When school officials talk about keeping students safe, you might imagine metal detectors and live shooter drills. Or maybe you think of keeping lead out of school drinking water. Both are national problems that have flared in Oregon.
Now national law enforcement leaders are warning about a less obvious threat: the theft of student information.
The FBI issued an alert Sept. 13 conveying “cyber threat concerns related to K-12 students.” The message warned of the “privacy and safety implications” of the “rapid growth of education technologies and widespread collection of student data.”
Officials in Oregon schools are already well aware that student data is attracting cybercriminals.
“Some of the most valuable data we have is identity data for large numbers of students who are not yet 18,” said Steve Langford, the chief information officer at the Beaverton School District — one of Oregon’s largest districts. “That can be used to open credit, create false identities … so the K-12 system is an attractive target.”
Gabe Gunderson supervises an Oregon FBI cyber-security task force, which goes after all kinds of online crime. Gunderson calls student data “one of the most critical pieces of information that affects the public,” in part because of how sensitive it is.
“Biometric data, health data, every time a child goes to the student nurse, those things are collected,” Gunderson said. “Mental health data, when we see a counselor or a mental health professional.”
Gunderson said cybercriminals can form “a picture of how a student might react to a particular situation” and then manipulate minors or their families toward an “end goal.”
“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI warned in its alert.
Gunderson is not aware of any specific cases in Oregon.
Some in the education world are applauding the FBI’s message. Stuart Long helps manage computer systems at 10 school districts as the chief information officer for the Clackamas Education Service District.
“The threat is very real, and it’s definitely very scary,” Long said.
The FBI alert highlighted two kinds of vulnerabilities: systems that house student data and the people who use those systems.
On the system side, the FBI emphasized breaches involving two national vendors in late 2017.
The FBI didn’t name the companies, but Long said they’re EdModo and Schoolzilla, both of which have worked extensively in Oregon. Long wasn’t sure if the vendor problems the FBI mentioned involved any Oregon student data.
“Not that I’m aware of, but it doesn’t mean that hasn’t happened,” Long said.
Officials at the Oregon Chief Education Office interpreted the focus on vendors to mean the FBI warning was not particularly relevant to the millions of student records housed in their massive Statewide Longitudinal Data System, or SLDS.
“The FBI warning was focused on cybersecurity breaches at EdTech companies,” said spokeswoman Lisa Morawski in an email to OPB.
“The SLDS has no connection to EdTech companies.”
But the Oregon FBI said the focus on the two vendors didn’t mean that was the only part of the high-tech puzzle to pay attention to.
“Our reading of the [alert] is both generic to any kind of security attached to educational technology systems (whether handled in house or contracted out to outside vendors) and specific in that it discusses incidents in 2017 related to two particular EdTech companies,” wrote Beth Anne Steele, spokeswoman for the Oregon FBI.
“Regardless,” Steele continued, “the real issue … is that student data collectively kept by schools, districts, other agencies and/or companies is potentially at risk if all of those components are not actively working to protect it.”
Langford, in Beaverton, said his district has a dedicated IT security officer and help from outside contractors. He said student accounts are routinely flagged, sometimes because they’re being accessed from overseas or because district officials note other signs they may have been compromised.
“We get notified when accounts are for sale on the dark web — and those accounts are immediately suspended and passwords are changed so that we can get those accounts back into a protected status,” Langford said.
He said Beaverton is not alone in finding compromised accounts before they go too far.
“Everyone’s had that happen,” Langford said.
And like other parts of the country, Oregon’s education sector has seen security breaches in recent years.
In 2012, Oregon State University announced a security breach involving social security numbers and other information of 21,000 former students.
Roseburg Public Schools had to pay a ransom to regain control of its computer systems earlier this year after hackers paralyzed them. The decision to pay ransom went against the FBI’s advice, according to a story in the Roseburg News-Register, but no student data was compromised.
OPB and Willamette Week reported on a Portland State University graduate student project that collected data on Oregon public school students without informing schools or families of the goal to publish research, as is typically required under federal law.
The Redmond School District transferred tax information in response to an email from a spoofed account, as Clackamas ESD information chief Stuart Long recalled.
“[The Redmond case] was an impersonating email designed to trick these fiscal staff in that district because it appeared to come from their superintendent,” said Long.
“Then they handed off a thousand W-2’s approximately to somebody they shouldn’t have — and unfortunately that happens, and we try our best to provide education to help people avoid that.”
But extending that “education” to parents enters a sensitive area for many school districts. Schools are wary of alarming parents, and the risks of children’s information getting into the wrong hands can be scary. Some state and district officials said the FBI warning was “vague” and might worry parents more than help them.
Portland Public Schools is among several school districts OPB contacted that learned of the FBI Alert but didn’t pass it on to parents. Spokesman Harry Esteve said the warning wasn’t specific enough to PPS.
But Esteve said that in conversations the district had with the FBI, the district learned of another area of sensitivity: bus route maps.
“We are working on a bus route technology that will allow parents to see where their buses are, but we’re protecting it so that’s not accessible by people outside of that particular bus route,” he said.
Districts and state agencies are quick to defend the safeguards they have in place, from Portland’s bus routes to the massive student database managed by Oregon’s Chief Education Office.
“[T]he SLDS has strong tools in place to ensure the security of the data,” said Lisa Morawski with the education office. “These include continuous encryption and restriction of access to the data store that holds [Personally Identifiable Information].”
A deeper look at Oregon’s data breaches shows a pattern: that it often resulted from individual staffers making mistakes, rather than a system failure … which means fully protecting the system involves tightening the behavior of individual users.
Officials at ODE and at the state’s Chief Education Office confirmed earlier this year that private student information transferring into the SLDS had been handled incorrectly, or “potentially not in adherence with operational protocols,” as state officials put it, by an education staffer. State leaders said the data never went beyond secure computers in Salem, but the discovery triggered an investigation and a review of security protocols.
But as quickly as state and school officials implement safeguards, IT managers say, cyber criminals are testing for weaknesses.
Gunderson at the Oregon FBI describes an information system as a “house of cards,” given all the vendors, researchers, school districts and state agencies that share information.
Langford in Beaverton agrees, saying successful hacks of student data are basically “inevitable.”
“With thousands of accounts, we’re gonna have compromises,” said Langford.
Langford argues the solution is to keep working with parents, teachers and students.
“So we have to do our very best with educating users, making sure that they know how to protect their account,” Langford concluded.
The alternative — to simply rely on law enforcement after a data breach has happened — is not an attractive prospect, according to Long at the Clackamas ESD.
“It’s 180 days on average before we know about cyber security incidents — successful ones,” Long said.
“So the damage is already done and past by the time someone finds out about something like these.”
The FBI alert from Sept. 13 concluded with a handful of recommendations all directed at prompting parents to think about their children’s information:
- Brush up on legal rights under FERPA, the Protection of Pupil Rights Amendment (PPRA), the Children’s Online Privacy Protection Act (COPPA), and applicable state laws,
- Talk to schools about the involvement of outside tech vendors in your children’s school,
- Research recent cyber breaches, to learn about potential vulnerabilities,
- Look into protecting your child’s credit and/or monitoring their online identity,
- Conduct internet searches of children’s information to see where it may be showing up, and
- Check into information-gathering organizations and parent coalitions for additional resources.