The Broken Chain of Student Data Security
Federal Student Data At Serious Risk
At a House hearing on Oversight and Government Reform held on 11-17-15, Inspector General Kathleen Tighe testified that the US Department of Education’s “data security” system is riddled with vulnerabilities. The problems encompass both lax controls over the people allowed access to sensitive data, as well as outdated technology and inadequate security to prevent unauthorized access.
“During our testing of the EDUCATE environment, OIG testers were able to gain full access to the Department’s network and our access went undetected by Dell [the vendor] and the Department’s Office of the Chief Information Officer.” Moreover, as the Committee reported, USED “is not heeding repeat warnings from the Inspector General (IG) that their information systems are vulnerable to security threats.”
Key takeaways from the hearing include:
- [USED] scored a NEGATIVE 14 percent on the [Office of Management and Budget] Cybersprint [security program] for total users using strong authentication;
- [USED] received an “F” on the [Federal Information Technology Acquisition Reform Act] scorecard;
- [USED] maintains 184 information systems;
- Twenty-nine [of these systems] are valued by the Office of Management and Budget as “high asset”; and
- [USED] needs significant improvement in four key security areas: continuous monitoring, configuration management, incident response and reporting, and remote access management.
The feds will get individual student test scores and directory info. They get more personal information if you take out a federal student load. More than 139 million Americans have and their social security numbers are at risk. They will have access to the state databases and could conceivably combine information gathered there with the information the states send them directly. How safe is the information the states gather?
Missouri Student Information At Risk
Last month the State Auditor, Nicole Galloway, found serious flaws in the protection system the state uses to guard the student data it collects. We wrote about it here. Key findings of her audit report:
- DESE management has not fully established and documented user account management policies and procedures. User account management includes requesting, establishing, issuing, suspending, modifying, closing, and periodically reviewing user accounts and related user privileges. Multiple DESE users are allowed access to the MOSIS system via shared accounts; however, DESE management does not regularly monitor these accounts to ensure actions taken by account holders are appropriate.
- DESE management has not established a comprehensive data breach response policy, as recommended by the U.S. Department of Education. Without a comprehensive data breach response policy, management may not be sufficiently equipped to respond quickly and effectively in the event of a breach, increasing the risk of potential harm to affected individuals.
DESE promised to clean up its act, but it would be understandable if the public was skeptical of such promises, given that the Dept of Revenue made similar promises regarding the Concealed Carry Licensing reporting that they did not live up to.
Private Education Corporation Data Hacked
Pearson, the world’s largest education supplier, with products designed for preschool on up to workforce certification, was hacked recently. The Pearson VUE PCM System, which is an on-line testing service used by adult learners to support professional certifications and licenses, was accessed by an unauthorized third party. Cisco was one of the companies affected by this breach. Pearson is still looking into what was accessed for which users and by whom. The information could include social security numbers and credit card numbers.
Clearly, preventing hacking or data breaches is not a reasonable outcome at this point in time. Most businesses and government entities are working to limit their exposure and shore up breach response policies. In the mean time, would it not be prudent to dramatically limit what data is collected so that states are not sitting on high value data assets that are desirable targets? IT professionals know that database security is only as strong as its weakest user. From bottom to top we have weak protective systems. At the very least the states should limit their exposure by limiting what they collect and what they let the federal government have access to.