Intruder Alert: Exposing Security & Compliance Risks in Education
Educational technology is a large market; an estimated at $8 billion . In order to get a foothold, many companies will offer free products as a lead generator. In doing so, they may not put as much time and effort as they should into details like security, or they may end up using student data in ways that are not suitable for the education setting. Moreover, companies face legal liability for inadequate security protection. Educators and online service providers have a responsibility to safeguard student data, and to involve parents in the process. Information security will continue to be an issue for schools that use digital products, so be aware and prepared. What are the risks? The Future of Privacy Forum (FPF) and The Software & Information Industry Association (SIIA) presented a Student Privacy Pledge to safeguard the personal information of students. Jules Polonetsky, Executive Director and Co-chair of FPF states that the pledge “clearly and concisely articulate[s] a set of expectations that parents and education officials have for the safeguarding of children’s sensitive data. The Pledge will enhance the trust between families, schools and third party service providers necessary to support the safe and effective use of student information for student, teacher and school success." There is no shortage of useful educational apps and web-based programs, yet not every software program is secure. Several contracted service providers that have taken the Student Privacy Pledge have been found to fall short in March of 2015 and have since added a Secure Socket Layer (SSL). Security challenges also occur when educators, who are not always trained to tell if an online program is secure or not, choose learning sites and apps that do not have protective measures in place. For example, an educator finds a free learning app to use to in his classroom. He downloads the educational app without reading the Terms of Service. He then creates student accounts using their first names and last initial as usernames, and birthdates as passwords. Unaware that the app does not encrypt information, usernames, passwords, parent and teacher email addresses, student activity, audio recordings of students reading, and progress are exposed to hackers and intruders—frightening. If online student accounts are set up prior to collecting signed permissions from parents, the parents are precluded from their legal right to review the online program and verify consent. Parents really ought to know which sites and services that their children use during the school day, the types of data that the service collects, and what the service will do with that data.
So…What could possibly happen? First off, there is the risk of an intrusion.
Educational sites and apps that have errors subject the school network to remote attacks and eavesdropping. A “remote attack” targets one computer or an entire network by finding vulnerable points in the computer or network software. The reasons for this type of malicious attack are to view sensitive information, to steal data, or to introduce malware to a network or system. For example, the attacker can retrieve information in the classroom account and view student information and activities without being logged in. Some apps may reveal hints such as parent email addresses or the student’s name after a failed login attempts. This could lead to phishing attacks against parents and educators. “Eavesdropping attacks” occur when an intruder intercepts communication between computers. This type of attack is common in unsecured public Wi-Fi networks in airports and coffee shops. A Transport Layer Security (TLS) protects against eavesdropping by encrypting messages that are exchanged between computers. For example, the “https” in a URL indicates that a TLS is in place. On the other hand, “http” indicates that the layer is not encrypted and, therefore, not secure. If a school adopts a mobile app or online services that does not use a secure socket layer (SSL), sensitive information can be compromised. Here’s a scary thought: educational products that do not use encryption technologies in websites or software may expose sensitive data. Educational apps and school systems that do not protect against eavesdropping attacks give intruders access to sensitive information. The types of information that can be compromised include, but are not limited to names, Social Security numbers, student identification numbers, birthdates, medical information, school usernames and passwords, addresses, email addresses, and phone numbers.
What will intruders do with the information?
Student data has a high market value. When a school system is hacked, personal information of students and staff members can be stolen and sold on the dark Web to the highest bidder. Vendors who seek to build large databases can, in turn, buy this information to sell their products and services to educational institutions. Identity theft and commercial exploitation are not the only threats. Other information such as demographics, attendance records, and test scores may be used to damage the reputation of schools and school districts. Numerous reported cases tell of hackers accessing academic records to change student grades. Spam or harmful messages may be sent to contacts through a staff member or administrator’s email account. More chilling is the thought that a data disclosure of the layout of the school campus or home addresses of staff or students could open the door for a hostile intruder on campus itself. Vulnerabilities in electronic systems may jeopardize the physical safety of staff and students. When it comes to protecting children, spare no measure to safeguard their futures and well-being.
Then, there are the legal ramifications.
The Family Educational Rights and Privacy Act, or FERPA, is a federal law that addresses privacy in schools, but there are numerous other laws such as COPPA, CIPA, PPRA and HIPPA that deal with child safety on the internet. (This Regulatory Overview simplifies the alphabet soup.) Best practices and responsible use of student data is essential to maintaining education privacy. Attacks and intrusions are scary stuff. Information security will continue to be an issue for schools that use digital products, so be aware and prepared. Read more about the six proactive steps you can take to bolster data security in your school or school district. i-SAFE’s services are designed to simplify compliance, taking into consideration the full set of requirements and best practices for implementation. Visit i-SAFE Ventures for more info.