Cyber operator exposed students’ personal data

Such breaches present an increasing threat in the education sector. "Our data is the new oil," said one parent.

This article was originally published in The Notebook. In August 2020, The Notebook became Chalkbeat Philadelphia.

Nearly 7 million student records containing personal information were exposed to the public earlier this summer at K12 Inc., one of the country’s largest operators of cyber charter schools and a provider of online services to school districts.

Researchers exposed the breach in late June, and the company fixed it five days later. The incident is not unique, and it illustrates a threat to educational data that grows worse each year, under a shaky legal framework that is rarely enforced.

Across the country, K12 Inc. has 45,000 students in the schools it operates. It has contracts with 1,100 school districts, bringing the total number of students for whom it has records to more than 200,000. Some of the data exposed belonged to former students, because the database went back to 2015.

The millions of compromised records included information on 19,000 individuals, according to a K12 spokesman.

The records were left open to anyone with an internet connection, said Paul Bischoff, one of the two researchers who discovered the security breach and wrote a report for Comparitech, a website that researches and compares tech services and reports its findings. The available information included name, gender, age, birthday, school, and email address, among other academic information. The database was also indexed by two search engines, meaning it would appear as a search result for users.

Bischoff said the main consequence of this type of leak is “phishing.”

“Because this information gets pretty specific, it would be easy for a hacker or scammer to set up a spear-phishing campaign to target users of this system,” Bischoff said. “It would send emails that mention you by name and the school you attend, asking you to update your information in the [K12] system, and send you a link to another site, which looks identical but is intended to steal your username and password.”

K12’s software is used by three conventional cyber charters in Pennsylvania – Agora, Insight Pennsylvania, and Pennsylvania Virtual – along with Passport Academy, a charter that provides accelerated online courses for older students.

Ken Schwartz, K12’s manager of corporate communications, said that just 54 students in Pennsylvania had their data exposed; he did not have time to determine where they attended school before this story was published. It remains unclear whether anyone else viewed or copied the data during the week when it was publicly available.

“While we never want any data to be compromised, once the problem was fixed, we worked with both researchers to destroy the data and received proof of its destruction,” Schwartz said in an email. “The data was not released publicly otherwise that we are aware of.”

Schwartz said the problem occurred while updating some of the company’s servers.

“K12 monitors our server vendors continuously for security notices and updated software that is required to protect our systems,” Schwartz said in the email. “We implement patches across K12 following a risk assessment review process.”

Bischoff said that the Mongo Database software on the K12 server had not been updated since late 2016. He got into the database in late June and said the server was vulnerable starting on June 23 and secured on July 1.

“It’s important to keep [database software] up-to-date, because those updates make security improvements,” Bischoff said. “Hackers know what those vulnerabilities are, and they target servers without the latest update.”

Bischoff said the remote desktop protocol was enabled, allowing users to control the database from their own computers.

“Anybody could use a client, which is built into Windows 10, to connect to the server and use the server as a normal computer – as if it were their own – and go through all the data on it.”

If the data is copied, it can be bought and sold like any other commodity.

“This can be used to compile information about people,” Bischoff said. “A lot of this is kids’ information, so it may be the first time it’s hitting the black market.”

Schwartz said that K12 Inc. informed the affected school districts of the breach and that those districts could choose whether to inform parents.

“For reasons of transparency, K12 Inc. sent a notice to every school district and partner that had a student affected by the data incident,” Schwartz said. “And we have worked with them to notify students and/or parents at their request.”

The message sent to school districts informed them of what happened, assured them that the researchers had destroyed the data, and pointed out that the most sensitive personal information, such as credit card or Social Security numbers, was not part of the database that was breached. The letter concluded:

“K12 [Inc.] has made technical and process improvements to its software hosting migration process to ensure that this situation is not repeated. Because of the limited nature of the data, students should continue normal measures to safeguard their personal data such as not clicking on links or downloading attachments from suspicious emails. They do not need to change their password.”

Screenshot of a redacted student record seen through the remote desktop protocol (Photo: Comparitech)

Parents concerned about more than advertising

Advertisers are some of the most common buyers of data, but the information also can be used for more nefarious purposes.

Tonya Bah, a public school parent and recent City Council candidate, said the idea of her daughter’s academic data being bought and sold terrified her. Bah’s daughter is on the autism spectrum, but is very high functioning. An employer would not know from their interaction that her daughter has an autism diagnosis, she said. Recently, Bah herself filled out a job application that asked her to list any disabilities. This made her worry about what her daughter will face when she reaches the job market. It should be her daughter’s right not to disclose her autism, Bah said, because disability discrimination is not uncommon in hiring decisions.

The K12 incident did not reveal students’ disabilities, but that data can be kept in similar systems.

“At the end of the application, it says: If any of the statements you have made or anything you have shared on this application is found to be incorrect, that is justification for termination,” Bah said. “If she chooses to answer that she has a disability, she could be discriminated against and not hired. If she chooses to answer that she does not have a disability, she could be fired down the line.

“Her data is now being shared on so many different vulnerable platforms that, later in life, it could be used to fire her or discriminate against her.”

People who have a disability like autism often require additional medical care, so employers would suspect that covering their health insurance would cost more than average.

