Should parents trust schools with children’s data?
Trust is hard to gain but easy to lose.
When parents send their children to school, every parent is TRUSTING the school to protect their children. However, when school officials dismiss parent concerns, treat parents as if they are interfering, as if they have no right to be involved or concerned with their own children’s education or welfare, parents lose trust.
Parents especially lose trust when they are dismissed or not told the truth.
How often have parents asked what data is collected and shared about their child? How often does a school district know the answer to that, or answer honestly? When a parent asks if the data has been breached, or if the data is securely protected, can the school answer, without a doubt, that the student data is safe, not shared outside of contracts, not misused? What’s the consequence when a school or district breaches student data? Apparently, not much.
After bringing her concerns to a principal and district Information Technology officer last fall, and getting no change in policy, a parent recently went in front of a Colorado school board and pleaded with them to fix their website, which showed student names and student IDs and advertised that the password was the student’s birthday. Once logged into a student account, it was very easy to get into ANY student’s account and access their Gmail, their grades, and anything stored in the Infinite Campus database. The district reportedly told the parent that’s just the way it had to be and it was not possible to change it.
“Picture this: a stranger able to access your children’s bus pick-up and drop-off time and location, able to see their photos, names, phone numbers, home addresses, health records, even lunch account and activity fees. This information was amazingly vulnerable to hacking in the Lewis Palmer School district in Colorado. Incredibly, the school district posted hints to passwords (the student’s birthday) on the district website. The student login ID and password were the SAME for both Infinite Campus (that stores student grades, demographics and other personally identifiable information) and their Google Apps for Education documents, including their Gmail accounts. According to a district parent, who prefers to remain anonymous,
“Once you logged in with your student account, you could see all names and student IDs of every student in the district, listed alphabetically down the left side of the website, with corresponding student ID. And since it was advertised that their birthday was the password, any hacker could go onto Facebook, find out a student’s birthday and log in to see all their emails and records in Google (GAFE) and in Infinite Campus.”
According to its website, the Lewis Palmer School District has publicly posted login information and clues to student passwords for three years. You can read more about this breach here, and we wonder if ALL parents in this district have been notified of the breach.
Compare this school district situation to breaches in the general public.
What would happen if, say, the Target breach, or the Home Depot breach, or the OPM breach went unreported, un-reprimanded, unpatched for years? Take for instance this strikingly odd coincidence with LinkedIn, whose 2012 data breach is just now being reported, a little over 3 years after the fact. One thing hackers are exposing is how easy it was to breach LinkedIn because of poor passwords. This is remarkable because even without LinkedIn advertising password hints, and posting login IDs and names, hackers were still able to access the accounts. Just think how easy it must have been for anyone to get into a student account with “remember, your birthday is your password” posted across the school webpage for years.
Let’s see how much a school district has to pay in fines for breached accounts. Any guesses? (First they would have to tell parents about the breach–and that hasn’t happened, yet.)