More than 650,000 Nevada students had personal information exposed in a data breach announced this week by the state’s two largest school districts, prompting internet safety advocates to urge parental caution with products children use online.
The breach involved Pearson Clinical Assessment’s software program known as Aimsweb 1.0, which is used for screening and assessment.
The breach affected roughly 13,000 of the company’s school and university accounts and exposed first and last names and, in some instances, dates of birth and email addresses, according to Pearson spokesman Scott Overland.
The company has no evidence that the information has been misused but is offering free credit monitoring services as a precaution, he said in a statement.
The Clark County School District estimates that the breach affects 559,487 students enrolled between 2008 and 2019. A much smaller number of staff working at that time had their names and work location exposed, according to the district. The software was phased out at the end of the 2018-19 school year, according to the district.
Meanwhile, the Washoe County School District estimates 114,000 students from 2001 to 2016 are affected, plus a smaller number of staff.
Both districts noted that the information is old, much of it from students who are no longer in the school system. They also said only names, and in some cases dates of birth, were exposed.
“The type of information involved in this incident was extremely limited,” Dan Wray, the Clark County School District’s chief technology officer, said in a statement. “However, CCSD makes every effort to ensure the safety of private information online and we set high standards for our own data systems and those we contract with to conduct business.”
The FBI found the breach in November after discovering a hacker accessed the data through third-party software, according to a person familiar with the situation. The agency notified Pearson in March, and the company then began to analyze the data to determine the scope of the breach before notifying school districts in July.
The FBI did not respond to a request for comment.
Student data privacy law
The breach follows the recent approval of a law in Nevada that more closely monitors student data privacy. Senate Bill 403 requires “service providers” — those who provide online services or mobile applications — to inform schools when there is a data breach. It also requires schools to post a list of such providers on their website, along with confirmation that those providers have a plan for the security of such data.
The law takes effect next year.
The privacy of student data has become a growing concern with the digitization of learning and the boom of free online educational resources, including classroom mobile applications that teachers and students may use to track homework and other assignments.
Last year, the FBI issued a public service announcement warning about the widespread collection of student data made possible through the growth of education technology.
The announcement noted cybersecurity issues in 2017 with two large companies in which millions of students had their data exposed. One company’s data was posted for sale on the dark web.
John Eppolito, founder of Protect Nevada Children, a group that works to protect student data and pushed for SB403, said such data breaches are inevitable.
He pointed to the previous breach of Edmodo, another online educational resource, in 2017.
“That may have been more problematic than this one,” he said. “But nobody ever told Nevada parents.”
The group fought for a stricter version of SB403, which would have required the parent or student to consent to using an online service.
The group’s suggestion, Eppolito said: Don’t allow your kids to log into any of these “free” educational software programs.
“It’s difficult because we’re fighting the trend … but parents deserve to know,” he said.
“Just a name is not going to necessarily lead to an increase in risk of identity theft,” she said. “A name and date of birth could potentially lead to a slight increase. But as far as very serious personal identifying information, it does not appear that this breach contains that level of data.”
But she noted the age of the data, questioning why the data may have been kept so long if it was no longer needed.
“If you’re trying to tell me that the data that was compromised was of little or no value, I’d like to know why you were keeping it,” she said. “Because that is really part of a basic privacy and security awareness protocol in that you know why you’re collecting it, you know who has access to it, and you destroy it when it has lived its useful purpose.”
Velasquez urges parents to read the privacy terms and conditions before their children sign up for a program or download an application online.
The center also helps victims of identity theft with free services and seeks to broaden public awareness of the issue.