“She has a therapist and doctor that she sees — those are disincentives to an employer,” Bah said. “Data is going to mean the destruction of so many lives, because it’s a valuable commodity and it can be used as a weapon.

“Our data is the new oil.”

Student data increasingly targeted

The K12 exposure was not an isolated incident. It was quite typical. In 2018, there were 122 known data breaches of education agencies that cover grades K-12 across 38 states. That’s an average of one breach every three days. And, alarming as those numbers are, they continue to grow each year – education has become the ninth most-targeted industry for hackers, according to an IBM cybersecurity report.

The federal Department of Education issued a warning about this kind of attack back in October 2017, though it was directed at how school districts can protect themselves. The private vendors that contract with school districts and universities are a growing target of these hacks. In higher education, an estimated 57 percent of institutions are unable to determine whether their vendors’ security protocols are sufficient to prevent a breach, according to the National Student Clearinghouse.

“I think the rate of security breaches will keep growing, especially the number of records exposed,” Bischoff said. “That doesn’t mean cybersecurity isn’t improving. It just means we put more things online to be stolen.”

Screenshot of the system’s code, showing a student’s personal email that has been redacted (Photo: Comparitech)

No punishment for violating FERPA

The legal framework of protection for student data has grown increasingly complex and is not consistently enforced. The older and better-understood law is the Family Educational Rights and Privacy Act (FERPA). Passed in 1974, FERPA mandates that school districts and educational institutions receiving federal dollars must protect all personal identifying information of their students and only disclose such information to members of the public with permission from parents.

But FERPA is not actually enforced. Although violations of FERPA would allow the Department of Education to withhold federal funds from the violating organization, the department has never done so for the countless violations committed since the law was enacted. Instead, the department works with violating institutions to help them comply on a voluntary basis.

Leah Plunkett is a lawyer with the Berkman Klein Center for Internet & Society at Harvard University, where she specializes in student privacy laws.

“We have this group of people, our kids, who we tend to see – in all legal situations – as deserving greater protection,” Plunkett said. “FERPA has a lot of obligation for districts and school entities, without a lot of realistic remedy.”

She said that the lack of enforcement using FERPA’s only punishment, often referred to as “the nuclear option,” has created an environment where the law is difficult to enforce.

“That is a big structural problem,” Plunkett said. “We have legal requirements in place to protect [children], one of the most vulnerable groups in our society, and yet there is no realistic situation where you’re going to have meaningful enforcement.”

It creates an inherent conflict for regulators, because if federal funds are withheld, Plunkett said, the violating institution would not be the only one punished.

“You’re in this Catch-22 situation. In order to sanction or hold accountable the school officials who may, despite their best efforts, not have complied with the law, you would actually end up punishing not just the entity they work for, but also the students and parents.”

Public outrage from the communities that they serve might pressure schools and districts into compliance. But that’s less likely for national corporations, which can move or rebrand themselves.

The Children’s Online Privacy Protection Act

The Children’s Online Privacy Protection Act (COPPA) was passed in 1998, and it is at least occasionally enforced. It protects students under the age of 13 whose personal information is collected online, which can only be distributed to others if a parent consents. Without parental consent, the school can only collect data to use for educational purposes; it must get parental consent if it intends to use the data for “commercial” purposes.

If the data collected is made available to the public “by any means” with names attached, the collecting company has violated COPPA. And any such operator running a website or other “online service” must “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”

One of the key differences between FERPA and COPPA is that FERPA applies to schools, while COPPA can apply to private companies.

Plunkett said there’s a wide range of understanding about COPPA among schools and companies, and many either aren’t aware of the legal requirements or don’t have the resources to adequately enforce them – though many violators are large corporations.

Violating COPPA carries a fine of $42,530 per child whose information was exposed or collected without consent. Last March, the company that owns the app Musical.ly agreed to pay $5.7 million in fines for violating COPPA by collecting children’s personal information without the consent of a parent or guardian.

COPPA is regulated by the Federal Trade Commission. When asked whether it was investigating the K12 incident, an FTC spokesperson said agency policy is to neither confirm nor deny the existence of ongoing investigations.

Like many in the charter sector, K12, a billion-dollar company, is no stranger to local and national politics. U.S. Secretary of Education Betsy DeVos and her husband were early investors while the lobbying groups she ran were pushing for legislation to allow the creation of cyber charter schools. And the company, which has roughly $800 million in annual revenue, does plenty of lobbying itself.

In 2016, it was running lobbying operations in 21 states, including Pennsylvania, according to Education Week magazine. During the preceding 10 years, it spent $1.8 million on political contributions and at least $10.5 million on lobbying; the publication noted that these amounts are underestimates because not every state requires disclosure of such lobbying expenses.

The political clout of such large companies makes parents particularly worried when spending in politics is practically unlimited and regulatory agencies appear to be increasingly political. And there is often a revolving door between government and these companies.

It’s no mystery why parents worry about a lack of enforcement when, Bah said, campaign contributions and lobbying have such a huge influence.

Relationships that parents have with school districts can be problematic enough, Bah said. “It’s worse when these private companies have our data. The moment we outsource to a consultant or a company, we’re playing by their rules.”