, given that the Department of Revenue made similar promises regarding the Concealed Carry Licensing reporting that it did not live up to.
Private Education Corporation Data Hacked
Pearson, the world’s largest education supplier, with products designed for preschool on up to workforce certification, was hacked recently.