On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students. And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.
NYSED selected Questar in 2015 to “conduct the program management, test development, online test administration, scoring, and analysis of the state’s grades 3–8 English language arts and mathematic summative assessments.” Questar was contracted to develop testing materials and both analog and digital platforms for administering those tests. In the course of providing these testing services, Questar was given access to and generated a trove of data about students in New York’s secondary schools.
According to the NYSED report, sometime in January 2018, Questar “informed the Department that an unauthorized user, whom the company suspects is a former employee, accessed an internal Questar user account to view student data from Dec. 30, 2017 to Jan. 2, 2018.” The exposed data included students’ names and New York State Student Identification numbers, as well as school names, grade levels and teacher names.
In response to the breach, the NYSED required Questar to take specific steps to prevent further data breaches, including: resetting user passwords; closing former employee accounts; hiring an independent third-party to perform a security audit of its systems and security protocols; and providing a corrective action plan designed to prevent future breaches to the NYSED. The NYSED also referred the matter to the New York Attorney General’s office, which has opened an investigation.
Only 52 New York students had their information exposed, but the same breach also reportedly affected more than 650 students in Mississippi. Like the NYSED, the Mississippi State Superintendent demanded that Questar conduct an outside security audit and implement a corrective action plan, including resetting all passwords. Questar has reportedly closed all accounts of its former employees and hired an outside auditor to review its data security practices.
As we have previously reported, educational institutions—particularly in higher education—have become a priority target for data breaches. Recent high-profile data security incidents have been reported at Stanford University, as well as Rutgers, Michigan State, and the University of Oklahoma. But this latest incident suggests that the threat is not limited to higher education. Indeed, educational institutions at all levels are moving online. The NYSED recently stated that its goal is to have all testing for grades 3 through 8 administered on computers by 2020. As the Questar breach indicates, these institutions will need to be smart about safeguarding their data.
The lesson of the Questar breach also applies outside of the education context. It underscores the risks to organizations in any industry of sharing data—particularly sensitive personal information—with third-party vendors. The fact that Questar exposed data from students within the NYSED system, and potentially exposed NYSED itself to criticism as a result, is an important reminder that organizations need to tend not only to their own data security practices, but those of their vendors as well.