Schoolzilla ‘File Configuration Error’ Exposes Data for More Than 1.3M Students, Staff

By Tony Wan     Apr 20, 2017

BIG DATA SLIP: Earlier this month, security researcher Chris Vickery uncovered a flaw in Schoolzilla’s data configuration settings through which personal information from the company’s data warehousing tools was backed up to a publicly accessible location on Amazon S3.

Writing in the MacKeeper blog, Vickery describes how he was able to find and download the company’s database backups, the biggest of which amounted to 12 gigabytes of data and included information such as test scores and social security numbers for school staff and students. In all, 1.3 million students, in his estimation, may have been exposed.

Vickery does credit Schoolzilla for a timely response—and for “not try[ing] to shoot the messenger or claim that I had somehow ‘hacked’ them.”

After resolving the issue, Schoolzilla’s founder and CEO, Lynzi Ziegenhagen, wrote in a blog post that her team “spent the next two days calling each of our customers personally and explaining the technical safeguards that will prevent this from happening again.” Among the districts affected was Palo Alto Unified in California, where 14,000 former and current students' records were exposed.

She also “confirmed no one accessed any information, other than the researcher.” Schoolzilla declined to comment on how long the security vulnerability was in place.

The company’s outreach to customers was “exceptional and as fast as appropriate,” says a technology officer at a charter school network in Texas that was impacted by the breach. (The person requested anonymity as the district is still in the process of notifying staff and parents.) The information that Schoolzilla has shared includes server records and a redacted affidavit, signed by Vickery, affirming that the data had been destroyed.

Yet these incidents create a long tail of costly follow-up activities. Each state has laws mandating how schools and districts notify parents and staff. (Some require communication via snail mail.) Staff members must be assigned to address questions and concerns. Schools must also alert credit monitoring agencies to the possibility that personal data was compromised. Complying with these requirements often requires lawyers to be involved—and that means fees.

These repercussions offer “a real lesson in the importance of software terms of service,” says the technology officer. Schoolzilla’s vulnerability highlights the need for contracts to mandate the encryption of data at rest and in transit between systems. (In that case, the information would not be easily personally identifiable, even if the data were exposed.) Agreements also sometimes lack clauses for restitution to cover schools’ costs. That may soon change.

Some vendors may complain that these additions are prohibitively restrictive. Yet as more services are outsourced to edtech software providers, school leaders now bear the responsibility of safeguarding the privacy of their staff, children and families.

The incident underscores “how important it is to have a good vendor when you’re dealing with these outsourcing relationships,” the person adds. All too often, officials gloss over and accept end user license agreements that are not only generic, but also allow the vendor to change the terms at any time. (That’s a lazy habit ingrained, perhaps, from our habits as individual consumers.)

Editor’s note: The post has been updated with additional information.
